Adding MFA to Apache websites

Note: This integration does not support the use of Push. You will need to use OTP.

 

Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.

  1. Run apt-get install libapache2-mod-auth-radius to install the RADIUS Authentication Module (radius_auth_module).
  2. Configure sites and directories for RADIUS authentication by editing /etc/apache2/sites-available/default (or whichever virtual site you want to use with AuthAnvil).

Sample /etc/apache2/sites-available/default file:

## RADIUS configuration for AuthAnvil Radius Server
# Add configuration options for radius_auth_module
<IfModule radius_auth_module>

# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
#
# Use RADIUS server on 10.10.30.3, RADIUS port is 1812,
# secret is 'pass', time out after 10 seconds.
# Do not allow retries since we are using Two-Factor Authentication.
AddRadiusAuth 10.10.30.3:1812 pass 10

# AuthRadiusBindAddress <hostname/ip-address>
#
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests coming from
# the given IP address.
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.

# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
# The special value of 0 (zero) means the cookie is valid forever.
AddRadiusCookieValid 120

# End of the module directives
</IfModule>

# Use RADIUS authentication for the locations below

<Location /protected >
  Order Allow,Deny

# Use basic password authentication.
# AuthType Digest won't work with RADIUS authentication.
  AuthType Basic

# Tell users where they are authenticating to
  AuthName "AuthAnvil RADIUS Server"

# Disable other authentication types
  AuthBasicAuthoritative off

# Use radius_auth_module for all authentication, and make the responses
# from it authoritative.
  AuthRadiusAuthoritative on

# Set RADIUS to be the provider for this basic authentication
  AuthBasicProvider radius

# Activate RADIUS authentication for this directory.
# If there is a directory below this one which you do NOT want to have RADIUS
# authentication for, then use a <Directory> or <Location> directive,
# and set "AuthRadiusActive Off".  The default is "On".
  AuthRadiusActive On  

# Require a valid user, deny access otherwise
  require valid-user

# End of the per-location directives
</Location>

  3. Run sudo apache2ctl stop then sudo apache2ctl start to stop and restart Apache.
  4. Log into the website and when it prompts for a username and password, enter your username in the username box and your MFA token in the password box.
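
A check you can run on the site file before restarting Apache, covering the settings the sample file's comments call out (retries, cookie lifetime, AuthType, and quotes pasted from a web page). This is an added example, not part of the original article or of mod_auth_radius; the function name lint_radius_conf and the sample text are constructed for illustration.

```python
import re

# Constructed sample input: a site fragment containing the mistakes this check looks for.
SAMPLE = """\
<IfModule radius_auth_module>
AddRadiusAuth 10.10.30.3:1812 pass 10:3
AddRadiusCookieValid 0
</IfModule>
<Location /protected>
  AuthType Digest
  AuthName \u201cAuthAnvil RADIUS Server\u201d
  AuthBasicProvider radius
  require valid-user
</Location>
"""

def lint_radius_conf(text):
    """Return (line_number, message) findings for the settings the article discusses."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache ignores blank lines and comments
        if re.search("[\u2018\u2019\u201c\u201d]", line):
            findings.append((n, "typographic quote in a directive; use plain quotes"))
        parts = line.split()
        name = parts[0].lower()
        if name == "addradiusauth" and len(parts) >= 3:
            if parts[2] == "pass":
                findings.append((n, "shared secret is still the article's sample value"))
            # Fourth field is timeout[:retries]; the article allows no retries with OTP.
            if len(parts) >= 4 and ":" in parts[3]:
                retries = parts[3].split(":", 1)[1]
                if retries.isdigit() and int(retries) > 0:
                    findings.append((n, "retries configured; the article allows none"))
        elif name == "addradiuscookievalid" and parts[1:2] == ["0"]:
            findings.append((n, "cookie lifetime 0 means the cookie is valid forever"))
        elif name == "authtype" and parts[1:2] and parts[1].lower() != "basic":
            findings.append((n, "AuthType must be Basic for RADIUS authentication"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_radius_conf(SAMPLE):
        print(f"line {n}: {msg}")
```

To check a real file, pass its contents to lint_radius_conf instead of SAMPLE; an empty result means none of these conditions were found.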



Other Configurations

For assistance with other configurations, including manually building and configuring the module, check out FreeRADIUS.org’s usage guide for mod_auth_radius. This guide includes a sample httpd.conf file for other configurations, as well as instructions for implementing RADIUS security for directories using .htaccess files.
