Apache - Radius Authentication on the Active Directory

Would you like to learn how to configure an Apache server to use the Radius protocol to authenticate on the Active directory? In this tutorial, we are going to show you how to authenticate the Apache users on the Active Directory database using the Microsoft NPS server.

• Ubuntu 18
• Ubuntu 19
• Ubuntu 20
• Apache 2.4.41
• Windows 2012 R2

Apache - Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Apache.

Tutorial - Radius Server Installation on Windows

• IP - 192.168.15.10.
• Operacional System - Windows 2012 R2
• Hostname - TECH-DC01
• Active Directory Domain: TECH.LOCAL

Open the Server Manager application.

Access the Manage menu and click on Add roles and features.

Access the Server roles screen, select the Network Policy and Access Service option.

Click on the Next button.

On the following screen, click on the Add features button.

On the Role service screen, click on the Next Button.

On the next screen, click on the Install button.

You have finished the Radius server installation on Windows 2012.

Tutorial Radius Server - Active Directory Integration

Next, we need to create at least 1 account on the Active directory.

The ADMIN account will be used to login on the Apache server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate on the Apache web interface.

Congratulations, you have created the required Active Directory accounts.

Next, we need to create at least 1 group on the Active directory.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.

Create a new group named: APACHE-USERS.

Members of this group will be able to access the Apache server's protected directory.

Important! Add the admin user as a member of the Apache-Users group.

Congratulations, you have created the required Active Directory group.

Tutorial Radius Server - Add Client Devices

On the Radius server, open the application named: Network Policy Server

You need to authorize the Radius server on the Active directory database.

Right-click on NPS(LOCAL) and select the Register server in Active Directory option.

On the confirmation screen, click on the OK button.

Next, you need to configure Radius clients.

Radius clients are devices that will be allowed to request authentication from the Radius server.

Important! Do not confuse Radius clients with Radius users.

Right click on Radius Clients folder and select the New option.

Here is an example of a Client configured to allow an Apache server to connect to the Radius server.

You need to set the following configuration:

• Friendly name to the device - Add a description to your Apache server.
• Device IP Address - IP address of your Apache server.
• Device Shared secret - kamisama123

The Shared secret will be used to authorize the device to use the Radius server.

You have finished the Radius client configuration.

Tutorial Radius Server - Configure a Network Policy

Now, you need to create a Network Polity to allow authentication.

Right click on the Network Policies folder and select the New option.

Enter a name to the network policy and click on the Next button.

Click on the Add condition button.

We are going to allow members of the APACHE-USERS group to authenticate.

Select the User group option and click on the Add button.

Click on the Add Groups button and locate the APACHE-USERS group.

Select the Access granted option and click on the Next button.

This will allow members of the APACHE-USERS group to authenticate on the Radius server.

On the Authentication Methods screen, select the Unencrypted authentication (PAP, SPAP) option.

If the following warning is presented, click on the No button.

Click on the Next button until the summary screen is displayed.

Verify the Radius server configuration summary and click on the Finish button.

Congratulations! You have finished the Radius server configuration.

Apache - Radius Authentication on the Active directory

• IP - 192.168.15.11
• Operational System - Ubuntu 19.10
• Hostname - APACHE

Install the Apache server and the Radius module.

Enable the Apache2 Radius module.

In our example, we are going to request authentication to users trying to access a directory named Test.

Create a directory named Test and give the user named www-data permission over this directory.

Configure the Apache server to request the Radius authentication to users trying to access the Test directory.

Edit the Apache 000-default.conf configuration file.

Here is the 000-default.conf file before our configuration.

Here is the 000-default.conf file after our configuration.

The Apache server was configured to request password authentication to acess the directory /var/www/html/test.

The Apache web server was configured to authenticate user accounts using the Radius server 192.168.15.10.

Restart the Apache service.

Congratulations! You successfully configured the Apache authentication.

Apache - Radius Authentication Test

Open your browser and enter the IP address of your Apache web server.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11

The Apache default page will be displayed.

Open your browser and enter the IP address of your web server plus /test.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/test

On the login screen, Enter a Radius username and its password.

• Username: admin
• Password: 123qwe..

After a successful login, you will be authorized to access the directory named Test.

Congratulations! You have configured the Radius authentication on an Apache server.