On 08/11/2023 08:42, James Fan wrote:
Hi, we have a case that, with multi-tenancy, there will be multiple CA certificates in our FreeRadius server, so we need to load the certificate chains dynamically. But when I use the statements below, I can't include the CA certificates in the certificate files I set. The TLS-Session-Cert-File looks like it is only for the server certificate and intermediate CA certificates. Is there any chance of dynamic loading certificate chains with root CA certificates?
Why? The client already has the root CA cert installed which is uses to verify the server certificate that you send. You don't need to send the root to the client again. If you want to use different root CAs on the server to verify client certificates (e.g. with EAP-TLS) from different roots then either configure ca_path in the eap module, or make duplicate eap module instances and call the appropriate one depending on the incoming request.
authenticate { ... Auth-Type eap { if ("%{unpack:&EAP-Message 4 byte}" == 1) { update control { TLS-Session-Cert-File := "${certdir}/realms/%{Realm}" } } eap
"eap" here should be inside the "Auth-Type eap" section.
} ... }
-- Matthew