RADIUS authentication

The RADIUS authentication plugin enables Enano to validate usernames and passwords against a back-end RADIUS server. This means that users can sign in to your Enano website using a username and password stored with any number of services, including Microsoft® Active Directory®, Kerberos™, LDAP, and any variety of UNIX® account systems.

This plugin works in two main modes. The first is a "supplemental" mode that simply asks the RADIUS server if the provided username and password are valid, and if so, it logs the user in.

The second mode is enforced SSO (single sign-on). This means that Enano synchronizes user accounts on demand with your upstream account system. Local password authentication is blocked except for administrators, keeping Enano user accounts completely seamless with those of an enterprise or other large-scale deployment.
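The following is an added example, not code from the radiusauth plugin or its libradauth.php, showing what the "supplemental" check amounts to when written against the PECL radius extension the plugin requires: a PAP Access-Request that only counts an explicit Access-Accept as a successful login. The host, port, shared secret, NAS identifier and the `$cfg` keys are placeholders assumed for this example, not the plugin's own configuration names.

```php
<?php
// Added example (not code from the Enano radiusauth plugin or libradauth.php):
// the "supplemental" credential check expressed with the PECL radius extension.
// Host, port, shared secret, NAS identifier and $cfg keys are placeholders.

/**
 * Ask the RADIUS server whether $username/$password are valid (PAP).
 * Returns true only on an explicit Access-Accept; Access-Reject,
 * Access-Challenge, timeouts and transport errors all count as a failed
 * login, so the check fails closed.
 */
function radius_check_credentials(string $username, string $password, array $cfg): bool
{
    $r = radius_auth_open();
    if ($r === false) {
        error_log('radius: could not allocate handle');
        return false;
    }

    // $cfg keys are assumptions for this example, not plugin settings.
    $ok = radius_add_server(
        $r,
        $cfg['host'],      // e.g. 'radius.example.internal' (placeholder)
        $cfg['port'],      // 1812 is the standard authentication port
        $cfg['secret'],    // shared secret; keep it outside the web root
        $cfg['timeout'],   // seconds to wait per attempt
        $cfg['max_tries']  // retransmissions before giving up
    );
    if (!$ok || !radius_create_request($r, RADIUS_ACCESS_REQUEST)) {
        error_log('radius: ' . radius_strerror($r));
        radius_close($r);
        return false;
    }

    // Standard attributes for a PAP Access-Request. The library obfuscates
    // the password with the shared secret (RFC 2865 section 5.2); that is
    // not encryption, so the link to the RADIUS server should be trusted.
    radius_put_attr($r, RADIUS_USER_NAME, $username);
    radius_put_attr($r, RADIUS_USER_PASSWORD, $password);
    radius_put_attr($r, RADIUS_NAS_IDENTIFIER, $cfg['nas_id']);
    radius_put_int($r, RADIUS_SERVICE_TYPE, RADIUS_LOGIN);

    $code = radius_send_request($r);
    radius_close($r);

    switch ($code) {
        case RADIUS_ACCESS_ACCEPT:
            // Valid only at login time: after this, Enano relies on its own
            // session key and does not re-ask the RADIUS server.
            return true;
        case RADIUS_ACCESS_REJECT:
            return false; // bad credentials or a disabled upstream account
        case RADIUS_ACCESS_CHALLENGE:
            return false; // multi-step authentication is not handled here
        default:
            // false means timeout or no reply: fail closed, never fall back
            // to accepting the login because the server was unreachable.
            error_log('radius: no usable reply (' . var_export($code, true) . ')');
            return false;
    }
}

// Usage sketch with placeholder values:
// $cfg = ['host' => 'radius.example.internal', 'port' => 1812, 'secret' => 'CHANGEME',
//         'timeout' => 3, 'max_tries' => 2, 'nas_id' => 'enano-web'];
// if (radius_check_credentials($user, $pass, $cfg)) { /* establish the Enano session */ }
```

The point worth noticing is the `default` branch: a RADIUS outage must read as "login failed", not "no objection", and the accept decision is made once, at login, which is why the session-key lifetime matters so much in the security considerations below.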

Requirements

  • RADIUS extension from PECL
  • mcrypt
  • mhash
  • Enano 1.1.8 (Mercurial revision 1205:c922ef08167a or later)

Known limitations

  • My test setup based around any form of MSCHAP couldn't result in any good authentications. I don't know if it was a problem with my RADIUS setup or the poorly written upstream MSCHAP code.

Security considerations

You'll need to close a couple of gaps in Enano that are harmless under most circumstances but can pose problems for enterprise or other large-scale deployments.

  • Enano ONLY talks to RADIUS when the user logs on. After that, the local authorization in the form of a session key is considered sufficient. Consider greatly lowering the lifetime of session keys (both "short" and "extended"). If an upstream user account is disabled or deleted, it might remain accessible if the user has a valid Enano session in progress.
  • If SSO enforcement is enabled, then when a user logs in with valid RADIUS credentials but does not have a local account, one is created automatically, and the password is locked.
  • A valid local password is required when upgrading Enano. The upgrade script does not load plugins, so RADIUS authentication settings will be entirely ignored.
    • If a user account that was originally created via RADIUS needs to be used to authenticate to the upgrade script, you must reset the user's password. Enano does not cache RADIUS passwords locally in any form.
  • If you use a registration agreement (TOU) on your site, automatically created user accounts will be treated as inactive until the TOU is accepted.
  • Enabling SSO enforcement disables local registration.
  • Again, SSO enforcement means that except for administrator accounts, local passwords do not work, even for users that existed before RADIUS was enabled. Make sure your users are aware of this change before switching your site to use RADIUS.
  • Because Enano does not cache any RADIUS details, the plugin will not add any information to the session key salting process.
  • If you use e-mail account activation, make sure that you properly set the e-mail domain in the RADIUS settings panel, and that e-mail addresses of the form radiususername@domain are actually deliverable.
  • Consider using ACLs to deny guests access to most pages if Enano is being used for a site that should be restricted to a specific member base.

License

  • Plugin file: GPLv2 and later
  • libradauth.php and libmschap.php: BSD, in respect for a request from the upstream author to not relicense to the GPL

Download

Latest revision: zip | tar.gz
Mercurial clone URL: http://hg.enanocms.org/repos/radiusauth