Hi all, I have been working on a project that we need to support more than 10000 tenants. I tried to create multiple virtual servers and each listen to different ports and I found that I can only create up to 300 virtual servers due to the limitation of FD_SETSIZE. In this case I will need to have more than 300 servers running which doesn't seem to make much sense. I also consider the option of creating multiple client sections to specify the source IP addresses and the corresponding virtual server. However, I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server. I am running out of options and hoping that you may share your experience or suggestions. thank you very much Cecil
On 15.06.22 05:26, Cecil Wei wrote:
Hi all,
I have been working on a project that we need to support more than 10000 tenants. I tried to create multiple virtual servers and each listen to different ports and I found that I can only create up to 300 virtual servers due to the limitation of FD_SETSIZE. In this case I will need to have more than 300 servers running which doesn't seem to make much sense.
I also consider the option of creating multiple client sections to specify the source IP addresses and the corresponding virtual server. However, I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server.
I am running out of options and hoping that you may share your experience or suggestions.
thank you very much
Cecil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How about separating the tenants by their REALMs? Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
On Jun 14, 2022, at 10:26 PM, Cecil Wei <cecilwei@gmail.com> wrote:
I have been working on a project that we need to support more than 10000 tenants. I tried to create multiple virtual servers and each listen to different ports and I found that I can only create up to 300 virtual servers due to the limitation of FD_SETSIZE. In this case I will need to have more than 300 servers running which doesn't seem to make much sense.
The normal process is to just create users as "user@realm.org". You can then use one server.
I also consider the option of creating multiple client sections to specify the source IP addresses and the corresponding virtual server. However, I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server.
The reason this is hard is because no one does this. It's a bad design, and will cause all kinds of problems in the future.
I am running out of options and hoping that you may share your experience or suggestions.
Just use realms. It's what people have done for 20+ years. Alan DeKok.
Hi Alan, Michael, Thank you so much for your reply. I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points, the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured. Can I do the following things? 1. Create 10,000 virtual servers each maps to a tenant. 2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server. If the radius request is directly sent from access point, use client section to redirect to the virtual server. If the radius request is from proxy server, identify the realm with attribute in the request and redirect to the correct virtual server. Thank you again for your kind response. Cecil Alan DeKok <aland@deployingradius.com> 於 2022年6月16日 週四 凌晨4:35寫道:
On Jun 14, 2022, at 10:26 PM, Cecil Wei <cecilwei@gmail.com> wrote:
I have been working on a project that we need to support more than 10000 tenants. I tried to create multiple virtual servers and each listen to different ports and I found that I can only create up to 300 virtual servers due to the limitation of FD_SETSIZE. In this case I will need to have more than 300 servers running which doesn't seem to make much sense.
The normal process is to just create users as "user@realm.org". You can then use one server.
I also consider the option of creating multiple client sections to specify the source IP addresses and the corresponding virtual server. However, I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server.
The reason this is hard is because no one does this. It's a bad design, and will cause all kinds of problems in the future.
I am running out of options and hoping that you may share your experience or suggestions.
Just use realms. It's what people have done for 20+ years.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei@gmail.com> wrote
I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points,
When you ask a question, it helps to describe the problem you're trying to solve. You should give information about the problem, and describe it in detail. It's less useful to give out a little more information with each message. You should also describe the requirements, not your current solution. In many cases, people find some weird way of doing things, and ask "why doesn't this work?" If instead they describe what they want to do, we can propose a simpler / better solution.
the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured.
If the User-Names are just MAC addresses, then put them all into a database, in a custom table. Have one column MAC address. And another column tenant name. You can then get any packet, and look up the MAC address to get the tenant name.
Can I do the following things?
1. Create 10,000 virtual servers each maps to a tenant.
Why do you need 10,000 virtual servers? You haven't said what you're doing with them. Do they all have completely different policies?
2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server.
All of these are possible solutions. They're all bad. What is the *problem* you're trying to solve? Why do you think you need 10,000 virtual servers? What are each of them doing? Alan DeKok.
