NAME

Apache::AppSamurai::AuthRadius - Check credentials against RADIUS service

SYNOPSIS

The module is selected and configured inside the Apache configuration.

 # Example with an authname of "fred" for use as part of an Apache config.

 # Configure as an authentication method
 PerlSetVar fredAuthMethods "AuthRadius"

 # Set the IP and port to send Radius requests to
 PerlSetVar fredAuthRadiusConnect "10.10.10.10:1812"

 # Set the RADIUS key to use
 PerlSetVar fredAuthRadiusSecret "ThePasswordJustBetterNotBePASSWORD"

 # Set the timeout for the RADIUS connection
 PerlSetVar fredAuthRadiusTimeout 5

DESCRIPTION

This Apache::AppSamurai authentication module checks a username and password against a backend RADIUS service.

This module is one way to access strong authentication systems, like RSA SecurID. Note that features like "Next Tokencode" are not supported by this module at this time, so Apache::AppSamurai can not help users re-synchronize their tokens.

USAGE

The basic Apache::AppSamurai::AuthBase configuration options are supported. Additional options are described below. The following must be preceded by the auth name and the auth module name, AuthRadius. For example, if you wish to set the Connect value for the auth name "Jerry", you would use:

 PerlSetVar JerryAuthRadiusConnect "thisistheservername:1234"

The auth name and "AuthRadius" have been removed for clarity. See Apache::AppSamurai for more general configuration information, or the examples/conf/ directory in the Apache::AppSamurai distribution for examples.

Connect SERVER:PORT

(Default: 127.0.0.1:1812) Set to the IP address or FQDN (fully qualified domain name) of the RADIUS server, a :, and then the port RADIUS is listening on.

Secret PASSWORD

(Default: defaultisstupid) Set the RADIUS secret (password) used for communication between the Apache::AppSamurai server and the RADIUS server. If possible, use a unique RADIUS secret for different devices to reduce the risk of attack from other devices, and the risk of capturing authentication information in transit.

Oh, and don't use defaultisstupid as your RADIUS secret!

Timeout SECONDS

(Default: 5) The number of seconds to wait for a response from the RADIUS server. The default should usually be fine.

OTHERS

All other configuration items are inherited from Apache::AppSamurai::AuthBase. Consult its documentation for more information.

METHODS

Configure()

Other than the AuthRadius specific configuration options, (described in "USAGE"), this is just a wrapper for the AuthBase Configure().

Initialize()

Performs the following additional actions:

  • Creates and initializes an Authen::Radius instance and saves it in $self->{radius}.

Authenticator()

Sends the authentication request to the RADIUS server. It logs error(s), including specific RADIUS errors, and returns 0 if the authentication fails for any reason.

EXAMPLES

See "SYNOPSIS" for a basic example, or configuration examples in examples/conf/ inside the Apache::AppSamurai distribution.

SEE ALSO

Apache::AppSamurai, Apache::AppSamurai::AuthBase, Authen::Radius

AUTHOR

Paul M. Hirsch, <paul at voltagenoir.org>

BUGS

See Apache::AppSamurai for information on bug submission and tracking.

SUPPORT

See Apache::AppSamurai for support information.

COPYRIGHT & LICENSE

Copyright 2008 Paul M. Hirsch, all rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.