The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Apache::AuthenRadius - Authentication via a Radius server


 # Configuration in httpd.conf

 PerlModule Apache::AuthenRadius

 # Authentication in .htaccess

 AuthName Radius

 AuthType Digest or AuthType Basic

 # authenticate via Radius
 PerlAuthenHandler Apache::AuthenRadius

 PerlSetVar Auth_Radius_host
 PerlSetVar Auth_Radius_port 1647
 PerlSetVar Auth_Radius_secret MySharedSecret
 PerlSetVar Auth_Radius_timeout 5

 # This allows you to append something to the user name that
 # is sent to the RADIUS server
 # usually a realm so the RADIUS server can use it to
 # discriminate between users
 PerlSetVar Auth_Radius_appendToUsername

 require valid-user


This module allows Basic and Digest authentication against a Radius server.


handler( $r )

The mod_perl handler.


  • Auth_Radius_host

    The Radius server host: either its name or its dotted quad IP number. The parameter is passed as the PeerHost option to IO::Socket::INET->new.

  • Auth_Radius_port

    The port on which the Radius server is listening: either its service name or its actual port number. This parameter defaults to "1647" which is the official service name for Radius servers. The parameter is passed as the PeerPort option to IO::Socket::INET->new.

  • Auth_Radius_secret

    The shared secret for connection to the Radius server.

  • Auth_Radius_timeout

    The timeout in seconds to wait for a response from the Radius server.

  • Auth_Radius_algorithm

    For Digest authentication, this is the algorithm to use. Defaults to 'MD5'. For Basic authentication, it is ignored. If Digest authentication is set, unauthenticated requests will be sent a Digest challenge, including a nonce. Authenticated requests will have the nonce checked against Auth_Radius_nonce_lifetime, then the whole Authentication header sent as the password to RADIUS.

  • Auth_Radius_appendToUsername

    Appends a string to the end of the user name that is sent to RADIUS. This would normally be in the form of a realm (i.e. This is useful where you might want to discriminate between the same user in several contexts. Clever RADIUS servers such as Radiator can use the realm to let the user in or no depending on which protected Apache directory they are trying to access.

  • Auth_Radius_nonce_lifetime

    Specifies the maximum nonce lifetime in seconds for Digest authentication. This parameter allows you to change the nonce lifetime for Digest authentication. Digest authentications whose nonce exceeds the maximum lifetime are declined. Defaults to 300 seconds.


The module should be loaded upon startup of the Apache daemon. Add the following line to your httpd.conf:

 PerlModule Apache::AuthenRadius


For AuthenRadius you need to enable the appropriate call-back hook when making mod_perl:

  perl Makefile.PL PERL_AUTHEN=1

For Digest authentication, you will need Authen::Radius version 0.06 or better. Version 0.05 only permits 16 byte passwords


Apache, mod_perl, Authen::Radius


Authen::Radius by Carl Declerck

Apache::AuthenRadius by Dan Sully <daniel | AT |>


The Apache::AuthenRadius module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.