I have a web server run by Apache 2.2 on my Debian Linux. I have a root and intermediate CA within Apache. The intermediate CA created my web server cert, as well as client certs. I would like to use the client certificate's CN as the username when my RADIUS server prompts me for credentials. I'm looking at Apache's website and it looks like there are some features that would be useful (such as AuthBasicFake); however, those are only available in Apache 2.4. Does anyone know of a workaround for this problem?

  • Update to Apache 2.4. "Please note that Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017." from [Apache Announcement 2.4](https://www.apache.org/dist/httpd/Announcement2.4.html) – Esa Jokinen Apr 13 '17 at 05:52
  • @EsaJokinen I figured it out and posted a solution. This is for a small project and the Linux computer is not mine so I didn't want to update to Jessie or Apache 2.4 – alexs973 Apr 13 '17 at 20:44

1 Answer


Since my version of Debian is Wheezy (7), I had to use Apache 2.2 and use a clever workaround. Here's my Apache configuration (with a couple lines omitted):

```apache
AddRadiusAuth ~~~~~~~~~~~~~~:1812 ~~~~~~~~~ 5:3
AddRadiusCookieValid 60

SSLEngine On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Present the client certificate's subject DN as the Basic auth username
SSLOptions +FakeBasicAuth

SSLCertificateFile ~~~~~~~~~~~~~~~~~~~~~~
SSLCertificateKeyFile ~~~~~~~~~~~~~~~~~~~~~~
SSLCACertificateFile ~~~~~~~~~~~~~~~~~~~~~~
SSLCACertificatePath ~~~~~~~~~~~~~~~~~~~~~~

<Directory /var/www/>
    # Refuse the connection unless a client certificate verifies against the CA
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars

    Options Indexes FollowSymLinks MultiViews
    DirectoryIndex /cgi-bin/index.html

    AllowOverride None
    Order allow,deny
    Allow from all

    AddHandler mod_python .py
    PythonHandler mod_python.publisher
    PythonDebug On

    # Basic auth credentials are checked by the RADIUS provider
    AuthType Basic
    AuthName "RADIUS authentication for localhost"
    AuthBasicAuthoritative off
    AuthRadiusAuthoritative on
    AuthBasicProvider radius
    AuthRadiusActive On
    Require valid-user
</Directory>
```

The `SSLOptions +FakeBasicAuth` takes everything in my certificate and uses it as the username and has the password of 'password'. I have RADIUS configured to check the username and password. So what I did was I created the client certificate and only included the CN, 'ExampleName'. I loaded the client certificate onto my browser and enabled it to be password protected every time it's used. Apache reads 'ExampleName' as '/CN=ExampleName' and passes that to RADIUS. However, for some reason (I'm guessing escape characters have something to do with this), RADIUS reads '/CN=ExampleName' as '/CN=3DExampleName'. So when I configured the username and password, it must be: '/CN=3DExampleName' and 'password'.

When I go to my site, I select the certificate and type in my password (not 'password', the one that I chose when I password protected it). Then RADIUS asks for a username and password. I enter nothing and click OK and it works. I'm guessing FakeBasicAuth (Apache) passes the username, '/CN=ExampleName' (which turns into '/CN=3DExampleName'), and password, 'password', to RADIUS.

Sorry for the long response (to my own question). Sometimes I get stuck and maybe this will help someone in the future. Also, if anyone has a better workaround without updating my Debian to Jessie (8) or to Apache 2.4, please let me know.

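The username mapping described in the answer above, as an added Python sketch (not code from the original post, Apache, or any RADIUS server): it builds the Basic credential that `+FakeBasicAuth` synthesizes from a subject DN and derives the `=XX`-escaped name the RADIUS side stored, plus the reverse mapping for reading RADIUS logs. The function names and the `SAFE` character set are assumptions made for illustration.

```python
import base64
import string

# Assumption: characters the RADIUS side passes through unescaped, chosen so that
# "/" survives and "=" is hex-escaped, matching what the answer observed.
SAFE = set(string.ascii_letters + string.digits + "@.-_: /")
FAKE_PASSWORD = "password"  # constant password paired with the DN by +FakeBasicAuth

def oneline_dn(rdns):
    """Render [(attr, value), ...] in the /K=V/K=V form used as the username."""
    return "".join("/%s=%s" % (k, v) for k, v in rdns)

def fake_basic_header(dn):
    """Authorization value equivalent to the credential FakeBasicAuth synthesizes."""
    raw = ("%s:%s" % (dn, FAKE_PASSWORD)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(value):
    """Split a Basic Authorization value back into (username, password)."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(b64).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def escape_username(name):
    """Hex-escape every byte outside SAFE as =XX (so '=' becomes '=3D')."""
    return "".join(chr(b) if chr(b) in SAFE else "=%02X" % b
                   for b in name.encode("utf-8"))

def unescape_username(name):
    """Recover the certificate DN from an escaped name seen in RADIUS logs."""
    out, i = bytearray(), 0
    while i < len(name):
        if name[i] == "=":
            pair = name[i + 1:i + 3]
            if len(pair) != 2:
                raise ValueError("truncated =XX escape")
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(name[i]))
            i += 1
    return out.decode("utf-8")

if __name__ == "__main__":
    dn = oneline_dn([("CN", "ExampleName")])  # constructed sample subject
    print(fake_basic_header(dn), "->", escape_username(dn))
```

Because the password is the same constant for every certificate, the RADIUS entry adds no secret of its own; the check that matters is `SSLVerifyClient require`, so that entry should only be accepted from this Apache host.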