Hi Matthew, We are using the check-eap-tls virtual server and ca_path with the magic "hash link" now, and it can achieve the desired results! Thank you so much. James On Wed, Nov 8, 2023 at 6:31 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 08/11/2023 10:13, James Fan wrote:
If I configure the ca_path, it does not multi-tenancy because the CA certificates will exist in one path, and if I use a client certificate from the other tenant's CA, it will pass, right?
You add extra checks to make sure the right one has been used.
But what EAP type?
If it's EAP-TLS then you can configure the check-eap-type virtual server (see the tls{} config section) where you can look at certificate information and accept/reject. It's often use to pull information from the client cert and then do an LDAP lookup, for example.
Otherwise you should be able to use the TLS-Cert-* attributes to see which root CA has been used and make policy decisions. See e.g. raddb/sites-available/default for a commented-out list of what's available.
So, how can I ensure the client will use the proper CA to verify certificates based on their tenant If I can get tenant information from the request?
"proper CA"? That doesn't make much sense. You don't.
The client will check that the server certificate presented is valid, or not. If it has the root CA installed of whatever server certificate is presented, then it'll pass. You can often configure the client (as part of its provisioning process, whatever that is for you) so that only a certain set of root CAs can be used for server auth, it's not something you do on the server side. But if the client user can reconfigure their machine, they can alter that setting - it's for security not for authentication purposes.
You don't permit the client to access the network based on what server certificate is presented. You verify the credentials the client sends to the server, e.g. the username/password, or the client cert - possibly with extra policy checks.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html