Hi Alan, Thank you again for replying to my question and sorry for not asking questions properly but focusing only on the problems of my solution. I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address. I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations. I thought that virtual server can help on providing proper data isolation and individual EAP configuration. Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations? Thank you very much. Cecil Alan DeKok <aland@deployingradius.com> 於 2022年6月16日 週四 晚上7:55寫道:
On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei@gmail.com> wrote
I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points,
When you ask a question, it helps to describe the problem you're trying to solve. You should give information about the problem, and describe it in detail.
It's less useful to give out a little more information with each message.
You should also describe the requirements, not your current solution. In many cases, people find some weird way of doing things, and ask "why doesn't this work?" If instead they describe what they want to do, we can propose a simpler / better solution.
the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured.
If the User-Names are just MAC addresses, then put them all into a database, in a custom table. Have one column MAC address. And another column tenant name.
You can then get any packet, and look up the MAC address to get the tenant name.
Can I do the following things?
1. Create 10,000 virtual servers each maps to a tenant.
Why do you need 10,000 virtual servers? You haven't said what you're doing with them. Do they all have completely different policies?
2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server.
All of these are possible solutions. They're all bad.
What is the *problem* you're trying to solve? Why do you think you need 10,000 virtual servers? What are each of them doing?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Cecil, I'm challenged by the same problem. We would like to give tenants full control of their data and also privacy. For the auth based on the MAC address where FR returns the PSK the most convenient solution would be to have just one DB but I'm thinking of splitting it into as many dBs as the number of the tenants, Then the the problem of the query time arises (do we have to go through them sequentially?) and I'm thinking of using a SQL proxy. All of this just in mind, 'cause I never used/configured SQL proxy and I don't know if they help in achieving my goal. In our project for smart devices we will be using realms as others suggested. Alex On Sun, Jun 19, 2022 at 5:51 AM Cecil Wei <cecilwei@gmail.com> wrote:
Hi Alan,
Thank you again for replying to my question and sorry for not asking questions properly but focusing only on the problems of my solution.
I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address.
I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations.
I thought that virtual server can help on providing proper data isolation and individual EAP configuration.
Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations?
Thank you very much.
Cecil
Alan DeKok <aland@deployingradius.com> 於 2022年6月16日 週四 晚上7:55寫道:
On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei@gmail.com> wrote
I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points,
When you ask a question, it helps to describe the problem you're trying to solve. You should give information about the problem, and describe it in detail.
It's less useful to give out a little more information with each message.
You should also describe the requirements, not your current solution. In many cases, people find some weird way of doing things, and ask "why doesn't this work?" If instead they describe what they want to do, we can propose a simpler / better solution.
the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured.
If the User-Names are just MAC addresses, then put them all into a database, in a custom table. Have one column MAC address. And another column tenant name.
You can then get any packet, and look up the MAC address to get the tenant name.
Can I do the following things?
1. Create 10,000 virtual servers each maps to a tenant.
Why do you need 10,000 virtual servers? You haven't said what you're doing with them. Do they all have completely different policies?
2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server.
All of these are possible solutions. They're all bad.
What is the *problem* you're trying to solve? Why do you think you need 10,000 virtual servers? What are each of them doing?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, You can set arbitrary values in client configuration, for example: client tenant-foo-client { ipaddr = 192.0.2.1 … usual stuff ... tenant = foo } Then in your policy you can refer to "%{client:tenant}" to get the string “foo”. You can include this in your SQL queries, or, whatever you are using, to scope the queries to that tenant. That won’t have any of the scaling limitations you are worried about. Virtual servers are really most useful when you want to have completely different policy. For the use cases discussed in this thread, I presume the policy will be the same (or largely the same, where differences can be controlled with simple control statements), so different virtual servers doesn’t make a lot of sense.
