Function Replication

You do it on both.
Client does it so it doesn’t waste an RPC for the server to just say no. Consider key spamming: 100 back-to-back RPCs that get ignored.

Server does it to prevent cheating, and it is the one that actually equips (attaches, changes character state, etc.).

Firing a weapon goes through the same flow. Client checks if it can (has weapon, weapon has ammo, etc.) → RPC server. Server checks if it can (has weapon, weapon has ammo, etc.) → fires auth shot.
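
The flow described in the post above, as an added example that is not part of the original post: an engine-agnostic C++ model in which the same check runs on the client (to save RPCs) and again on the server (the only copy that is trusted). All type and function names are hypothetical, not engine API, and the ammo and key-press counts are constructed sample values.

```cpp
#include <cstdio>

// Engine-agnostic model; every name here is hypothetical, not engine API.
struct WeaponState { bool hasWeapon = false; int ammo = 0; };

// The same rule runs on both sides; only the server's state is trusted.
static bool CanFire(const WeaponState& s) { return s.hasWeapon && s.ammo > 0; }

struct Server {
    WeaponState auth;  // authoritative state, never taken from the client
    int rpcsReceived = 0, shotsFired = 0, rejected = 0;

    // Stands in for the client-to-server RPC handler.
    bool ServerFire() {
        ++rpcsReceived;
        if (!CanFire(auth)) { ++rejected; return false; }  // re-check on the server
        --auth.ammo;
        ++shotsFired;  // the authoritative shot
        return true;
    }
};

struct Client {
    WeaponState local;            // local copy, may be stale or tampered with
    Server* server = nullptr;
    bool skipLocalCheck = false;  // true models a modified client

    void PressFire() {
        if (!skipLocalCheck && !CanFire(local)) return;  // no RPC wasted
        if (server->ServerFire()) --local.ammo;  // stands in for state replicating back
    }
};

// Presses fire `presses` times starting with `ammo` rounds; returns server counters.
Server Simulate(int ammo, int presses, bool skipLocalCheck) {
    Server s;
    s.auth.hasWeapon = true;
    s.auth.ammo = ammo;
    Client c;
    c.local = s.auth;
    c.server = &s;
    c.skipLocalCheck = skipLocalCheck;
    for (int i = 0; i < presses; ++i) c.PressFire();
    return s;
}

int main() {
    Server a = Simulate(3, 100, false);  // constructed input: 3 rounds, 100 key presses
    Server b = Simulate(3, 100, true);
    std::printf("honest:   rpcs=%d shots=%d rejected=%d\n", a.rpcsReceived, a.shotsFired, a.rejected);
    std::printf("modified: rpcs=%d shots=%d rejected=%d\n", b.rpcsReceived, b.shotsFired, b.rejected);
}
```

The shot count is identical in both runs because the server decides it; the client-side check only changes how many RPCs the server has to receive and reject.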