Client certificate authentication using Apache and mod_auth_radius


Client certificate authentication using Apache and mod_auth_radius

Marki
Hello,

I've tried authenticating a client certificate using Apache and
aforementioned module.

All I'm getting to work is for Apache to transmit the entire DN to
Radius as username, which contains whitespace and thus doesn't work.

For the sake of testing I've tried sending only the country code
contained within the DN:

Virtualhost configuration is this:

<VirtualHost *:443>
   ...

   # Require a client certificate that chains to /CA.pem, at most two CA levels deep
   SSLVerifyClient require
   SSLCACertificateFile /CA.pem
   SSLVerifyDepth 2
   # +FakeBasicAuth: mod_ssl turns the certificate subject DN into a Basic
   # Authorization header (the password is the fixed string "password").
   # +StdEnvVars: export the SSL_* variables, including SSL_CLIENT_S_DN_C.
   SSLOptions +FakeBasicAuth +StdEnvVars
   # Set the request user name (REMOTE_USER) from the DN's country component
   SSLUserName SSL_CLIENT_S_DN_C

   <Location />
     AuthType Basic
     AuthName "Cert"
     # mod_auth_radius: verify the Basic credentials against RADIUS
     AuthBasicProvider radius
#    AuthBasicFake "%{SSL_CLIENT_S_DN_C}"

     <RequireAny>
       Require valid-user
     </RequireAny>
   </Location>
</VirtualHost>

Without "SSLOptions +FakeBasicAuth", Radius isn't queried at all. Using
"AuthBasicFake" does not change things (specifying it alone does not
query Radius, and specifying it additionally to SSLUsername does not
change anything).

Has anyone ever made extracting a part of the DN in order to provide it
to Radius work with Apache? (Apache version in this case is 2.4.23)

I've found some bug reports for Apache, the state of which is not clear
however:
https://bz.apache.org/bugzilla/show_bug.cgi?id=52616
https://bz.apache.org/bugzilla/show_bug.cgi?id=31418

Thanks,
Marki

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Client certificate authentication using Apache and mod_auth_radius

Alan DeKok
On Sep 24, 2020, at 2:28 AM, Marki <[hidden email]> wrote:
> I've tried authenticating a client certificate using Apache and aforementioned module.
>
> All I'm getting to work is for Apache to transmit the entire DN to Radius as username, which contains whitespace and thus doesn't work.

  RADIUS doesn't care about whitespace or not.

  The issue is that the mod_auth_radius module looks for username and password from the HTTP headers.  If those don't exist, the module won't do anything.

  In the end, this is an Apache issue.  I wrote the mod_auth_radius in 1999 or so.  The Apache people refused to accept it as part of the Apache project.  So the module has sort of stalled in development.

  Alan DeKok.


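Added example (not from either post in this thread). The two messages above describe one pipeline: mod_ssl turns the certificate's subject DN into Basic credentials, mod_auth_radius takes the username and password from that HTTP header, and the RADIUS server receives the name in a User-Name attribute where whitespace is harmless. The Python below, written for this page rather than taken from Apache, mod_auth_radius or FreeRADIUS, walks that pipeline offline: it decodes a constructed Authorization header of the form the mod_ssl documentation describes for +FakeBasicAuth (DN as username, the literal string "password" as password), picks one RDN such as C= out of the DN with a hypothetical helper standing in for what Marki wanted Apache to do (Apache has no such directive; the helper is an assumption of this example), packs the name into an RFC 2865 Access-Request with User-Password hiding, and parses the packet back. The sample DN, the shared secret and all function names are constructed for the example. It also enforces the one hard limit the thread does not mention: a RADIUS attribute value is at most 253 bytes, so an over-long DN, not its whitespace, is what would actually fail to fit.

```python
"""What mod_auth_radius sees behind mod_ssl +FakeBasicAuth, and how the
username then travels in a RADIUS Access-Request (RFC 2865).

Added example for this page; not code from Apache, mod_auth_radius or
FreeRADIUS. All sample values below are constructed.
"""
import base64
import hashlib
import os
import struct

# Constructed sample (not captured from a real server): the Basic header the
# mod_ssl docs describe for +FakeBasicAuth: username = subject DN in
# "/C=../ST=.." form, password = the fixed string "password". The DN
# deliberately contains whitespace, as in the thread.
SAMPLE_DN = "/C=DE/ST=Some State/O=Example Corp/OU=Field Ops/CN=Jane Doe"
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(
    (SAMPLE_DN + ":password").encode("utf-8")).decode("ascii")

CODE_ACCESS_REQUEST = 1   # RFC 2865 s.3
ATTR_USER_NAME = 1        # RFC 2865 s.5.1
ATTR_USER_PASSWORD = 2    # RFC 2865 s.5.2
MAX_ATTR_VALUE = 253      # one-byte attribute length minus the 2-byte header


def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization header.
    Splits at the first ':' as RFC 7617 requires, so a ':' inside the DN
    itself would truncate the username (a ':' in the password is fine)."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(b64.strip()).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def dn_component(dn, key):
    """Hypothetical helper: pick one RDN value (e.g. key="C") out of a
    '/'-separated DN string, which is what the poster wanted Apache to do
    before handing the name to RADIUS. Naive: an RDN value containing '/'
    would be split as well."""
    for rdn in dn.lstrip("/").split("/"):
        k, _, v = rdn.partition("=")
        if k == key:
            return v
    return None


def encode_user_password(password, secret, authenticator):
    """Hide User-Password per RFC 2865 s.5.2: pad to a multiple of 16 (min 16),
    XOR each block with MD5(secret + previous block), starting from the
    Request Authenticator. This is obfuscation, not encryption."""
    pw = password.encode("utf-8")
    if len(pw) > 128:
        raise ValueError("User-Password longer than 128 octets")
    padded_len = max(16, (len(pw) + 15) // 16 * 16)
    pw += b"\x00" * (padded_len - len(pw))
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(pw[i:i + 16], b))
        out += c
        prev = c
    return out


def decode_user_password(blob, secret, authenticator):
    """Inverse of encode_user_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], b))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8")


def build_access_request(username, password, secret, identifier=0, authenticator=None):
    """Build an Access-Request carrying User-Name and User-Password.
    User-Name is an opaque octet string: spaces need no quoting, but the
    value must fit in 253 bytes."""
    ra = os.urandom(16) if authenticator is None else authenticator
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    name = username.encode("utf-8")
    if len(name) > MAX_ATTR_VALUE:
        raise ValueError("User-Name of %d bytes exceeds the RFC 2865 limit of %d"
                         % (len(name), MAX_ATTR_VALUE))
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(name)) + name
    hidden = encode_user_password(password, secret, ra)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_access_request(packet, secret):
    """Parse the packet back into its User-Name and recovered User-Password,
    validating the length fields as a server would."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"User-Name": attrs[ATTR_USER_NAME].decode("utf-8"),
            "User-Password": decode_user_password(attrs[ATTR_USER_PASSWORD], secret, ra)}


if __name__ == "__main__":
    user, pw = parse_basic_auth(SAMPLE_AUTHORIZATION)
    print("Basic username:", repr(user), "country:", dn_component(user, "C"))
    pkt = build_access_request(user, pw, b"testing123", identifier=7)
    print("Access-Request:", parse_access_request(pkt, b"testing123"))
```

Run it with python3; the main block prints the decoded username, its C= component and the parsed request. The security caveat of FakeBasicAuth is visible in the packet: every DN arrives with the same fixed password, so the RADIUS server is effectively authenticating the name alone and must be reachable only from the Apache host (shared secret plus network restriction), since anything else able to send Access-Requests to it could present any DN with "password".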