Apache2 reverse proxy Radius auth and logging username

Howdy, gang!

I'm new to Apache, and I was hoping someone could help me out. I'm
using Apache2 as a reverse proxy for a couple of IIS hosts. That part
is working great - users can't tell the difference.

I would like to use radius to authenticate users at the proxy server
rather than via IIS, then pass the radius credentials to the backend
IIS servers (which are set to use basic authentication). I'd prefer
that only authenticated users threaten my IIS boxes :) Is this
doable? If anyone has a sample configuration to post, I would
consider naming my first child after you.

My second question might be made obsolete by the answers to my first
question. Right now I'm just passing through requests to my back-end
servers. I'd like to log the user's basic auth username in
access.log, but the LogFormat %u flag doesn't catch it. Does anyone
know of a way to capture the username when Apache is not
authenticating? This question isn't as important as the first one,
but maybe I could change the name of one of my cats.

Thanks!

Rob