Can I use different root CA certificates while dynamically loading certificate chains?
Matthew Newton
mcn at freeradius.org
Wed Nov 8 10:31:14 UTC 2023
On 08/11/2023 10:13, James Fan wrote:
> If I configure the ca_path, it does not support multi-tenancy because the CA
> certificates will exist in one path, and if I use a client certificate from
> the other tenant's CA, it will pass, right?
You add extra checks to make sure the right one has been used.
But what EAP type?
If it's EAP-TLS then you can configure the check-eap-type virtual server
(see the tls{} config section) where you can look at certificate
information and accept/reject. It's often used to pull information from
the client cert and then do an LDAP lookup, for example.
Otherwise you should be able to use the TLS-Cert-* attributes to see
which root CA has been used and make policy decisions. See e.g.
raddb/sites-available/default for a commented-out list of what's available.
> So, how can I ensure the client will use the proper CA to verify
> certificates based on their tenant if I can get tenant information from the
> request?
"proper CA"? That doesn't make much sense. You don't.
The client will check that the server certificate presented is valid, or
not. If it has the root CA installed of whatever server certificate is
presented, then it'll pass. You can often configure the client (as part
of its provisioning process, whatever that is for you) so that only a
certain set of root CAs can be used for server auth, it's not something
you do on the server side. But if the client user can reconfigure their
machine, they can alter that setting - it's for security, not for
authentication purposes.
You don't permit the client to access the network based on what server
certificate is presented. You verify the credentials the client sends to
the server, e.g. the username/password, or the client cert - possibly
with extra policy checks.
--
Matthew
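An added example of the server-side policy check described in the reply (written for this page, not taken from the post or from the FreeRADIUS distribution), in FreeRADIUS 3.x unlang. It assumes the tls{} config's `virtual_server` setting names this server, that ca_path holds every tenant's client CA so chain verification already passes, that the tenant is identified by the SSID suffix of Called-Station-Id, and that the SSIDs and issuer DNs shown are constructed placeholder values.

```unlang
#  Added example, not from the original post or the FreeRADIUS distribution.
#  Assumes: eap { tls-config tls-common { virtual_server = check-eap-tls } }
#  and that ca_path contains the client CAs of every tenant, so OpenSSL chain
#  verification passes for any tenant's certificate.  This server then binds
#  the certificate's issuer to the tenant the request belongs to.
server check-eap-tls {
	authorize {
		#  Tenant is taken from the SSID suffix of Called-Station-Id
		#  ("AA-BB-CC-DD-EE-FF:SSID").  SSIDs and issuer DNs below are
		#  constructed placeholder values; replace with your own.
		if (&Called-Station-Id =~ /:tenant-a$/i) {
			update request {
				&Tmp-String-0 := "/O=Tenant A/CN=Tenant A Client CA"
			}
		}
		elsif (&Called-Station-Id =~ /:tenant-b$/i) {
			update request {
				&Tmp-String-0 := "/O=Tenant B/CN=Tenant B Client CA"
			}
		}
		else {
			#  Unknown tenant: refuse rather than fall through to a
			#  match against any CA in ca_path.
			reject
		}

		#  TLS-Client-Cert-Issuer is filled in from the presented client
		#  certificate.  A certificate issued by another tenant's CA would
		#  still verify against ca_path, so this comparison is the check
		#  that actually enforces tenant isolation.
		if (&TLS-Client-Cert-Issuer != &Tmp-String-0) {
			update request {
				&Module-Failure-Message := "client cert issuer does not match tenant CA"
			}
			reject
		}

		#  Checks passed: tell the TLS code to accept the certificate.
		update control {
			&Auth-Type := Accept
		}
	}
}
```

The same attributes can be compared in the main site's post-auth section instead, but doing it here rejects the certificate during the TLS handshake rather than after it completes.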