Sorry for resuming this thread but I resumed working on this project too. Each company may use PEAP (not really the best I know) or EAP-TLS (or TTLs) for smart devices and iPSK (MAC addr as username and the RADIUS returns the PSK) for IoT devices. As to the CRL my understanding is that the CRL must be concatenated to the CA or the CA chain. And whenever a cert is revoked the CRL must be updated and the FR instance restarted. Things from this standpoint haven't changed so far, have thay? So if each company wants to manage their own devices independently we must have one FR instance per company. I guess it's possible to run different FR instance on the same host though using docker would be a more elegant solution. Eventually there will be as many FR instances as the tenants for Smart Devices, one possible DB for IoT devices (one table per tenant?) and as many CRL as the number of tenants. Alex On Wed, Dec 29, 2021 at 4:51 PM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 29, 2021, at 10:15 AM, Alex Zetaeffesse <fzetafs@gmail.com> wrote:
I didn't know FR could query different sources of authentication/authorization sequentially (especially if tables are on different servers) but I guess that would introduce a lag in the response time back to the NAS
Yes.
FR can do pretty much anything. It's just that you usually don't want to do many queries. It's inefficient, and slow.
Maybe a SQL proxy (that's on my side)? Then the first reply would be served. And uh by writing this I realized I could expose the service to a potential DoS for specific MAC addresses. Ok, much better a single table in a single DB where checks before storing a record can be done simply and quickly!
Exactly.
Also, the table used by FR doesn't have to be the same ones used by the web tool. You can create views, foreign keys, etc.
The point is that the DB used by FreeRADIUS should be (a) local, and (b) fast.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html