Hi,
I printed out the source code of the radius apache module and browsed through it a bit to find out what was going on. The RADIUS cookie is an MD5 hash of some public information and some secret information. The radius module recomputes the cookie upon each request and compares it with the cookie included in the headers.

The problem is that the public information includes username/password as well. If I use the module on a reverse proxy and the target server asks for authentication, the cookie is invalidated as soon as the user tries to authenticate to the target server, because the username/password pair is replaced.

The question is whether including username/password in the public information really helps to prevent spoofing the cookie, as this information can easily be replicated in any request. What I need is to push all relevant information to cookies and "clear" this path. The radius module can be easily modified to behave in this way. I am just not sure about the security issues involved.

Robert Szelepcsenyi

On Wed, May 19, 2004 at 12:45:43PM -0400, Alan DeKok wrote:
> Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> > I am trying to set up a reverse proxy to allow access to our Intranet
> > web servers from the outside network. I want to authenticate users
> > coming from outside using the apache radius module. This works as it
> > should, but as soon as an Intranet server requires basic
> > authentication, I get into trouble. When I get prompted for a
> > username/password and I enter them, then the radius module blows up
> > and asks me to authenticate again. When I reauthenticate, I get
> > prompted from the Intranet server again.
>
> What do the debugging messages say?
>
> Oh... it's Apache. There are no debugging messages.
>
> > It seems to me that there is a conflict between basic authentication
> > in the apache radius module and basic authentication in the Intranet
> > server.
>
> Sounds like it.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
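A constructed model of the cookie check discussed in this thread, added here as an example (it is not mod_auth_radius code, and the exact fields the module hashes are not given above, so the field set, secret and sample values are assumptions). It shows why the cookie stops verifying once the browser replaces the Authorization header with the Intranet credentials, and that leaving the credentials out of the hash keeps the check working while forging a cookie still requires the module's secret.

```python
import hashlib
import hmac

# Constructed model of the scheme described in the mail: the module keeps a
# shared secret and recomputes cookie = MD5(public fields || secret) on every
# request, then compares it with the cookie the client sent. The real field
# set of mod_auth_radius is not on the page; everything below is assumed.
SECRET = b"constructed-shared-secret"

def make_cookie(fields: dict, secret: bytes = SECRET) -> str:
    """Cookie bound to the given public fields plus the module's secret."""
    public = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hashlib.md5(public + secret).hexdigest()

def cookie_valid(sent: str, fields: dict, secret: bytes = SECRET) -> bool:
    """Recompute from this request's fields and compare in constant time.
    The public fields are replicable by anyone; only the secret is not."""
    return hmac.compare_digest(sent, make_cookie(fields, secret))

def bound_fields(request: dict, bind_credentials: bool) -> dict:
    """Public fields fed into the hash for one request.
    bind_credentials=True models the stock behaviour (username/password
    from the Authorization header are hashed); False models Robert's
    proposed change, where only proxy-side state is bound."""
    fields = {"client_ip": request["client_ip"], "expires": request["expires"]}
    if bind_credentials:
        fields["user"] = request["user"]
        fields["password"] = request["password"]
    return fields

def simulate(bind_credentials: bool) -> list:
    """Cookie validity at each step of the flow described in the thread:
    1. user authenticates to the proxy via RADIUS, cookie issued;
    2. next request carries the same credentials, cookie re-checked;
    3. backend demands Basic auth, the browser sends the Intranet
       credentials in Authorization instead, cookie re-checked."""
    login = {"client_ip": "198.51.100.7", "expires": "1085000000",
             "user": "robert", "password": "radius-pw"}        # constructed
    cookie = make_cookie(bound_fields(login, bind_credentials))
    step2 = dict(login)
    step3 = dict(login, password="intranet-pw")                # constructed
    return [cookie_valid(cookie, bound_fields(r, bind_credentials))
            for r in (login, step2, step3)]
```

With credentials bound, the third step fails exactly as the thread describes; without them bound every step passes, and a cookie computed under the wrong secret is still rejected.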

