

		RADIUS Authentication for Apache.

			mod_auth_radius

		Miquel van Smoorenburg, Feb. 2001

0. INTRODUCTION

   mod_auth_radius is an Apache 1.3 module for radius authentication.
   There are already several radius authentication modules, even one
   by Alan DeKok who leads the FreeRadius project of which I am also
   a member, but none of them quite did what I wanted.

   This module can:

   o use multiple radius servers
   o ignore certain usernames, so that the next authentication module
     gets called. Good for a "backup" account if the radius server
     is down - it avoids the 30 second delay for every page
   o use the returned attributes as groups. It uses the "Login-LAT-Group"
     attribute for this.

1. CONFIGURATION DIRECTIVES

   The following configuration directives can be used in a directory
   config section, or in a .htaccess file:

   RadiusServer1  server  [port]

      Defines the radius server to talk to. <server> is a hostname
      or IP address; <port> is optional. If it isn't set, it defaults
      to 1645, the radius authentication port.

   RadiusServer2  server  [port]

      You can define this as a backup server. If RadiusServer1 doesn't
      reply, this server will be tried. The algorithm is: try the
      first server 3 times, then alternate between the second and
      the first server. There is a timeout of 3 seconds for each
      request. Unfortunately this means that if the first server is
      down, all authentication requests take at least 9 seconds...

   RadiusSecret  secret

      The shared secret for this radius client. You need to configure
      the same secret on the server.

   RadiusSourceIP  source

      Sets the source address used to send radius authentication
      packets. This can be necessary on a multi-homed host. <source>
      can be a hostname or an IP address.

   RadiusIgnoreUser  user [user] [user..]

      Usernames to ignore - the module returns DECLINED immediately
      when the username supplied is in the list. This causes the
      authentication to be handled by the next authentication handler.

   RadiusAuthoritative

      Set to 'off' to allow access control to be passed along to lower
      modules if the UserID is not known to this module.

   RadiusEnabled

      If you set this to 'off', radius processing won't be done.
      This way you can set RadiusServer1, RadiusSecret etc centrally
      in access.conf and turn it on per directory in .htaccess files.

   require group GROUP

      This generic require statement also works with Radius authentication.
      The server has to return one or more "Login-LAT-Group" attributes.
      Each attribute can contain a groupname, or a list of groups,
      comma-separated. If GROUP doesn't match a group in that list,
      access is denied.

2. INSTALLATION

   Just type "make" and then "make install". This should compile and
   install the module, provided that you have installed the apache
   development files and the "apxs" program.

   You then only need to add a line like this to your httpd.conf file:

   LoadModule radius_auth_module /usr/lib/apache/1.3/mod_auth_radius.so

   Put it just below the "LoadModule auth_module" statement - Apache
   checks the modules in reverse order (last listed first) so that
   Radius authentication happens before normal authentication.

3. TODO

   * Check reply digest from radius server
   * Make group attribute configurable
   * Cache authentication info in cookies
   * Radius server failover config, with shared memory
   * Clean up code, use more of apache api in radius.c
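
   The first TODO item refers to the Response Authenticator, which
   RFC 2865 defines as MD5 over the reply's Code, Identifier, Length,
   the Request Authenticator from the request, the reply attributes
   and the shared secret (the RadiusSecret value). The check, as an
   added Python example that is not code from this module; the secret,
   identifier and packet bytes are constructed sample values and the
   function names are hypothetical:

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_reply(reply, request_id, request_auth, secret):
    """Return True only if the reply matches our request and the shared secret."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request_id or length < HEADER_LEN or length > len(reply):
        return False
    attrs = reply[HEADER_LEN:length]  # bytes past Length are padding, ignored
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])

def build_reply(code, ident, attrs, request_auth, secret):
    """Server-side view, used here only to construct sample packets."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-secret"      # what RadiusSecret would hold
REQ_ID = 42                     # Identifier of the Access-Request we sent
REQ_AUTH = bytes(range(16))     # Request Authenticator of that request
GROUPS = b"staff,admin"         # group list as this module reads it
ATTRS = bytes([36, 2 + len(GROUPS)]) + GROUPS   # type 36 = Login-LAT-Group

GOOD = build_reply(2, REQ_ID, ATTRS, REQ_AUTH, SECRET)        # 2 = Access-Accept
WRONG_SECRET = build_reply(2, REQ_ID, ATTRS, REQ_AUTH, b"other-secret")
TAMPERED = GOOD[:-5] + b"other"  # group list changed after the digest was made

if __name__ == "__main__":
    samples = [("good", GOOD), ("wrong secret", WRONG_SECRET), ("tampered", TAMPERED)]
    for name, pkt in samples:
        print(name, verify_reply(pkt, REQ_ID, REQ_AUTH, SECRET))
```

   A reply that fails this check should be dropped as if it had never
   arrived, so that the normal timeout and retry logic still applies.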


	$Id: README,v 1.2 2001/02/08 16:02:00 miquels Exp $
