Can I use diffrent root CA certificates while dynamic loading certificate chains?

James Fan polysorb at gmail.com
Thu Nov 9 06:28:08 UTC 2023 

Hi Matthew,
We are using the check-eap-tls virtual server and ca_path with the magic
"hash link" now, and it can achieve the desired results!
Thank you so much.

James

On Wed, Nov 8, 2023 at 6:31 PM Matthew Newton via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

>
>
> On 08/11/2023 10:13, James Fan wrote:
> > If I configure the ca_path, it does not multi-tenancy because the CA
> > certificates will exist in one path, and if I use a client certificate
> from
> > the other tenant's CA, it will pass, right?
>
> You add extra checks to make sure the right one has been used.
>
> But what EAP type?
>
> If it's EAP-TLS then you can configure the check-eap-type virtual server
> (see the tls{} config section) where you can look at certificate
> information and accept/reject. It's often use to pull information from
> the client cert and then do an LDAP lookup, for example.
>
> Otherwise you should be able to use the TLS-Cert-* attributes to see
> which root CA has been used and make policy decisions. See e.g.
> raddb/sites-available/default for a commented-out list of what's available.
>
> > So, how can I ensure the client will use the proper CA to verify
> > certificates based on their tenant If I can get tenant information from
> the
> > request?
>
> "proper CA"? That doesn't make much sense. You don't.
>
> The client will check that the server certificate presented is valid, or
> not. If it has the root CA installed of whatever server certificate is
> presented, then it'll pass. You can often configure the client (as part
> of its provisioning process, whatever that is for you) so that only a
> certain set of root CAs can be used for server auth, it's not something
> you do on the server side. But if the client user can reconfigure their
> machine, they can alter that setting - it's for security not for
> authentication purposes.
>
> You don't permit the client to access the network based on what server
> certificate is presented. You verify the credentials the client sends to
> the server, e.g. the username/password, or the client cert - possibly
> with extra policy checks.
>
> --
> Matthew
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list