Configuring Apache for Authenticating with RADIUS Server
This section explains how to configure the external authentication for Session Monitor with the Radius Service using the Apache Web Server.
- Log in to Session Monitor.
- Click Admin and select Settings.
- Enable the External authentication enabled setting by setting it to True.
- Log out from Session Monitor.
- If the current web service is NGINX, change to HTTPD by following the steps in Configuring Reverse Proxy Server.
- Run the following command to install the Apache Web Server and mod_ssl packages:
    yum install httpd mod_ssl
Note:
If you are behind a proxy server, edit the proxy settings so that the external downloads succeed.
- Install the Apache Web Server and mod_ssl packages together, because the HTTPD package runs a post-install script that uses mod_ssl to generate a localhost certificate. The default HTTPD service configuration requires this certificate. If the certificate is not generated, enter the following lines in the /etc/httpd/conf.d/ssl.conf file to start the HTTPD server:
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
- If the localhost certificates are not generated, remove the ssl.conf file from the /etc/httpd/conf.d directory to start the Apache server.
- Run the following commands to install all additional packages:
    yum groupinstall "Development Tools"
    yum install httpd-devel
- To download and unpack the Apache module for RADIUS authentication, run the following commands:
    wget http://www.outoforder.cc/downloads/mod_auth_xradius/mod_auth_xradius-0.4.6.tar.bz2
    tar -xvf mod_auth_xradius-0.4.6.tar.bz2
    cd mod_auth_xradius-0.4.6
- A code change is required in the xradius_cache.c file for the module to install properly. Open the file in vi:
    $ vi /root/mod_auth_xradius-0.4.6/src/xradius_cache.c
- Type the following vi command and press the ENTER key (it renames every occurrence of unixd_config to ap_unixd_config):
    :%s/unixd_config/ap_unixd_config/g
- Save the file.
- To build and install the module files, run the following commands:
    $ ./configure --with-apxs=/sbin/apxs
    $ make
    $ make install
    $ cd ..
- Ensure that the mod_auth_xradius.so file is present in the /usr/lib64/httpd/modules/ directory of your machine:
    # ls -lrt /usr/lib64/httpd/modules/mod_auth_xradius.so
    -rwxr-xr-x. 1 root root 193976 Mar 20 13:27 /usr/lib64/httpd/modules/mod_auth_xradius.so
- To load the required modules into the HTTPD configuration, edit the file /etc/httpd/conf/httpd.conf, paste the following lines (preferably under an existing LoadModule section or next to a commented-out LoadModule example) and save the file:
    LoadModule auth_xradius_module /usr/lib64/httpd/modules/mod_auth_xradius.so
    AuthXRadiusCache dbm /var/authxcache
- Edit the pld.conf file:
    vi /etc/httpd/conf.d/pld.conf
- Edit the following location in the file as shown below:
    <LocationMatch "^/me/(?!(proxy/|c/|r/|scripts/|/help/|logout\.html)).*$">
        #
        # BEGIN LDAP Auth
        # Uncomment and adjust the lines below for LDAP Auth
        AuthName "OCSM COM"
        AuthType basic
        AuthXRadiusAddServer "<Radius Server IP>:1812" "<Radius Shared Secret>"
        AuthXRadiusTimeout 2
        AuthXRadiusRetries 2
        AuthBasicProvider xradius
        Require valid-user
        RewriteEngine On
        RewriteCond %{SERVER_PORT} 443
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1,L]
        # AuthName should be the same as for /me/logout.html
        # AuthLDAPURL "ldap://ldap-server/dc=example,dc=org?uid?one"
        # AuthLDAPBindDN "cn=admin,dc=example,dc=org"
        # AuthLDAPBindPassword admin
        RequestHeader unset X-Forwarded-User
        RequestHeader set X-Forwarded-User %{RU}e
        # RequestHeader set X-Forwarded-User-Role ""
        # RequestHeader set X-Forwarded-User-Role %{AUTHENTICATE_employeeType}e
        # RequestHeader unset X-Forwarded-User-Permission
        # RequestHeader set X-Forwarded-User-Permission %{AUTHENTICATE_gecos}e
        #
        # Admin permission mask - all bits set
        # RequestHeader set X-Forwarded-User-Permission 4610266613338864839
        # Require valid-user
        # END LDAP Auth
    </LocationMatch>
Note:
For Mediation Engine Connector, make similar changes under the section <LocationMatch "^/mec/((?!(proxy/|r/|res/|help/|logout\.html)).*)$">.
- For a description of the parameters and information on the optional parameters in the RADIUS pld.conf file, see RADIUS pld.conf File Details.
Note:
All non-admin users must be created on Operations Monitor first; only then can these users log in through RADIUS authentication.
- If you have modified the AuthName above, also modify the AuthName in this section of the pld.conf file:
    # Logout page for COM
    <Location /me/logout.html>
        AuthType basic
        # AuthName should be the same as for /me/
        AuthName "OCSM COM"
        AuthBasicProvider file
        AuthUserFile "/opt/oracle/ocsm/etc/httpd/logout.htpasswd"
        Require valid-user
        ProxyPass !
    </Location>
Note:
Change the AuthName directive for Mediation Engine in <Location /me/logout.html> and for Mediation Engine Connector in <Location /mec/logout.html>.
- Run the following commands to start and enable the HTTPD:
    systemctl daemon-reload
    systemctl restart httpd.service
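As an added pre-flight check that is not part of the Session Monitor documentation, the following POSIX shell script verifies the files edited in this procedure before httpd is restarted: that mod_auth_xradius.so was built and is loaded from httpd.conf, that the RADIUS block in pld.conf carries the required directives uncommented, that the <Radius Server IP> and <Radius Shared Secret> placeholders were replaced, and that the file holding the clear-text shared secret is not world-readable. The file paths are the ones used above; the function names and the --live switch are my own.

```shell
#!/bin/sh
# Added example, not from the Session Monitor documentation: pre-flight
# checks on the files the procedure above edits, run before httpd is
# restarted. The paths passed to the functions are assumptions; the
# directive names come from the httpd.conf and pld.conf lines above.

# Succeeds if DIRECTIVE appears uncommented in FILE.
has_directive() {
    grep -F -- "$2" "$1" | grep -vq '^[[:space:]]*#'
}

# check_module_loaded HTTPD_CONF MODULE_SO
# Returns 0 when the module is built and loaded, 1 otherwise (findings printed).
check_module_loaded() {
    rc=0
    [ -f "$2" ] || { echo "module not built: $2"; rc=1; }
    has_directive "$1" 'LoadModule auth_xradius_module' \
        || { echo "LoadModule auth_xradius_module missing in $1"; rc=1; }
    has_directive "$1" 'AuthXRadiusCache' \
        || { echo "AuthXRadiusCache not set in $1"; rc=1; }
    return $rc
}

# check_radius_block PLD_CONF
# Returns 0 when the RADIUS block is complete and filled in, 1 otherwise.
check_radius_block() {
    rc=0
    for d in 'AuthXRadiusAddServer' 'AuthBasicProvider xradius' \
             'Require valid-user' 'RequestHeader set X-Forwarded-User %{RU}e'; do
        has_directive "$1" "$d" || { echo "missing or commented out: $d"; rc=1; }
    done
    # The procedure's placeholders must be replaced with real values.
    if grep -Fq '<Radius Server IP>' "$1" || grep -Fq '<Radius Shared Secret>' "$1"; then
        echo "placeholder still present in AuthXRadiusAddServer"; rc=1
    fi
    # The shared secret is stored in clear text here; keep the file root-only.
    if [ "$(ls -ld "$1" | cut -c8)" = r ]; then
        echo "world-readable file holds the RADIUS shared secret: $1"; rc=1
    fi
    return $rc
}

# With --live, check the files at the paths used in the procedure.
if [ "${1:-}" = "--live" ]; then
    check_module_loaded /etc/httpd/conf/httpd.conf \
        /usr/lib64/httpd/modules/mod_auth_xradius.so
    check_radius_block /etc/httpd/conf.d/pld.conf
fi
```

Run it with --live on the server; once both checks pass, run httpd -t for a syntax check before restarting the service.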
The HTTPD server of Session Monitor is now configured for external authentication with RADIUS. When you open Session Monitor in a web browser, the external authentication pop-up appears; enter valid RADIUS user credentials to log in.