Configuring Apache for Authenticating with RADIUS Server
This section explains how to configure external authentication for Session Monitor against a RADIUS server using the Apache Web Server (HTTPD) as the reverse proxy.
- Log in to Session Monitor.
- Click Admin and select Settings.
- Set the setting External authentication enabled to True.
- Log out from Session Monitor.
- If the current web service is NGINX, change to HTTPD by following the steps mentioned in Configuring Reverse Proxy Server.
- Run the following command to install the Apache Web Server and mod_ssl packages:
      yum install httpd mod_ssl
  Note:
  If the system reaches the package repositories through a proxy server, configure the proxy settings for yum first so that the download succeeds.
  Install the httpd and mod_ssl packages together, because the httpd package runs a post-install script that uses mod_ssl to generate a localhost certificate. The default HTTPD service configuration requires that certificate. If the certificate was not generated, make sure that /etc/httpd/conf.d/ssl.conf contains the following lines and that the files they reference exist before starting the HTTPD server:
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
- If the localhost certificate was not generated and you cannot provide one, remove the ssl.conf file from /etc/httpd/conf.d so that the Apache server starts. Treat this only as a temporary measure: removing ssl.conf also removes the default TLS listener on port 443, and the RADIUS configuration below authenticates users with HTTP Basic authentication, which sends the password with every request and must only be accepted over TLS.
- Run the following commands to install all additional packages:
      yum groupinstall "Development Tools"
      yum install httpd-devel
- To download and unpack the Apache module for RADIUS authentication, run the following commands:
      wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
      tar -xvf mod_auth_xradius-0.4.6.tar.bz2
      cd mod_auth_xradius-0.4.6
  The tarball is fetched over plain HTTP and these steps give no checksum or signature to verify it against, so compare its hash with a copy obtained through a trusted channel before you build it and load it into HTTPD.
- A code change is required in the xradius_cache.c file for the module to build: current HTTPD releases (2.4) export the unixd_config symbol as ap_unixd_config. Open the file:
      $ vi /root/mod_auth_xradius-0.4.6/src/xradius_cache.c
- Enter the following command in the editor and press the ENTER key to rename every occurrence:
      :%s/unixd_config/ap_unixd_config/g
- Save the file.
- To build and install the module, run the following commands:
      $ ./configure --with-apxs=/sbin/apxs
      $ make
      $ make install
      $ cd ..
- Ensure that the mod_auth_xradius.so file is present in the /usr/lib64/httpd/modules/ directory of your machine:
      # ls -lrt /usr/lib64/httpd/modules/mod_auth_xradius.so
      -rwxr-xr-x. 1 root root 193976 Mar 20 13:27 /usr/lib64/httpd/modules/mod_auth_xradius.so
- To load the module into the HTTPD configuration, edit the file /etc/httpd/conf/httpd.conf, add the following lines (preferably next to the existing LoadModule directives or a commented LoadModule example) and save the file:
      LoadModule auth_xradius_module /usr/lib64/httpd/modules/mod_auth_xradius.so
      AuthXRadiusCache dbm /var/authxcache
  The AuthXRadiusCache file caches RADIUS authentication results so that not every request is sent to the RADIUS server. It must be writable by the user HTTPD runs as and should not be readable by other local users.
- Edit the pld.conf file:
      vi /etc/httpd/conf.d/pld.conf
- Edit the following location in the file as below, replacing <Radius Server IP> with the address of your RADIUS server and <Radius Shared Secret> with the shared secret that the RADIUS server has configured for this client:
      <LocationMatch "^/me/(?!(proxy/|c/|r/|scripts/|/help/|logout\.html)).*$">
          #
          # BEGIN LDAP Auth
          # Uncomment and adjust the lines below for LDAP Auth
          AuthName "OCSM COM"
          AuthType basic
          AuthXRadiusAddServer "<Radius Server IP>:1812" "<Radius Shared Secret>"
          AuthXRadiusTimeout 2
          AuthXRadiusRetries 2
          AuthBasicProvider xradius
          Require valid-user
          RewriteEngine On
          RewriteCond %{SERVER_PORT} 443
          RewriteCond %{LA-U:REMOTE_USER} (.+)
          RewriteRule .* - [E=RU:%1,L]
          # AuthName should be the same as for /me/logout.html
          # AuthLDAPURL "ldap://ldap-server/dc=example,dc=org?uid?one"
          # AuthLDAPBindDN "cn=admin,dc=example,dc=org"
          # AuthLDAPBindPassword admin
          RequestHeader unset X-Forwarded-User
          RequestHeader set X-Forwarded-User %{RU}e
          # RequestHeader set X-Forwarded-User-Role ""
          # RequestHeader set X-Forwarded-User-Role %{AUTHENTICATE_employeeType}e
          # RequestHeader unset X-Forwarded-User-Permission
          # RequestHeader set X-Forwarded-User-Permission %{AUTHENTICATE_gecos}e
          #
          # Admin permission mask - all bits set
          # RequestHeader set X-Forwarded-User-Permission 4610266613338864839
          # Require valid-user
          # END LDAP Auth
      </LocationMatch>
  Note:
  For Mediation Engine Connector, make similar changes under the section <LocationMatch "^/mec/((?!(proxy/|r/|res/|help/|logout\.html)).*)$">
  Keep the RequestHeader unset X-Forwarded-User line before the RequestHeader set X-Forwarded-User line. Session Monitor trusts the X-Forwarded-User header it receives from HTTPD, so a value supplied by the client must be discarded before the authenticated user name is set; for the same reason, the Session Monitor back end that HTTPD proxies to must not be reachable by clients other than through this HTTPD instance. The shared secret is stored in clear text in pld.conf, so make the file readable only by root; HTTPD reads its configuration as root when it starts.
- For a description of the parameters and information on the optional parameters in the RADIUS pld.conf file, see RADIUS pld.conf File Details.
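The module build and installation steps earlier in this section, as an added example script that is not part of the Session Monitor documentation or of the mod_auth_xradius project. It reuses the download URL, version, apxs path and module path from those steps. The XRADIUS_SHA256 variable is an assumption: the steps publish no checksum, so you must obtain the tarball's SHA-256 through a trusted channel and export it before running the script, which refuses to build without it. The unixd_config rename is applied with sed instead of vi and is written so that running it a second time is harmless.

```shell
#!/bin/sh
# Added example, not the Session Monitor documentation's or mod_auth_xradius's
# own code. Builds and installs the module following the documented steps,
# with an integrity gate on the download and an idempotent source patch.
# Assumption: XRADIUS_SHA256 holds the SHA-256 you verified out of band.

XRADIUS_VERSION=0.4.6
XRADIUS_URL="http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-${XRADIUS_VERSION}.tar.bz2"
XRADIUS_SHA256="${XRADIUS_SHA256:-}"       # empty: the build refuses to run
APXS=/sbin/apxs                             # path used by the documented configure step
MODULE=/usr/lib64/httpd/modules/mod_auth_xradius.so

# Compare a file against an expected SHA-256 using the coreutils
# "sha256sum -c" line format ("<hash>  <file>").
# Returns 0 on match, non-zero on mismatch or missing file.
verify_sha256() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c - >/dev/null 2>&1
}

# The documented editor command (:%s/unixd_config/ap_unixd_config/g) as GNU
# sed. The \b anchors stop an already patched ap_unixd_config from becoming
# ap_ap_unixd_config on a second run; Oracle Linux ships GNU sed.
patch_unixd_config() {
    sed -i 's/\bunixd_config\b/ap_unixd_config/g' "$1"
}

build() {
    set -e
    [ -n "$XRADIUS_SHA256" ] || {
        echo "set XRADIUS_SHA256 to the verified tarball hash first" >&2
        exit 1
    }
    yum groupinstall -y "Development Tools"
    yum install -y httpd-devel
    workdir=$(mktemp -d)
    cd "$workdir"
    tarball="mod_auth_xradius-${XRADIUS_VERSION}.tar.bz2"
    wget -O "$tarball" "$XRADIUS_URL"
    verify_sha256 "$tarball" "$XRADIUS_SHA256" || {
        echo "checksum mismatch: $tarball" >&2
        exit 1
    }
    tar -xjf "$tarball"
    cd "mod_auth_xradius-${XRADIUS_VERSION}"
    patch_unixd_config src/xradius_cache.c
    ./configure --with-apxs="$APXS"
    make
    make install
    # Same check as the documented ls step: the module must exist where the
    # LoadModule line in httpd.conf will look for it.
    [ -s "$MODULE" ] || { echo "$MODULE missing after make install" >&2; exit 1; }
    ls -l "$MODULE"
}

# Run with the argument "build" to execute the procedure; without it only the
# functions are defined, so the file can be sourced or tested.
case "${1:-}" in
    build) build ;;
esac
```

Run it as XRADIUS_SHA256=<hash> sh build_xradius.sh build. After a successful build, httpd -M lists auth_xradius_module once the LoadModule line is in httpd.conf.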
Note:
All non-admin users must first be created on Operations Monitor; only then can these users log in through RADIUS authentication.
- If you have modified the AuthName above, modify the AuthName in this section of the pld.conf file as well, so that the logout page uses the same realm as the protected pages:
      # Logout page for COM
      <Location /me/logout.html>
          AuthType basic
          # AuthName should be the same as for /me/
          AuthName "OCSM COM"
          AuthBasicProvider file
          AuthUserFile "/opt/oracle/ocsm/etc/httpd/logout.htpasswd"
          Require valid-user
          ProxyPass !
      </Location>
  Note:
  Change the AuthName directive for Mediation Engine in <Location /me/logout.html> and for Mediation Engine Connector in <Location /mec/logout.html>.
- Run the following commands to start and enable the HTTPD:
      systemctl daemon-reload
      systemctl restart httpd.service
  Run apachectl configtest before the restart to catch syntax errors in httpd.conf and pld.conf, and run systemctl enable httpd.service if the service is not yet enabled to start at boot.
The HTTPD server of Session Monitor is now configured for external authentication with RADIUS. When you open Session Monitor in a web browser, the browser's HTTP Basic authentication prompt appears. On providing valid RADIUS user credentials, you are logged in.
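Before restarting HTTPD, the following added script (not part of the Session Monitor documentation; the function names and the check_radius_pld.sh file name are its own) verifies the RADIUS section of pld.conf against the mistakes the steps above warn about: template placeholders left in place, required directives missing or commented out, including the RequestHeader unset X-Forwarded-User line that discards a client-supplied user name, and AuthName values that differ between the /me/ locations and /me/logout.html.

```shell
#!/bin/sh
# Added example, not the Session Monitor documentation's own code: static
# checks on the RADIUS section of pld.conf. Usage:
#   sh check_radius_pld.sh /etc/httpd/conf.d/pld.conf
# Exit status 0 means every check passed. Function names are this script's own.

# The placeholders from the documented template must have been replaced; a
# leftover "<Radius Shared Secret>" makes every RADIUS request fail.
check_no_placeholders() {
    if grep -q -e '<Radius Server IP>' -e '<Radius Shared Secret>' "$1"; then
        echo "$1: template placeholders still present" >&2
        return 1
    fi
    return 0
}

# Each directive the RADIUS block depends on must be present and uncommented.
# Only lines that start with the directive count, so a commented copy (the
# template is full of them) is treated as absent. "RequestHeader unset
# X-Forwarded-User" is the important one: Session Monitor trusts that header
# from HTTPD, so a client-supplied value must be dropped before the
# authenticated name is set.
check_required_directives() {
    rc=0
    for d in 'AuthType basic' \
             'AuthXRadiusAddServer' \
             'AuthBasicProvider xradius' \
             'Require valid-user' \
             'RequestHeader unset X-Forwarded-User' \
             'RequestHeader set X-Forwarded-User'; do
        if ! grep -q "^[[:space:]]*$d" "$1"; then
            echo "$1: missing or commented out: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the distinct AuthName values of the active Location/LocationMatch
# blocks whose path contains /me/ (the Mediation Engine pages and their
# logout page; /mec/ blocks are not matched). Commented AuthName lines are
# ignored.
me_authnames() {
    awk '
        /^[ \t]*<(Location|LocationMatch)[ \t]/ { inblk = ($0 ~ /\/me\//) }
        /^[ \t]*<\/Location/                    { inblk = 0 }
        inblk && /^[ \t]*AuthName[ \t]/ {
            sub(/^[ \t]*AuthName[ \t]+/, ""); print
        }
    ' "$1" | sort -u
}

# The steps above require the same AuthName for /me/ and /me/logout.html.
check_authname_consistent() {
    n=$(me_authnames "$1" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "$1: expected one AuthName across /me/ blocks, found $n:" >&2
        me_authnames "$1" >&2
        return 1
    fi
    return 0
}

check_pld_conf() {
    check_no_placeholders "$1" &&
    check_required_directives "$1" &&
    check_authname_consistent "$1"
}

# Run the checks when invoked with a configuration file; with no argument only
# the functions are defined, so the file can be sourced or tested.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    if check_pld_conf "$1"; then
        echo "$1: RADIUS section looks consistent"
    else
        exit 1
    fi
fi
```

The checks are deliberately line-based: they do not parse Apache configuration syntax, so a directive that is present but placed outside the intended LocationMatch block still passes. Use apachectl configtest for syntax, and this script for the content mistakes that configtest accepts.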