Client certificate authentication using Apache and mod_auth_radius

Marki jm+freeradiususer at
Thu Sep 24 08:28:18 CEST 2020


I've tried authenticating a client certificate using Apache and 
aforementioned module.

All I'm getting to work is for Apache to transmit the entire DN to 
Radius as username, which contains whitespace and thus doesn't work.

For the sake of testing I've tried sending only the country code 
contained within the DN:

Virtualhost configuration is this:

<VirtualHost *:443>

   SSLVerifyClient require
   SSLCACertificateFile /CA.pem
   SSLVerifyDepth 2
   SSLOptions +FakeBasicAuth +StdEnvVars

   <Location />
     AuthType basic
     AuthName "Cert"
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_C}"

       Require valid-user

Without "SSLOptions +FakeBasicAuth", Radius isn't queried at all. Using 
"AuthBasicFake" does not change things (specifying it alone does not 
query Radius, and specifying it additionally to SSLUsername does not 
change anything).

Has anyone ever made extracting a part of the DN in order to provide it 
to Radius work with Apache? (Apache version in this case is 2.4.23)

I've found some bug reports for Apache, the state of which is not clear 


More information about the Freeradius-Users mailing list