Fletcher Cocquyt <[email protected]> writes:

> Hi, we just started testing 2 factor authentication
> http://webauth.stanford.edu/manual/mod/mod_webauth.html
> We want to enforce 2 factor authentication for off campus users (e.g.
> client IP not in 171.65.0.0/16)
> What would the recommended Apache config look like to do this?

Hi Fletcher,

Apologies for the delay in answering this question. I was away on vacation and then a family medical emergency, and we didn't have the coverage for this list that we thought we had.

This particular requirement actually wasn't on the set of requirements we were given by university upper management when we were told to build the multifactor authentication system. I do agree that in retrospect it should have been something we had on the roadmap, but all the focus for this project was for applications that would always or randomly require multifactor regardless of where the user is coming from.

This is, unfortunately, also not an easy thing to do in Apache. We could have additional mod_webauth directives that configure IP addresses that require different factors than other IP addresses, but this all gets quite complicated, particularly in its interactions with other Apache directives.

I haven't yet looked in detail at Apache 2.4, but from discussions with other Apache authentication module authors, it looks like the way that authorization is handled in Apache 2.4 was completely overhauled and Apache now internally can do boolean logic on multiple require directives. If this is the case, then that's by far the best way of implementing this sort of functionality; that would let you combine IP restrictions and factor restrictions as you desire.

My guess right now, although we need to do more investigation, is that we will add this functionality using the new Apache 2.4 authorization model, and it will only be available when running Apache 2.4 or later. I expect that work is at least a couple of months off, as we will need to revise mod_webauthldap extensively for Apache 2.4 as well.
In the meantime, I'm afraid that the only way to provide this functionality is to force users who need to use multifactor and users who don't to use different URL spaces. You can do that with mod_rewrite, but it's going to be complicated and confusing.

> We'd also like to whitelist certain IPs for API access without any
> webauth or 2 factor.

This, on the other hand, is easy. All you need to do here is the normal procedure when you want IP addresses to bypass any Apache authentication mechanism, namely:

    AuthType WebAuth
    # Access control must reject every host except the whitelisted ones:
    # with no Order/Deny directives the default "Order deny,allow" admits
    # all hosts, and "Satisfy any" would then skip WebAuth for everybody.
    Order deny,allow
    Deny from all
    Allow from <ip>
    require valid-user    # or some other privgroup
    Satisfy any

The "Satisfy any" Apache directive will allow either the IP address or WebAuth to satisfy the authentication requirement.

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
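Both forms of the IP-bypass pattern side by side, as an added example that is neither the reply's nor the WebAuth project's own configuration: the Apache 2.2 form the reply describes, using the 171.65.0.0/16 range from the question as the campus network, and the Apache 2.4 boolean-authorization form the reply anticipates. Assumed here: the /api path, and that mod_webauth's "valid-user" participates in the 2.4 authorization model (the reply treats 2.4 support as future work, so this is not confirmed by the page).

```apache
# Campus API endpoint: clients on 171.65.0.0/16 bypass WebAuth entirely,
# everyone else must log in through WebAuth. This only expresses
# "IP or login"; a per-IP factor requirement is not something mod_webauth
# can express at the time of the reply.

# --- Apache 2.2: mod_authz_host access control + Satisfy ---
<Location /api>
    AuthType WebAuth
    Order deny,allow
    Deny from all               # reject every host by default ...
    Allow from 171.65.0.0/16    # ... except the campus network
    Require valid-user          # any WebAuth-authenticated user
    Satisfy any                 # an IP match OR a WebAuth login suffices
</Location>

# --- Apache 2.4: mod_authz_core boolean authorization ---
# Assumption (not confirmed by the reply): mod_webauth's valid-user check
# works under the 2.4 authorization model. Order/Allow/Satisfy are not
# needed here; in 2.4 they only exist via the mod_access_compat module.
<Location /api>
    AuthType WebAuth
    <RequireAny>
        Require ip 171.65.0.0/16    # campus clients need no login
        Require valid-user          # everyone else must authenticate
    </RequireAny>
</Location>
```

In the 2.2 block the Deny from all line is what makes the whitelist a whitelist; without it every client satisfies the access-control half of Satisfy any and WebAuth is never consulted.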