On 19/06/2022, at 8:32 PM, Alex Zetaeffesse <fzetafs@gmail.com> wrote:
Hi Cecil,
I'm challenged by the same problem. We would like to give tenants full control of their data and also privacy. For the auth based on the MAC address where FR returns the PSK the most convenient solution would be to have just one DB but I'm thinking of splitting it into as many dBs as the number of the tenants, Then the the problem of the query time arises (do we have to go through them sequentially?) and I'm thinking of using a SQL proxy. All of this just in mind, 'cause I never used/configured SQL proxy and I don't know if they help in achieving my goal. In our project for smart devices we will be using realms as others suggested.
Alex
On Sun, Jun 19, 2022 at 5:51 AM Cecil Wei <cecilwei@gmail.com> wrote:
Hi Alan,
Thank you again for replying to my question and sorry for not asking questions properly but focusing only on the problems of my solution.
I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address.
I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations.
I thought that virtual server can help on providing proper data isolation and individual EAP configuration.
Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations?
Thank you very much.
Cecil
Alan DeKok <aland@deployingradius.com> 於 2022年6月16日 週四 晚上7:55寫道:
On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei@gmail.com> wrote
I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points,
When you ask a question, it helps to describe the problem you're trying to solve. You should give information about the problem, and describe it in detail.
It's less useful to give out a little more information with each message.
You should also describe the requirements, not your current solution. In many cases, people find some weird way of doing things, and ask "why doesn't this work?" If instead they describe what they want to do, we can propose a simpler / better solution.
the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured.
If the User-Names are just MAC addresses, then put them all into a database, in a custom table. Have one column MAC address. And another column tenant name.
You can then get any packet, and look up the MAC address to get the tenant name.
Can I do the following things?
1. Create 10,000 virtual servers each maps to a tenant.
Why do you need 10,000 virtual servers? You haven't said what you're doing with them. Do they all have completely different policies?
2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server.
All of these are possible solutions. They're all bad.
What is the *problem* you're trying to solve? Why do you think you need 10,000 virtual servers? What are each of them doing?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 19, 2022, at 4:32 AM, Alex Zetaeffesse <fzetafs@gmail.com> wrote:
I'm challenged by the same problem. We would like to give tenants full control of their data and also privacy.
This is what databases are for. Put different tenants into different database tables. Many complex RADIUS problems are really database problems. Once you decide how to represent the data, the RADIUS configuration is trivial.
For the auth based on the MAC address where FR returns the PSK the most convenient solution would be to have just one DB but I'm thinking of splitting it into as many dBs as the number of the tenants,
Why? My comments to Cecil also apply here. Trying random solutions is a guaranteed way to disaster.
Then the the problem of the query time arises (do we have to go through them sequentially?) and I'm thinking of using a SQL proxy. All of this just in mind, 'cause I never used/configured SQL proxy and I don't know if they help in achieving my goal. In our project for smart devices we will be using realms as others suggested.
Nathan's suggestion may work here. But only if each tenant has their own RADIUS client IP. It's impossible to give advice in these situations, because the questions are too vague: Q: I want to do stuff. How do I do I configure FreeRADIUS? A: I have no idea. What stuff do you want to do? One common response here is to either to argue, or to give up. I suggest instead working towards a solution, by answering the following questions: 1. Can the same MAC appear in different tenants? If so, how do you tell the tenants apart (see below...) 2. Are there multiple tenants behind one RADIUS proxy? 4. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark) Answering those questions will let you *begin* coming up with a solution. Note that all of the questions involving figuring out what's going on. And looking at the RADIUS packets / debug output of the server. I've never understood why people think they can design or debug a complex RADIUS system without ever looking at what's actually going on. It's like asking a mechanic to fix your car, and hours later discovering that he's not even looked at it. Instead, he's spent all that time online looking at videos of similar cars. It makes zero sense. Alan DeKok.
Hi Alan, Despite having a similar project I guess it's better to have a different thread in the ML for my project. I had actually started a differentone; shall I continue that one, providing the correct answers to your questions? Alex On Sun, Jun 19, 2022 at 3:07 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 19, 2022, at 4:32 AM, Alex Zetaeffesse <fzetafs@gmail.com> wrote:
I'm challenged by the same problem. We would like to give tenants full control of their data and also privacy.
