Radius AAA, transmit part of client certificate DN as username


I've installed mod_auth_radius and am trying to send part of a client
certificate DN as the username.

What I'm doing is:

   SSLCACertificateFile /CA.pem
   <Location /ssltest>
     SSLVerifyClient require
     SSLVerifyDepth 99
     SSLOptions +FakeBasicAuth

     AuthType basic
     AuthName "Cert"
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"

     Require valid-user
   </Location>

I haven't found out how to only send part of the DN to Radius.

"SSLOptions +FakeBasicAuth" transmits the entire DN.

Adding "SSLUserName SSL_CLIENT_S_DN_CN" still transmits the entire DN.

Adding "AuthBasicFake "%{SSL_CLIENT_S_DN_CN}"" still transmits the entire DN.

Without "SSLOptions +FakeBasicAuth" no Radius request is ever made,
independently of whether SSLUserName and/or AuthBasicFake is set or not.

How do I send _part of_ the DN to Radius for authentication?

I feel this may have to do with this:

But there haven't been any updates in a long time. What's the current state?
In any case, the server does not seem to behave like the documentation
suggests, see

"When the FakeBasicAuth option is enabled, this directive instead
controls the value of the username embedded within the basic
authentication header (see SSLOptions)."


(Apache 2.4.23)
