httpd-users mailing list archives

From Marki
Subject [users@httpd] Radius AAA, transmit part of client certificate DN as username
Date Sat, 26 Sep 2020 13:46:38 GMT

I've installed mod_auth_radius and am trying to send part of a client 
certificate DN as the username.

What I'm doing is:

   SSLCACertificateFile /CA.pem
   <Location /ssltest>
     SSLVerifyClient require
     SSLVerifyDepth 99
     SSLOptions +FakeBasicAuth

     AuthType basic
     AuthName "Cert"
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"

     Require valid-user
   </Location>

I haven't found out how to only send part of the DN to Radius.

"SSLOptions +FakeBasicAuth" transmits entire DN.

Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits entire DN.

Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits entire DN.

Without "SSLOptions +FakeBasicAuth" no Radius request is ever made, 
independently of whether SSLUserName and/or AuthBasicFake is set or not.

How do I send _part of_ the DN to Radius for authentication?

I feel this may have to do with this:

But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation 
suggests, see

"When the FakeBasicAuth option is enabled, this directive instead 
controls the value of the username embedded within the basic 
authentication header (see SSLOptions)."


(Apache 2.4.23)
