Client certificate authentication using Apache and mod_auth_radius
Marki
jm+freeradiususer at roth.lu
Thu Sep 24 08:28:18 CEST 2020
Hello,

I've tried authenticating a client certificate using Apache and the
aforementioned module.

All I'm getting to work is for Apache to transmit the entire DN to
Radius as the username, which contains whitespace and thus doesn't work.

For the sake of testing, I've tried sending only the country code
contained within the DN.

The VirtualHost configuration is this:

<VirtualHost *:443>
    ...
    SSLVerifyClient require
    SSLCACertificateFile /CA.pem
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StdEnvVars
    SSLUserName SSL_CLIENT_S_DN_C
    <Location />
        AuthType basic
        AuthName "Cert"
        AuthBasicProvider radius
        # AuthBasicFake "%{SSL_CLIENT_S_DN_C}"
        <RequireAny>
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>

Without "SSLOptions +FakeBasicAuth", Radius isn't queried at all. Using
"AuthBasicFake" does not change things (specifying it alone does not
query Radius, and specifying it in addition to SSLUserName does not
change anything).

Has anyone ever made extracting a part of the DN in order to provide it
to Radius work with Apache? (The Apache version in this case is 2.4.23.)

I've found some bug reports for Apache, the state of which is not clear,
however:

https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418

Thanks,
Marki