Would you like to learn how to configure an Apache server to use the Radius protocol to authenticate on the Active directory? In this tutorial, we are going to show you how to authenticate the Apache users on the Active Directory database using the Microsoft NPS server.

• Ubuntu 18
• Ubuntu 19
• Ubuntu 20
• Apache 2.4.41
• Windows 2012 R2

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Tutorial - Radius Server Installation on Windows

• IP - 192.168.15.10.
• Operacional System - Windows 2012 R2
• Hostname - TECH-DC01
• Active Directory Domain: TECH.LOCAL

Open the Server Manager application.

Access the Manage menu and click on Add roles and features.

Windows 2012 add role

Access the Server roles screen, select the Network Policy and Access Service option.

Click on the Next button.

Network Policy and Access Service

On the following screen, click on the Add features button.

network policy features

On the Role service screen, click on the Next Button.

network policy server

On the next screen, click on the Install button.

radius server installation on windows

You have finished the Radius server installation on Windows 2012.

Tutorial Radius Server - Active Directory Integration

Next, we need to create at least 1 account on the Active directory.

The ADMIN account will be used to login on the Apache server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Zabbix active directory account

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate on the Apache web interface.

active directory admin accountzabbix active directory admin properties

Congratulations, you have created the required Active Directory accounts.

Next, we need to create at least 1 group on the Active directory.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.

Radius Active directory group

Create a new group named: APACHE-USERS.

Members of this group will be able to access the Apache server's protected directory.

Apache Active directory authentication group

Important! Add the admin user as a member of the Apache-Users group.

Apache Active directory user authentication

Congratulations, you have created the required Active Directory group.

Tutorial Radius Server - Add Client Devices

On the Radius server, open the application named: Network Policy Server

You need to authorize the Radius server on the Active directory database.

Right-click on NPS(LOCAL) and select the Register server in Active Directory option.

authorize radius server on windows

On the confirmation screen, click on the OK button.

Next, you need to configure Radius clients.

Radius clients are devices that will be allowed to request authentication from the Radius server.

Important! Do not confuse Radius clients with Radius users.

Right click on Radius Clients folder and select the New option.

Apache radius client NPS

Here is an example of a Client configured to allow an Apache server to connect to the Radius server.

You need to set the following configuration:

• Friendly name to the device - Add a description to your Apache server.
• Device IP Address - IP address of your Apache server.
• Device Shared secret - kamisama123

The Shared secret will be used to authorize the device to use the Radius server.

You have finished the Radius client configuration.

Tutorial Radius Server - Configure a Network Policy

Now, you need to create a Network Polity to allow authentication.

Right click on the Network Policies folder and select the New option.

Enter a name to the network policy and click on the Next button.

nps - network policy name

Click on the Add condition button.

We are going to allow members of the APACHE-USERS group to authenticate.

Apache Active directory authentication group

Select the User group option and click on the Add button.

nps - user group condition

Click on the Add Groups button and locate the APACHE-USERS group.

APC UPS - Active directory group

Select the Access granted option and click on the Next button.

This will allow members of the APACHE-USERS group to authenticate on the Radius server.

NPS Access granted

On the Authentication Methods screen, select the Unencrypted authentication (PAP, SPAP) option.

Radius server authentication method

If the following warning is presented, click on the No button.

NPS Warning message

Click on the Next button until the summary screen is displayed.

Verify the Radius server configuration summary and click on the Finish button.

pfsense active directory authentication summary

Congratulations! You have finished the Radius server configuration.

Apache - Radius Authentication Test

Install the required package.

Copy to Clipboard

Test your radius authentication on the Active directory using the following commands:

Copy to Clipboard

Here is the command output:

Copy to Clipboard

In our example, the Admin account was able to successfully authenticate on the Radius server.

Apache - Radius Authentication on the Active directory

• IP - 192.168.15.11
• Operational System - Ubuntu 19.10
• Hostname - APACHE

Install the Apache server and the Radius module.

Copy to Clipboard

Enable the Apache2 Radius module.

Copy to Clipboard

In our example, we are going to request authentication to users trying to access a directory named Test.

Create a directory named Test and give the user named www-data permission over this directory.

Copy to Clipboard

Configure the Apache server to request the Radius authentication to users trying to access the Test directory.

Edit the Apache 000-default.conf configuration file.

Copy to Clipboard

Here is the 000-default.conf file before our configuration.

Copy to Clipboard

Here is the 000-default.conf file after our configuration.

Copy to Clipboard

The Apache server was configured to request password authentication to acess the directory /var/www/html/test.

The Apache web server was configured to authenticate user accounts using the Radius server 192.168.15.10.

Restart the Apache service.

Copy to Clipboard

Congratulations! You successfully configured the Apache authentication.

Apache - Radius Authentication Test

Open your browser and enter the IP address of your Apache web server.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11

The Apache default page will be displayed.

Apache default page

Open your browser and enter the IP address of your web server plus /test.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/test

On the login screen, Enter a Radius username and its password.

• Username: admin
• Password: 123qwe..

Apache login form

After a successful login, you will be authorized to access the directory named Test.

Apache Radius Authentication test

Congratulations! You have configured the Radius authentication on an Apache server.