Multi-tenancy support

Alan DeKok aland at deployingradius.com
Thu Jun 16 11:55:32 UTC 2022


On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei at gmail.com> wrote:
> I am still very new to freeradius so correct me if I am wrong. If I am
> doing MAC authentication from access points,

  When you ask a question, it helps to describe the problem you're trying to solve.  You should give information about the problem, and describe it in detail.

  It's less useful to give out a little more information with each message.

  You should also describe the requirements, not your current solution.  In many cases, people find some weird way of doing things, and ask "why doesn't this work?"  If instead they describe what they want to do, we can propose a simpler / better solution.

> the chances are the username
> will not be available in the request and we would just look into the user
> file and see if the MAC address (Calling-Station-Id) is registered or not.
> In this scenario, I don't seem to have anything to identify the realm of
> the incoming request. This is the reason why I am thinking of using client
> section with source IP address mapping with virtual server. I don't really
> think this is a good idea as well because we will need to make sure the ip
> addresses are not overlapping or incorrectly configured.

  If the User-Names are just MAC addresses, then put them all into a database, in a custom table.  Have one column MAC address.  And another column tenant name.

  You can then get any packet, and look up the MAC address to get the tenant name.

> Can I do the following things?
> 
> 1. Create 10,000 virtual servers each maps to a tenant.

  Why do you need 10,000 virtual servers?  You haven't said what you're doing with them.  Do they all have completely different policies?

> 2. Create 10,000 client sections with separate ip addresses and associate
> them to corresponding virtual server.
> 3. Create 10,000 realm sections with tenantId and associate them to
> corresponding virtual server.

  All of these are possible solutions.  They're all bad.

  What is the *problem* you're trying to solve?  Why do you think you need 10,000 virtual servers?  What are each of them doing?

  Alan DeKok.
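
The MAC-to-tenant table suggested in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code. It assumes SQLite, a hypothetical table `mac_tenant` and hypothetical helper names, and goes one step beyond the text by normalizing the different MAC formats a Calling-Station-Id can arrive in before the lookup.

```python
import re
import sqlite3

# Hypothetical schema: one column for the MAC address, one for the tenant name.
SCHEMA = """
CREATE TABLE mac_tenant (
    mac    TEXT PRIMARY KEY,   -- canonical form: 12 lowercase hex digits
    tenant TEXT NOT NULL
)
"""

_SEPARATORS = re.compile(r"[-:.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Reduce a Calling-Station-Id to 12 lowercase hex digits, or None if malformed."""
    digits = _SEPARATORS.sub("", value.strip().lower())
    return digits if _HEX12.fullmatch(digits) else None


def register(db, mac, tenant):
    """Store a MAC in canonical form; the primary key allows one tenant per MAC."""
    canonical = normalize_mac(mac)
    if canonical is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    db.execute("INSERT INTO mac_tenant (mac, tenant) VALUES (?, ?)", (canonical, tenant))


def tenant_for(db, calling_station_id):
    """Return the tenant name for a request's Calling-Station-Id, or None if unknown."""
    canonical = normalize_mac(calling_station_id)
    if canonical is None:
        return None  # malformed input never reaches the query
    row = db.execute(
        "SELECT tenant FROM mac_tenant WHERE mac = ?", (canonical,)
    ).fetchone()
    return row[0] if row else None


def build_sample_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    register(db, "00-11-22-AA-BB-CC", "tenant-a")
    register(db, "00:11:22:dd:ee:ff", "tenant-b")
    return db
```

Because the MAC is the primary key, a second registration of the same address under another tenant fails instead of making the mapping ambiguous.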


