With this option, RAdmin user authentication is done by your web
server, using whatever methods and systems have been configured into the
web server. You might choose this option if you have a pre-existing system
for controlling and authenticating access to web server pages for your
staff. With this option, the Password field on the ‘Edit Administrator
User’ page is not used. To enable this option, you must configure your
web server appropriately, but you do not need to enable any authentication
options in RAdmin.

In this method every administrative user will receive the permissions
profile configured into RAdmin for the username with which they
authenticated to the web server (or ‘anonymous’ if no such Administrative
user has been configured into RAdmin). See the ‘Edit Administrative User’
page for each web-server authenticated user.
Like any other web application, you can configure your web server so
that only specific users can access particular pages. You can choose
whether or not to do this, based on a number of factors:
- Do you intend to let your users access the public/changePassword.pl
and public/showUsage.pl pages and change their own password and view
their own usage?
- Do you intend to impose user-specific permissions on RAdmin users,
i.e. to permit different staff members to do different things?

In order to distinguish between your users (usually the public, with
few privileges), and your authorized RAdmin administrative users (usually
your internal staff, responsible for administering the end users), or to
distinguish between individual RAdmin users (perhaps with different access
levels or permissions) you will need to enable web server access control
on your web server.
The way to do this depends on what type of web server you are running,
and is usually different for each type. If you are running Apache, you
can add access configuration to its configuration file for each location
and directory you wish to protect. In the following example, only users
specified in the password file and coming from one of the two IP
subnets are permitted to access the contents of the location.

    # Example Apache 2.4 configuration
    <Location "/cgi-bin">
        Options None
        AuthType Basic
        AuthName "RAdmin system"
        AuthBasicProvider file
        AuthUserFile /path/to/htpasswd-radmin
        <RequireAll>
            Require valid-user
            <RequireAny>
                Require ip 10.20.30.0/24
                Require ip 172.16.130.0/24
            </RequireAny>
        </RequireAll>
    </Location>

Consult your web server vendor documentation for details on other web
servers.

It is common practice to enable access control for the RAdmin private
scripts (usually in cgi-bin/Radmin/private), and to have no access control
for the publicly runnable scripts (usually in cgi-bin/Radmin/public).
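
The private/public split described above, written out as an added example that is not taken from the RAdmin documentation. It assumes the scripts are served at the URL paths /cgi-bin/Radmin/private and /cgi-bin/Radmin/public, that mod_ssl is loaded, and that these two blocks are used instead of a single block covering all of /cgi-bin.

```apache
# Added example, not part of the RAdmin distribution.
# Assumed URL paths: /cgi-bin/Radmin/private and /cgi-bin/Radmin/public.

# Private administrative scripts: the user name that passes this check is
# the one RAdmin looks up to select the permissions profile.
<Location "/cgi-bin/Radmin/private">
    Options None
    AuthType Basic
    AuthName "RAdmin system"
    AuthBasicProvider file
    AuthUserFile /path/to/htpasswd-radmin
    <RequireAll>
        # Must be a user listed in the password file ...
        Require valid-user
        # ... over TLS, because Basic authentication sends the password
        # with every request (assumes mod_ssl is loaded) ...
        Require ssl
        # ... and from one of the staff subnets.
        <RequireAny>
            Require ip 10.20.30.0/24
            Require ip 172.16.130.0/24
        </RequireAny>
    </RequireAll>
</Location>

# Public self-service scripts (changePassword.pl, showUsage.pl):
# no web-server login is requested here.
<Location "/cgi-bin/Radmin/public">
    Options None
    Require all granted
</Location>
```
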
Tip
It is possible to configure Apache (and some other web servers) to
authenticate web users against a Radius server (such as Radius). This
can be very convenient, because you would not have to maintain a
separate AuthUserFile for your Apache web access.