Can I use diffrent root CA certificates while dynamic loading certificate chains?
Hi, we have a case that, with multi-tenancy, there will be multiple CA certificates in our FreeRadius server, so we need to load the certificate chains dynamically. But when I use the statements below, I can't include the CA certificates in the certificate files I set. The TLS-Session-Cert-File looks like it is only for the server certificate and intermediate CA certificates. Is there any chance of dynamic loading certificate chains with root CA certificates? Thanks. authenticate { ... Auth-Type eap { if ("%{unpack:&EAP-Message 4 byte}" == 1) { update control { TLS-Session-Cert-File := "${certdir}/realms/%{Realm}" } } eap } ... }
On 08/11/2023 08:42, James Fan wrote:
Hi, we have a case that, with multi-tenancy, there will be multiple CA certificates in our FreeRadius server, so we need to load the certificate chains dynamically. But when I use the statements below, I can't include the CA certificates in the certificate files I set. The TLS-Session-Cert-File looks like it is only for the server certificate and intermediate CA certificates. Is there any chance of dynamic loading certificate chains with root CA certificates?
Why? The client already has the root CA cert installed which is uses to verify the server certificate that you send. You don't need to send the root to the client again. If you want to use different root CAs on the server to verify client certificates (e.g. with EAP-TLS) from different roots then either configure ca_path in the eap module, or make duplicate eap module instances and call the appropriate one depending on the incoming request.
authenticate { ... Auth-Type eap { if ("%{unpack:&EAP-Message 4 byte}" == 1) { update control { TLS-Session-Cert-File := "${certdir}/realms/%{Realm}" } } eap
"eap" here should be inside the "Auth-Type eap" section.
} ... }
-- Matthew
Hi Matthew, Thanks for your reply. If I configure the ca_path, it does not multi-tenancy because the CA certificates will exist in one path, and if I use a client certificate from the other tenant's CA, it will pass, right? So, how can I ensure the client will use the proper CA to verify certificates based on their tenant If I can get tenant information from the request? Thanks. On Wed, Nov 8, 2023 at 5:47 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 08/11/2023 08:42, James Fan wrote:
Hi, we have a case that, with multi-tenancy, there will be multiple CA certificates in our FreeRadius server, so we need to load the certificate chains dynamically. But when I use the statements below, I can't include the CA certificates in the certificate files I set. The TLS-Session-Cert-File looks like it is only for the server certificate and intermediate CA certificates. Is there any chance of dynamic loading certificate chains with root CA certificates?
Why? The client already has the root CA cert installed which is uses to verify the server certificate that you send. You don't need to send the root to the client again.
If you want to use different root CAs on the server to verify client certificates (e.g. with EAP-TLS) from different roots then either configure ca_path in the eap module, or make duplicate eap module instances and call the appropriate one depending on the incoming request.
authenticate { ... Auth-Type eap { if ("%{unpack:&EAP-Message 4 byte}" == 1) { update control { TLS-Session-Cert-File := "${certdir}/realms/%{Realm}" } } eap
"eap" here should be inside the "Auth-Type eap" section.
} ... }
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 08/11/2023 10:13, James Fan wrote:
If I configure the ca_path, it does not multi-tenancy because the CA certificates will exist in one path, and if I use a client certificate from the other tenant's CA, it will pass, right?
You add extra checks to make sure the right one has been used. But what EAP type? If it's EAP-TLS then you can configure the check-eap-type virtual server (see the tls{} config section) where you can look at certificate information and accept/reject. It's often use to pull information from the client cert and then do an LDAP lookup, for example. Otherwise you should be able to use the TLS-Cert-* attributes to see which root CA has been used and make policy decisions. See e.g. raddb/sites-available/default for a commented-out list of what's available.
So, how can I ensure the client will use the proper CA to verify certificates based on their tenant If I can get tenant information from the request?
"proper CA"? That doesn't make much sense. You don't. The client will check that the server certificate presented is valid, or not. If it has the root CA installed of whatever server certificate is presented, then it'll pass. You can often configure the client (as part of its provisioning process, whatever that is for you) so that only a certain set of root CAs can be used for server auth, it's not something you do on the server side. But if the client user can reconfigure their machine, they can alter that setting - it's for security not for authentication purposes. You don't permit the client to access the network based on what server certificate is presented. You verify the credentials the client sends to the server, e.g. the username/password, or the client cert - possibly with extra policy checks. -- Matthew
Hi Matthew, We are using the check-eap-tls virtual server and ca_path with the magic "hash link" now, and it can achieve the desired results! Thank you so much. James On Wed, Nov 8, 2023 at 6:31 PM Matthew Newton via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
On 08/11/2023 10:13, James Fan wrote:
If I configure the ca_path, it does not multi-tenancy because the CA certificates will exist in one path, and if I use a client certificate from the other tenant's CA, it will pass, right?
You add extra checks to make sure the right one has been used.
But what EAP type?
If it's EAP-TLS then you can configure the check-eap-type virtual server (see the tls{} config section) where you can look at certificate information and accept/reject. It's often use to pull information from the client cert and then do an LDAP lookup, for example.
Otherwise you should be able to use the TLS-Cert-* attributes to see which root CA has been used and make policy decisions. See e.g. raddb/sites-available/default for a commented-out list of what's available.
So, how can I ensure the client will use the proper CA to verify certificates based on their tenant If I can get tenant information from the request?
"proper CA"? That doesn't make much sense. You don't.
