OTP Authentication on Apache Web Server

This post describes how to configure one-time password (OTP) authentication on Apache using JAS and RADIUS. JAS (JaCarta Authentication Server) is a standalone high-performance authentication server with support for OTP and U2F tokens, as well as software tokens for mobile devices. The following software was used during the configuration process: JAS 1.x, Linux Debian, Apache2, as well as JaCarta WebPass tokens, JaCarta U2F tokens, any event-based OTP tokens, and software tokens such as Google Authenticator, Yandex.Key, etc.

To solve this problem, you can use the RADIUS authentication module for the apache2 server. All actions on the web server are shown for the Linux Debian stretch distribution.



Web server setup



1. Install the radius module for apache2:

sudo apt install libapache2-mod-auth-radius
sudo a2enmod auth_radius

2. Select the required site and make the following changes in its configuration:

  ServerName web1.test2.ru
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  # radius settings (server, shared secret, timeout)
  AddRadiusAuth 127.0.0.1 P@ssw0rd 5
  AddRadiusCookieValid 60

In the "Directory" section, also specify:

  AuthType Basic
  AuthName "Radius Authentication"
  AuthBasicAuthoritative Off
  AuthBasicProvider radius
  AuthRadiusAuthoritative on
  AuthRadiusActive On
  Require valid-user

3. Restart the web server daemon:

sudo apache2ctl restart

The web server is ready.
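
A lint pass over the directives configured above, as an added example that is not part of the original post. It flags a short RADIUS shared secret, Basic authentication on a vhost without SSLEngine on (the OTP then crosses the network unencrypted), and a long AddRadiusCookieValid lifetime (in minutes). The function names, finding ids and both thresholds are assumptions chosen for illustration.

```python
MIN_SECRET_LEN = 16      # assumption: local policy, not a module limit
MAX_COOKIE_MINUTES = 30  # assumption: local policy

# Constructed sample: the directives from step 2 collected into one vhost body.
SAMPLE_VHOST = """\
ServerName web1.test2.ru
DocumentRoot /var/www/html
AddRadiusAuth 127.0.0.1 P@ssw0rd 5
AddRadiusCookieValid 60
AuthType Basic
AuthBasicProvider radius
AuthRadiusActive On
Require valid-user
"""

def parse_directives(conf):
    """Return {lower-cased directive name: [argument list per occurrence]}."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        # Skip blank lines, comment lines and <Section> open/close tags.
        if not line or line[0] in "#<":
            continue
        name, *args = line.split()
        found.setdefault(name.lower(), []).append(args)
    return found

def lint_radius_vhost(conf):
    """Return sorted finding ids for one vhost that uses mod_auth_radius."""
    d = parse_directives(conf)
    findings = set()
    # AddRadiusAuth server[:port] shared-secret [timeout[:retries]]
    for args in d.get("addradiusauth", []):
        if len(args) < 2 or len(args[1]) < MIN_SECRET_LEN:
            findings.add("weak-shared-secret")
    # Basic auth sends user name and OTP base64-encoded, not encrypted.
    basic = any(a and a[0].lower() == "basic" for a in d.get("authtype", []))
    tls = any(a and a[0].lower() == "on" for a in d.get("sslengine", []))
    if basic and not tls:
        findings.add("basic-auth-without-tls")
    # The cookie stands in for the OTP on later requests; 0 means no expiry.
    for args in d.get("addradiuscookievalid", []):
        minutes = int(args[0]) if args and args[0].isdigit() else 0
        if minutes == 0 or minutes > MAX_COOKIE_MINUTES:
            findings.add("long-lived-auth-cookie")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_radius_vhost(SAMPLE_VHOST):
        print(finding)
```

Run it against the site file before restarting Apache; an empty result means none of the three conditions was found.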



Configuring Radius Server (NPS)



Launch the NPS management console.



1. Add our web server as a RADIUS client:




2. In the connection request policies, create a rule according to the enterprise security policy:




Adding a user with network access rights



Create the user and grant network access rights on the Dial-in tab:




Configure JAS Server



In the JAS management console, add any of the above OTP authenticators.

Specify the username in the properties:


For more information on configuring the JAS server, see the product documentation and the Knowledge Base.

Checking the result



In the browser, go to our site. The browser should prompt for a login and password. Enter the username and a one-time password:


If everything is done correctly, we get access to our password-protected website.




Additionally:

www.adminsehow.com/2010/03/how-to-authenticate-apache-2-with-radius-on-debian





