httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Bailleul" <Emmanuel.Baill...@telindus.fr>
Subject [users@httpd] Using Apache 2.2.9 + mod_auth_xradius with 2 Radius servers fails
Date Wed, 27 Aug 2008 13:32:21 GMT
Hello list,

I've spent a lot of time trying to find a way to use at least 2 Radius
Servers in order to authenticate users in a reverse proxy config. 
I currently use httpd-2.2.9 & mod_auth_xradius-0.4.6. I have tried a lot
of combination even with several Radius products (RSA, ActivID, ...) but
to no avail... If I only use one auth server, everything runs fine.

First I wanted to simply use multiple "AuthXRadiusAddServer" lines in my
httpd.conf, as suggested by mod_auth_xradius, but this feature is buggy,
as one can see here :
http://issues.outoforder.cc/view.php?id=43

I also wanted to use multiple providers in "AuthBasicProvider"
directive, as 2.2's doc suggest.
I've made several tests : 
- if I use "AuthBasicProvider file xradius", the behaviour is as
expected : the user is searched in auth file and if not present Radius
server is queried
- if I use "AuthBasicProvider xradius file", Radius is queried first but
if this fails (server unreachable/not responding), file is never tested.

I also tested almost the same by loading mod_authn_alias and using my
two Radius auth servers :
<AuthnProviderAlias xradius radius1>
...
</AuthnProviderAlias>
<AuthnProviderAlias xradius radius2>
...
</AuthnProviderAlias>
AuthBasicProvider Radius1 Radius2

But the behaviour was similar to the previous, no redundancy ...

As mod_auth_xradius is supposed to be 2.1+ API compatible, I thought
this should have worked, but in fact this does not seem to be the case
...

The only remaing solutions for me are :
- hack mod_auth_xradius's code to "force" it to work as expected, but as
I am no developper, this is likely to be a very ugly hack ... 
- use a load balancer in front of my radius servers to guarantee high
availability ...

I was wondering if someone has already experienced such problems using
multiple authproviders, with mod_auth_xradius or more generally with
radius auth redundancy and how he managed to solve this.

Thanks a lot for your help.

Emmanuel Bailleul
Security Engineer
Telindus FRANCE

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message