Hi Alan, Thank you again for replying to my question and sorry for not asking questions properly but focusing only on the problems of my solution. I am trying to build a platform that provides MAC authentication service to multiple organizations. There will be a captive portal for end user to register their device MAC address. The administrator of an organization can also upload a list of MAC addresses to the database. It might be possible that the same user MAC address appears in multiple organizations. In this case multiple tenants might be selected if we lookup by MAC address. I am also thinking of providing EAP authentication to multiple organizations and allow them to have their own root certificate. My understanding for this requirement is that I will need to create multiple EAP configurations. I thought that virtual server can help on providing proper data isolation and individual EAP configuration. Could you share some best practices for the problems I mentioned above if there are over 10,000 organizations? Thank you very much. Cecil Alan DeKok <aland@deployingradius.com> 於 2022年6月16日 週四 晚上7:55寫道:
On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei@gmail.com> wrote
I am still very new to freeradius so correct me if I am wrong. If I am doing MAC authentication from access points,
When you ask a question, it helps to describe the problem you're trying to solve. You should give information about the problem, and describe it in detail.
It's less useful to give out a little more information with each message.
You should also describe the requirements, not your current solution. In many cases, people find some weird way of doing things, and ask "why doesn't this work?" If instead they describe what they want to do, we can propose a simpler / better solution.
the chances are the username will not be available in the request and we would just look into the user file and see if the MAC address (Calling-Station-Id) is registered or not. In this scenario, I don't seem to have anything to identify the realm of the incoming request. This is the reason why I am thinking of using client section with source IP address mapping with virtual server. I don't really think this is a good idea as well because we will need to make sure the ip addresses are not overlapping or incorrectly configured.
If the User-Names are just MAC addresses, then put them all into a database, in a custom table. Have one column MAC address. And another column tenant name.
You can then get any packet, and look up the MAC address to get the tenant name.
Can I do the following things?
1. Create 10,000 virtual servers each maps to a tenant.
Why do you need 10,000 virtual servers? You haven't said what you're doing with them. Do they all have completely different policies?
2. Create 10,000 client sections with separate ip addresses and associate them to corresponding virtual server. 3. Create 10,000 realm sections with tenantId and associate them to corresponding virtual server.
All of these are possible solutions. They're all bad.
What is the *problem* you're trying to solve? Why do you think you need 10,000 virtual servers? What are each of them doing?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html