This is what databases are for. Put different tenants into different database tables.
Many complex RADIUS problems are really database problems. Once you decide how to represent the data, the RADIUS configuration is trivial.
For the auth based on the MAC address where FR returns the PSK the most convenient solution would be to have just one DB but I'm thinking of splitting it into as many dBs as the number of the tenants,
Why? My comments to Cecil also apply here. Trying random solutions is a guaranteed way to disaster.
Then the the problem of the query time arises (do we have to go through them sequentially?) and I'm thinking of using a SQL proxy. All of this just in mind, 'cause I never used/configured SQL proxy and I don't know if they help in achieving my goal. In our project for smart devices we will be using realms as others suggested.
Nathan's suggestion may work here. But only if each tenant has their own RADIUS client IP.
It's impossible to give advice in these situations, because the questions are too vague:
Q: I want to do stuff. How do I do I configure FreeRADIUS?
A: I have no idea. What stuff do you want to do?
One common response here is to either to argue, or to give up. I suggest instead working towards a solution, by answering the following questions:
1. Can the same MAC appear in different tenants? If so, how do you tell the tenants apart (see below...)
2. Are there multiple tenants behind one RADIUS proxy?
4. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark)
Answering those questions will let you *begin* coming up with a solution.
Note that all of the questions involving figuring out what's going on. And looking at the RADIUS packets / debug output of the server.
I've never understood why people think they can design or debug a complex RADIUS system without ever looking at what's actually going on. It's like asking a mechanic to fix your car, and hours later discovering that he's not even looked at it. Instead, he's spent all that time online looking at videos of similar cars. It makes zero sense.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 20, 2022, at 10:49 AM, Alex Zetaeffesse <fzetafs@gmail.com> wrote:
Hi Alan,
Despite having a similar project I guess it's better to have a different thread in the ML for my project. I had actually started a differentone; shall I continue that one, providing the correct answers to your questions?
Yes, thanks. Alan DeKok.
On Jun 18, 2022, at 11:51 PM, Cecil Wei <cecilwei@gmail.com> wrote:
I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address.
You're going to have a very hard time building this. The first reason is because you've promised people a solution, without understanding the problem (or what's possible). The second is because I asked specific, and detailed questions about what your needs were. Those questions were ignored. I'm trying to understand what the requirements are, in order to help you. By not answering, you're not working towards a solution.
I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations.
So instead of understanding the problem, you're going to try another random solution. Which may or may not help. But you're not sure.
I thought that virtual server can help on providing proper data isolation and individual EAP configuration.
The virtual server documentation makes it clear what virtual servers are for. You can read the documentation to see whether or not you need different virtual servers.
Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations?
Understand the problem. Read the documentation. When you ask for help, do what people say. You need to take a step back, write down the requirements, write down what's possible, and then try to *understand* what's going on. You're just not going to solve anything by changing random things in random configuration files. Alan DeKok.
This is a pretty big project. I suspect, these are paying subscribers. Not some type of open net work to provide free Internet to the masses. In this particular case, I would suggest you actually pay for support from the commercial side of free radius. They can design you a pretty good solution. Although I’ve never used them for support, a couple of my clients have. They cannot say enough about the support they receive. It’s all been positive. I am willing to bet you the money you spend on initial consult plus a year of support will save you much much more then the time that you’re going to need to get this project going. Now, to your original problem. Can free radius do what you want to? Yes. How do you do that? Well, there are a lot more questions you’re gonna have to ask before you get a good answer on that. Not trying to me mean or snarky here. I’ve just gotten to the point where my time is very valuable. I guess that comes with becoming an old fart. Pay someone to help you designed this. You will have a lot less headaches and be happier at the end. John On Sun, Jun 19, 2022 at 08:56 Alan DeKok <aland@deployingradius.com> wrote:
On Jun 18, 2022, at 11:51 PM, Cecil Wei <cecilwei@gmail.com> wrote:
I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address.
You're going to have a very hard time building this. The first reason is because you've promised people a solution, without understanding the problem (or what's possible). The second is because I asked specific, and detailed questions about what your needs were. Those questions were ignored.
