OTP Authentication on Apache Web Server

In this post we will look at how to configure one-time password (OTP) authentication on Apache using JAS and RADIUS. JAS (JaCarta Authentication Server) is a standalone high-performance authentication server with support for OTP and U2F tokens, as well as software tokens for mobile devices. The following were used during configuration: JAS 1.x, Debian Linux, Apache2, JaCarta WebPass tokens, JaCarta U2F tokens, any event-based OTP tokens, and software tokens such as Google Authenticator, Yandex.Key, etc.
To solve this problem, you can use the RADIUS authentication module for the apache2 server. All steps on the web server are described for the Debian Linux stretch distribution.

Web server setup


1. Install the radius module for apache2:
sudo apt install libapache2-mod-auth-radius
sudo a2enmod auth_radius

2. Select the required site and make the following changes to its configuration:
ServerName web1.test2.ru
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# RADIUS server (address, shared secret, timeout)
AddRadiusAuth 127.0.0.1 P@ssw0rd 5
AddRadiusCookieValid 60

In the "Directory" section, also specify:
AuthType Basic
AuthName "Radius Authentication"
AuthBasicAuthoritative Off
AuthBasicProvider radius
AuthRadiusAuthoritative on
AuthRadiusActive On
Require valid-user


3. Restart the web server daemon:
sudo apache2ctl restart

The web server is ready.
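
A small audit of the site configuration from steps 1-3, as an added example that is not part of the original post: it parses the mod_auth_radius directives and flags a short shared secret, Basic authentication on a site without `SSLEngine on`, and an authentication cookie that never expires or outlives a chosen limit. The function names, finding codes, thresholds and the hardened sample are assumptions made for this example.

```python
import re
import shlex

MIN_SECRET_LEN = 16      # assumed policy threshold, not a mod_auth_radius rule
MAX_COOKIE_MINUTES = 60  # assumed policy threshold

# Constructed sample: the directives shown in this post.
PAGE_CONFIG = '''
AddRadiusAuth 127.0.0.1 P@ssw0rd 5
AddRadiusCookieValid 60
AuthType Basic
AuthName "Radius Authentication"
Require valid-user
'''
# Constructed sample: same site with TLS, a long placeholder secret, shorter cookie.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    "P@ssw0rd", "EXAMPLE-ONLY-replace-with-random-secret-0123"
).replace("CookieValid 60", "CookieValid 15") + "SSLEngine on\n"

def directives(conf_text):
    """Map each directive name (lowercased) to its argument list."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            found[name.lower()] = args
    return found

def audit(conf_text):
    """Return sorted finding codes for one site configuration."""
    conf, findings = directives(conf_text), set()
    radius = conf.get("addradiusauth", [])
    if len(radius) >= 2:
        secret = radius[1]  # AddRadiusAuth server[:port] secret [timeout]
        kinds = sum(bool(re.search(p, secret)) for p in ("[a-z]", "[A-Z]", r"\d", r"\W"))
        if len(secret) < MIN_SECRET_LEN or kinds < 3:
            findings.add("WEAK_SHARED_SECRET")
    cookie = conf.get("addradiuscookievalid", [])
    if cookie and cookie[0].isdigit():
        minutes = int(cookie[0])
        if minutes == 0 or minutes > MAX_COOKIE_MINUTES:  # 0 = never expires
            findings.add("COOKIE_TOO_LONG_LIVED")
    basic = (conf.get("authtype") or [""])[0].lower() == "basic"
    tls = (conf.get("sslengine") or ["off"])[0].lower() == "on"
    if basic and not tls:  # Basic credentials are only base64-encoded on the wire
        findings.add("BASIC_AUTH_WITHOUT_TLS")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(PAGE_CONFIG), audit(HARDENED_CONFIG))
```

The TLS check only looks for `SSLEngine on` in the text it is given, so pass it the full site file rather than a fragment.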

Configuring Radius Server (NPS)


Launch the NPS management console.

1. Add our Web server as a client:

2. In the connection request policies, create a rule according to the enterprise security policy:

Adding a user with network access rights


We create the user and on the Dial-in tab we provide network access rights:

Configure JAS Server


In the JAS management console, add any of the above OTP authenticators.
Specify the username in the properties:
For more information on configuring the JAS server, see the product documentation and the Knowledge Base.

Work check


In the browser, go to our site. A login and password prompt should appear. Enter the username and the one-time password:
If everything is configured correctly, we get access to our password-protected website:

Additionally:
www.adminsehow.com/2010/03/how-to-authenticate-apache-2-with-radius-on-debian

Source: https://habr.com/ru/post/473826/

