Max listening ports

Alan DeKok aland at deployingradius.com
Thu Nov 13 16:02:00 CET 2014


Kev Pearce wrote:
> My multi-tenancy needs to work like this:
> 
> Each customer gets their own udp port to authenticate to.

  Yes, we got that.  You've said that before.  You should talk about the
PROBLEM, not the IMPLEMENTATION you've created.

  Your solution may very well be wrong.

> They have their own shared secret that applies to all their clients (i.e any
> client that connects to their udp port).

  Yes, they each connect to their own UDP port.  Why?  You don't seem to
be clear on that.

> They can have any client IP address authenticate, use their own shared
> secret and authenticate their own user list (in mysql).

  Did you read my previous message?  You can create unique virtual
servers per client.

> What I have built is a virtual server per customer.

  Customer?  Tenant?  You're using vague terminology.  Be specific.  Who
is doing what and why?

> Each VS has its own listen port and has its own shared secret (using dynamic
> clients read from mysql, looked up by a udp port field).

  You're describing your implementation.  NOT the problem.

> The shared secret is setup using 128.0.0.0/1 and 0.0.0.0/1 CIDR hosts read
> by dynamic clients (as per previous posts I made).
> This then allows any client to auth to that udp port with that customers
> shared secret.

  Could you explain why you need to say 5-6 times "EACH CUSTOMER GETS
THEIR OWN UDP PORT"?

  It's unnecessary and annoying.  It means you either think we're idiots
and don't understand it, OR you're stuck on your implementation, and
REALLY WANT TO TALK ABOUT IT.

> If there is any way to isolate 'lots' of customers so they each have their
> own port and shared secret without lots of separate virtual servers I'd
> definitely be interested.

  No.  I've explained that you DO NOT need to use separate ports.
Instead of listening and trying to understand, you've asked again how to
use multiple ports.

> I use the port as part of my sql queries to authorise users and all this
> works absolutely great.

  Except that you've got to modify the server source because your design
is bad.

  i.e. your design is crap.  It's overly complicated, and unnecessary.

  Can you answer this one simple question:

- do multiple customers use the same RADIUS client IP?

  - YES
  - NO

  Which is it?

  My guess is NO.  In which case your design is massively
over-complicated and unnecessary.

  Are you prepared to think about it?  i.e. pay attention, and have a
response which *doesn't* say 6 times "I HAVE MULTIPLE UDP PORTS" ?

  It's annoying.  You're asking for help and then ignoring the answers.
Read and learn, or stop asking questions.

  Alan DeKok.
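The configuration Alan is pointing at, as an added example that is not part of the thread and not the FreeRADIUS project's own config: a single listen socket, with the tenant selected by the NAS source address in the client definition rather than by a per-tenant UDP port. Addresses, secrets, database names and the tenant names customer_a / customer_b are placeholders chosen for this example; the sql instance settings are the standard rlm_sql options.

```conf
# Added example (not from the thread or the project): one UDP socket for
# every tenant; per-tenant secret and virtual server chosen by client IP.

# sites-enabled/default: a single listen socket shared by all tenants.
listen {
    type   = auth
    ipaddr = *
    port   = 1812
}

# clients.conf: the NAS source address is the tenant discriminator.
# Each client entry carries that tenant's shared secret and names the
# virtual server that holds that tenant's policy.  No per-tenant port.
client customer_a_nas {
    ipaddr         = 192.0.2.10          # placeholder NAS address (RFC 5737)
    secret         = CHANGE_ME_A         # placeholder secret for tenant A
    virtual_server = customer_a
}

client customer_b_nas {
    ipaddr         = 198.51.100.0/24     # a whole NAS range can map to one tenant
    secret         = CHANGE_ME_B         # placeholder secret for tenant B
    virtual_server = customer_b
}

# mods-enabled/sql_customer_a: one sql instance per tenant, each pointing
# at that tenant's own user table, so the virtual server below never sees
# another tenant's users.  (Repeat with different names/databases for B.)
sql sql_customer_a {
    driver     = "rlm_sql_mysql"
    dialect    = "mysql"
    server     = "localhost"
    port       = 3306
    login      = "radius_a"              # placeholder credentials
    password   = "CHANGE_ME"
    radius_db  = "radius_customer_a"     # placeholder database name
    read_clients = no
}

# sites-enabled/customer_a: tenant-specific policy, isolated by the
# client lookup above rather than by a dedicated socket.
server customer_a {
    authorize {
        sql_customer_a
    }
    authenticate {
        pap
    }
}

# sites-enabled/customer_b: same shape, different sql instance.
server customer_b {
    authorize {
        sql_customer_b
    }
    authenticate {
        pap
    }
}
```

This only works if the answer to Alan's yes/no question is NO, i.e. no two tenants send requests from the same NAS IP: the client lookup is keyed on source address, so a shared NAS address cannot be split into two tenants this way. It also keeps the RADIUS client list as an allow-list. The per-port scheme described in the quoted message, which accepts 0.0.0.0/1 and 128.0.0.0/1 as client ranges, leaves the shared secret as the only thing tying a request to a tenant, since any source address is accepted on that port.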