I'm trying to understand what the requirements are, in order to help you. By not answering, you're not working towards a solution.
I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations.
So instead of understanding the problem, you're going to try another random solution. Which may or may not help. But you're not sure.
I thought that virtual server can help on providing proper data isolation and individual EAP configuration.
The virtual server documentation makes it clear what virtual servers are for. You can read the documentation to see whether or not you need different virtual servers.
Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations?
Understand the problem. Read the documentation. When you ask for help, do what people say.
You need to take a step back, write down the requirements, write down what's possible, and then try to *understand* what's going on. You're just not going to solve anything by changing random things in random configuration files.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, Thanks again for your reply. May I start by answering the questions that you mentioned? The requirement is to identify tenants of RADIUS requests from devices made by different vendors (Cisco, 1. Can the same MAC appear in different tenants? Yes, we don't plan to add restrictions on this. 2. Are there multiple tenants behind one RADIUS proxy? There will be no radius proxy in front of freeradius server. 3. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark) We want our service to be vendor agnostic. So it’s preferable to identify tenant without specific attributes in Access-Request 4. An individual shared secret for each tenant for security concerns. Hoping I am providing enough details for my needs. Thank you very much. Cecil Alan DeKok <aland@deployingradius.com> 於 2022年6月19日 週日 晚上8:57寫道:
On Jun 18, 2022, at 11:51 PM, Cecil Wei <cecilwei@gmail.com> wrote:
I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address.
You're going to have a very hard time building this. The first reason is because you've promised people a solution, without understanding the problem (or what's possible). The second is because I asked specific, and detailed questions about what your needs were. Those questions were ignored.
I'm trying to understand what the requirements are, in order to help you. By not answering, you're not working towards a solution.
I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations.
So instead of understanding the problem, you're going to try another random solution. Which may or may not help. But you're not sure.
I thought that virtual server can help on providing proper data isolation and individual EAP configuration.
The virtual server documentation makes it clear what virtual servers are for. You can read the documentation to see whether or not you need different virtual servers.
Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations?
Understand the problem. Read the documentation. When you ask for help, do what people say.
You need to take a step back, write down the requirements, write down what's possible, and then try to *understand* what's going on. You're just not going to solve anything by changing random things in random configuration files.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 20, 2022, at 10:45 AM, Cecil Wei <cecilwei@gmail.com> wrote:
Thanks again for your reply. May I start by answering the questions that you mentioned?
That's good.
The requirement is to identify tenants of RADIUS requests from devices made by different vendors (Cisco,
OK. The vendor information is in the MAC address, but it's fine to ignore that.
1. Can the same MAC appear in different tenants?
Yes, we don't plan to add restrictions on this.
OK.
2. Are there multiple tenants behind one RADIUS proxy?
There will be no radius proxy in front of freeradius server.
You previously said:
I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server.
So which is it?
3. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark)
We want our service to be vendor agnostic. So it’s preferable to identify tenant without specific attributes in Access-Request
That's not really a good approach. a) have a unique client (or set of clients) for each tenant, and then key off the "client" section to get a tenant ID b) look in the RADIUS packets to see how you can tell tenants apart (NAS-Identifier with host name, etc.) Those are your choices. Pick (a), (b), or some combination of (a) and (b).
4. An individual shared secret for each tenant for security concerns.
The clients.conf file takes care of that. The problem here is that you're trying to make RADIUS fit your requirements. This is impossible. The RADIUS equipment from Cisco, etc. has a certain behavior. No amount of wishful thinking will make it do anything else. i.e. you don't have a set of requirements that you invented. Throw those away, and stop thinking about them. Instead, you have a set of *restrictions*. What the RADIUS clients can do, what's in the packets, etc. You have to come up with a solution which fits within those restrictions. On top of that, your requirements are changing and contradictory. Which is not just confusing, those changes make it impossible to give you any reasonable advice. If there's no proxies, then just put a tenant field into each "client" definition, as Nathan suggested. It's that easy. If there are proxies, then you MUST look at the packets. You CANNOT say "Oh, I want to ignore the packet contents". It's wrong, and it won't work. Alan DeKok.
