net/freeradius: EAP-TLS with multiple CAs #4381

Merged
merged 3 commits into from
Jan 14, 2025


razza-guhl
Contributor

@razza-guhl razza-guhl commented Dec 2, 2024

Description:
This PR enables the configuration of multiple CA certificates for EAP-TLS authentication in FreeRADIUS. This is useful for environments where client devices (e.g., laptops, desktops) use certificates from an internal private CA, while devices like VoIP phones and printers use certificates issued by their vendor's CA.

The configuration aligns with the FreeRADIUS documentation regarding the "ca_file" directive, which supports multiple CA certificates:
[FreeRADIUS Documentation - ca_file](https://networkradius.com/doc/current/raddb/tls/tls-config_tls-common.html)

To implement this, the controller and model for EAP were modified, and the "generate_certs.php" script was updated to handle and process multiple refid values when provided.

Changes:

  • Modified "generate_certs.php" to support multiple CA references.
  • Updated logic to accommodate additional CA certificates for EAP-TLS configurations.
  • Modified the UI for multiple CA input.

Testing:

  • Verified functionality with multiple CAs in test environments for both internal and vendor-supplied certificates.
  • Ensured backward compatibility for single CA setups.

Let me know if additional tests or refinements are needed!
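
A sketch of the bundling step described above, assuming the selected CAs are concatenated as PEM into the one file that `ca_file` names; this is an added example, not the PR's `generate_certs.php` code. The function names and the sample PEM blocks are constructed for illustration, and only the PEM framing is checked, not the X.509 contents.

```python
import base64
import re

# Matches one PEM block of any type; the label is captured so that
# non-certificate blocks (e.g. private keys) can be rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def build_ca_bundle(pem_texts):
    """Merge several PEM CA certificates into one ca_file-style bundle.

    Every certificate in the result becomes a trust anchor for client
    authentication, so only well-formed CERTIFICATE blocks are accepted.
    """
    seen, out = set(), []
    for text in pem_texts:
        blocks = PEM_BLOCK.findall(text)
        if not blocks:
            raise ValueError("input contains no PEM block")
        for label, body in blocks:
            if label != "CERTIFICATE":
                raise ValueError(f"refusing to bundle a {label} block")
            der = base64.b64decode("".join(body.split()), validate=True)
            if der in seen:  # the same CA was selected twice
                continue
            seen.add(der)
            b64 = base64.b64encode(der).decode()
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            # Re-emit with a guaranteed trailing newline so adjacent blocks
            # never fuse into "-----END ...----------BEGIN ...".
            out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                       + "\n-----END CERTIFICATE-----\n")
    return "".join(out)

def count_certs(bundle):
    return len(PEM_BLOCK.findall(bundle))

def fake_pem(payload, label="CERTIFICATE", newline=True):
    # Constructed sample: PEM framing around placeholder bytes, not real X.509.
    body = base64.b64encode(payload).decode()
    tail = "\n" if newline else ""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----{tail}"

INTERNAL_CA = fake_pem(b"constructed internal CA", newline=False)
VENDOR_CA = fake_pem(b"constructed vendor CA")

if __name__ == "__main__":
    bundle = build_ca_bundle([INTERNAL_CA, VENDOR_CA, INTERNAL_CA])
    print(bundle, end="")
    print("certificates in bundle:", count_certs(bundle))
```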

@razza-guhl razza-guhl force-pushed the freeradius-eap-tls-multiple-ca branch from b3eb2e0 to 32d4709 Compare December 2, 2024 17:06
@razza-guhl razza-guhl marked this pull request as ready for review December 2, 2024 18:14
Contributor Author

@razza-guhl razza-guhl left a comment

Tested and works as expected

Member

@mimugmail mimugmail left a comment

Yes, this looks good and works on my system, thx. @fichtner there is a second PR open so no version bump here and we'll do it afterwards. ok?

@mimugmail
Member

@fichtner any chance to get the devel before 25.1? :)

@fichtner fichtner self-assigned this Jan 14, 2025
@fichtner fichtner merged commit 2f4e63b into opnsense:master Jan 14, 2025
@fichtner
Member

Merged, thanks!