The client will check that the server certificate presented is valid, or not. If it has the root CA installed of whatever server certificate is presented, then it'll pass. You can often configure the client (as part of its provisioning process, whatever that is for you) so that only a certain set of root CAs can be used for server auth, it's not something you do on the server side. But if the client user can reconfigure their machine, they can alter that setting - it's for security not for authentication purposes.
You don't permit the client to access the network based on what server certificate is presented. You verify the credentials the client sends to the server, e.g. the username/password, or the client cert - possibly with extra policy checks.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am trying to upgrade to FreeRADIUS 3.2.6 and Python3 The documentation link at rlm_python3 (and rlm_python for that matter) goes to the "modules" page and there is nothing on the page for python. Is the python doc hiding somewhere? Maybe also a question. In FR 3.0 it did not actually use the local python (2.x) installation at all. (unless libraries were added to the PYTHONPATH) Is that still true?
On Oct 28, 2024, at 4:26 PM, Dan M <dan.red.beard@gmail.com> wrote:
I am trying to upgrade to FreeRADIUS 3.2.6 and Python3 The documentation link at rlm_python3 (and rlm_python for that matter) goes to the "modules" page and there is nothing on the page for python.
Is the python doc hiding somewhere?
You can see mods-available/python3. There is no auto-generated HTML documentation for the Python module in version 3.x.
Maybe also a question. In FR 3.0 it did not actually use the local python (2.x) installation at all. (unless libraries were added to the PYTHONPATH) Is that still true?
See mods-available/python3 This is all documented. Alan DeKok.
From: Freeradius-Users <freeradius-users- bounces+dan.red.beard=gmail.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Monday, October 28, 2024 1:29 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Documentation question/issue
On Oct 28, 2024, at 4:26 PM, Dan M <dan.red.beard@gmail.com> wrote:
I am trying to upgrade to FreeRADIUS 3.2.6 and Python3 The documentation link at rlm_python3 (and rlm_python for that matter) goes to the "modules" page and there is nothing on the page for python.
Is the python doc hiding somewhere?
You can see mods-available/python3. There is no auto-generated HTML documentation for the Python module in version 3.x.
Maybe also a question. In FR 3.0 it did not actually use the local python (2.x) installation at all. (unless libraries were added to the PYTHONPATH) Is that still true?
See mods-available/python3
This is all documented.
Often I find that answer to be true. Not sufficiently for my questions today. There is nothing in that file about what is actually going on inside FR when using python3. It only talks about the PYTHONPATH and implementing functions. And I don't think PYTHONPATH is relevant until python is actually active. Is this correct: Installing freeradius-python add supports for python 3 in FR 3.2.6. Internally, FR uses libpython3 to create a python environment. Since the name of libpython3.so is not versioned (beyond 3) FR doesn't need to know nor does it care which 3.x version is installed. FR will us what it finds. (I'm on RHEL 9) And since it isn't using the python3 command there is no "default" package path. If anything is needed from say /usr/lib64/python3.9/site-packages then that path has to be added to python_path in mods-config/python3 (or possibly the system var instead) I suppose it says that but not quite so explicitly especially for someone invoking python3 and getting all that for free. I'm pretty sure there used to be a page that said all this. And also pretty sure that it is neither in any installed files nor is it obvious. So when some info security agent asks me "how does it use the local installation?" I can't point to your documentation and say: "like that!" Because there isn't any. Would be nice if you had something like that. Because I will be asked. Thanks for suffering this 10T user.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 28, 2024, at 6:10 PM, Dan M <dan.red.beard@gmail.com> wrote:
This is all documented.
Often I find that answer to be true. Not sufficiently for my questions today.
The python / python3 modules take the RADIUS attributes, and dump then into python dicts. When the module is done, they take the python dicts and put them back into the RADIUS attributes.
There is nothing in that file about what is actually going on inside FR when using python3.
We're happy to take patches. Unfortunately, we've seen very, very, few patches to fix the documentation. Oh well.
It only talks about the PYTHONPATH and implementing functions. And I don't think PYTHONPATH is relevant until python is actually active.
The PYTHONPATH is only used for loading python code, when the rlm_python module is running.
Is this correct: Installing freeradius-python add supports for python 3 in FR 3.2.6. Internally, FR uses libpython3 to create a python environment. Since the name of libpython3.so is not versioned (beyond 3) FR doesn't need to know nor does it care which 3.x version is installed. FR will us what it finds. (I'm on RHEL 9)
That's the idea.
And since it isn't using the python3 command there is no "default" package path. If anything is needed from say /usr/lib64/python3.9/site-packages then that path has to be added to python_path in mods-config/python3 (or possibly the system var instead)
Yes.
I suppose it says that but not quite so explicitly especially for someone invoking python3 and getting all that for free.
I'm pretty sure there used to be a page that said all this. And also pretty sure that it is neither in any installed files nor is it obvious.
All of the documentation is up to date, as best we can make it. We don't generally delete documentation which is useful to people.
So when some info security agent asks me "how does it use the local installation?" I can't point to your documentation and say: "like that!" Because there isn't any.
Would be nice if you had something like that. Because I will be asked.
Figure it out and submit a patch. Unfortunately, I've seen about 100x more complaints than patches. For some unknown reason, the documentation doesn't improve. This is Free Software. It gets better when people contribute. If most people don't contribute, then it's up to the small number of people who do contribute. And they're generally inclined to be happier with patches than with complaints. Alan DeKok.
participants (4)
-
Alan DeKok -
Dan M -
James Fan -
Matthew Newton