Hi Alan, Alan DeKok <aland@deployingradius.com> 於 2022年6月20日 週一 晚上11:07寫道:
2. Are there multiple tenants behind one RADIUS proxy?
There will be no radius proxy in front of freeradius server.
You previously said:
I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server.
So which is it?
We are actually supporting our own devices (behind proxy) and equipments from other vendors. For requests from our own devices, I now know that I can do tenant lookup with our own VSA.
3. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark)
We want our service to be vendor agnostic. So it’s preferable to identify tenant without specific attributes in Access-Request
That's not really a good approach.
a) have a unique client (or set of clients) for each tenant, and then key off the "client" section to get a tenant ID
b) look in the RADIUS packets to see how you can tell tenants apart (NAS-Identifier with host name, etc.)
Those are your choices. Pick (a), (b), or some combination of (a) and (b).
4. An individual shared secret for each tenant for security concerns.
The clients.conf file takes care of that.
I read the documentation of client.conf for what needs to be included in a client section. If I understand it correctly, to have individual shared secret for each tenant, I would also need to specify unique source IP address (ranges) of the incoming requests. Option (b) alone is not sufficient. Could you help to see if this is correct or not? Thank you. Cecil
On Jun 20, 2022, at 12:16 PM, Cecil Wei <cecilwei@gmail.com> wrote:
We are actually supporting our own devices (behind proxy) and equipments from other vendors. For requests from our own devices, I now know that I can do tenant lookup with our own VSA.
This is just not appropriate. Every message contains a little bit of extra information. Which means any advice I give needs to change. What would be polite is to accurately describe your scenario and requirements at the start. The more you waste everyones time by giving wrong or inaccurate information, the harder it is for people to help you.
I read the documentation of client.conf for what needs to be included in a client section. If I understand it correctly, to have individual shared secret for each tenant, I would also need to specify unique source IP address (ranges) of the incoming requests. Option (b) alone is not sufficient.
Could you help to see if this is correct or not? Thank you.
I suggest figuring it out yourself. You're running the proxy, so you can do whatever you want there. Alan DeKok.
On 20.06.22 18:16, Cecil Wei wrote:
Hi Alan,
Alan DeKok <aland@deployingradius.com> 於 2022年6月20日 週一 晚上11:07寫道:
2. Are there multiple tenants behind one RADIUS proxy?
There will be no radius proxy in front of freeradius server. You previously said:
I don't seem to find a way to identify tenants if the incoming traffic is from the same proxy server. So which is it?
We are actually supporting our own devices (behind proxy) and equipments from other vendors. For requests from our own devices, I now know that I can do tenant lookup with our own VSA.
3. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other? (i.e. run the server in debug mode, or use wireshark)
We want our service to be vendor agnostic. So it’s preferable to identify tenant without specific attributes in Access-Request That's not really a good approach.
a) have a unique client (or set of clients) for each tenant, and then key off the "client" section to get a tenant ID
b) look in the RADIUS packets to see how you can tell tenants apart (NAS-Identifier with host name, etc.)
Those are your choices. Pick (a), (b), or some combination of (a) and (b).
4. An individual shared secret for each tenant for security concerns. The clients.conf file takes care of that.
I read the documentation of client.conf for what needs to be included in a client section. If I understand it correctly, to have individual shared secret for each tenant, I would also need to specify unique source IP address (ranges) of the incoming requests. Option (b) alone is not sufficient.
Yes. shared secrets go into the clients.conf. You have the option to use a database if you have more clients. This is more manageble for more clients. You also have the (advanced!) option to use dynamic client definition. To get an idea what you can do, see: https://blog.sys4.de/freeradius-clients-netbox-en.html
Could you help to see if this is correct or not? Thank you.
Cecil - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
participants (6)
-
Alan DeKok -
Alex Zetaeffesse -
Cecil Wei -
John Alcock -
Michael Schwartzkopff -
Nathan Ward