Radius AAA, transmit part of client certificate DN as username

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Radius AAA, transmit part of client certificate DN as username

Marki
Hello,

I've installed mod_auth_radius and am trying to send part of a client
certificate DN as the username.

What I'm doing is:

   SSLCACertificateFile /CA.pem
   <Location /ssltest>
     SSLVerifyClient require
     SSLVerifyDepth 99
     SSLOptions +FakeBasicAuth
     SSLUserName SSL_CLIENT_S_DN_CN

     AuthType basic
     AuthName "Cert"
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"

     <RequireAny>
       Require valid-user
     </RequireAny>
   </Location>

I haven't found out how to only send part of the DN to Radius.

"SSLOptions +FakeBasicAuth" transmits entire DN.

Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits entire DN.

Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits entire DN.

Without "SSLOptions +FakeBasicAuth" no Radius request is ever made,
indepedently of whether SSLUserName and/or AuthBasicFake is set or not.

How do I send _part of_ the DN to Radius for authentication?

I feel this may have to do with this:
https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418

But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation
suggests, see
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusername

"When the FakeBasicAuth option is enabled, this directive instead
controls the value of the username embedded within the basic
authentication header (see SSLOptions)."

Thanks,
Marki

(Apache 2.4.23)



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]