Multi-tenancy support

Nathan Ward lists+freeradius at daork.net
Sun Jun 19 08:41:14 UTC 2022


Hi,

You can set arbitrary values in client configuration, for example:

client tenant-foo-client {
  ipaddr = 192.0.2.1
  … usual stuff ...
  tenant = foo
}

Then in your policy you can refer to "%{client:tenant}" to get the string “foo”.
You can include this in your SQL queries, or, whatever you are using, to scope the queries to that tenant.
That won’t have any of the scaling limitations you are worried about.

Virtual servers are really most useful when you want to have completely different policy. For the use cases discussed in this thread, I presume the policy will be the same (or largely the same, where differences can be controlled with simple control statements), so different virtual servers don't make a lot of sense.

> On 19/06/2022, at 8:32 PM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> 
> Hi Cecil,
> 
> I'm challenged by the same problem. We would like to give tenants full
> control of their data and also privacy.
> For the auth based on the MAC address where FR returns the PSK the most
> convenient solution would be to have just one DB but I'm thinking of
> splitting it into as many DBs as the number of the tenants. Then the
> problem of the query time arises (do we have to go through them
> sequentially?) and I'm thinking of using a SQL proxy.
> All of this just in mind, 'cause I never used/configured SQL proxy and I
> don't know if they help in achieving my goal.
> In our project for smart devices we will be using realms as others
> suggested.
> 
> Alex
> 
> On Sun, Jun 19, 2022 at 5:51 AM Cecil Wei <cecilwei at gmail.com> wrote:
> 
>> Hi Alan,
>> 
>> Thank you again for replying to my question and sorry for not asking
>> questions properly but focusing only on the problems of my solution.
>> 
>> I am trying to build a platform that provides a MAC authentication service to
>> multiple organizations. There will be a captive portal for end users to
>> register their device MAC address. The administrator of an organization can
>> also upload a list of MAC addresses to the database. It might be possible
>> that the same user MAC address appears in multiple organizations. In this
>> case multiple tenants might be selected if we lookup by MAC address.
>> 
>> I am also thinking of providing EAP authentication to multiple
>> organizations and allow them to have their own root certificate. My
>> understanding for this requirement is that I will need to create multiple
>> EAP configurations.
>> 
>> I thought that virtual server can help on providing proper data isolation
>> and individual EAP configuration.
>> 
>> Could you share some best practices for the problems I mentioned above if
>> there are over 10,000 organizations?
>> 
>> Thank you very much.
>> 
>> Cecil
>> 
>> Alan DeKok <aland at deployingradius.com> wrote on Thu, Jun 16, 2022 at 7:55 PM:
>> 
>>> On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei at gmail.com> wrote:
>>>> I am still very new to freeradius so correct me if I am wrong. If I am
>>>> doing MAC authentication from access points,
>>> 
>>>  When you ask a question, it helps to describe the problem you're trying
>>> to solve.  You should give information about the problem, and describe it
>>> in detail.
>>> 
>>>  It's less useful to give out a little more information with each message.
>>> 
>>>  You should also describe the requirements, not your current solution.
>>> In many cases, people find some weird way of doing things, and ask "why
>>> doesn't this work?"  If instead they describe what they want to do, we can
>>> propose a simpler / better solution.
>>> 
>>>> the chances are the username
>>>> will not be available in the request and we would just look into the user
>>>> file and see if the MAC address (Calling-Station-Id) is registered or not.
>>>> In this scenario, I don't seem to have anything to identify the realm of
>>>> the incoming request. This is the reason why I am thinking of using a client
>>>> section with source IP address mapping with virtual server. I don't really
>>>> think this is a good idea as well because we will need to make sure the IP
>>>> addresses are not overlapping or incorrectly configured.
>>> 
>>>  If the User-Names are just MAC addresses, then put them all into a
>>> database, in a custom table.  Have one column MAC address.  And another
>>> column tenant name.
>>> 
>>>  You can then get any packet, and look up the MAC address to get the
>>> tenant name.
>>> 
>>>> Can I do the following things?
>>>> 
>>>> 1. Create 10,000 virtual servers each maps to a tenant.
>>> 
>>>  Why do you need 10,000 virtual servers?  You haven't said what you're
>>> doing with them.  Do they all have completely different policies?
>>> 
>>>> 2. Create 10,000 client sections with separate IP addresses and associate
>>>> them to corresponding virtual server.
>>>> 3. Create 10,000 realm sections with tenantId and associate them to
>>>> corresponding virtual server.
>>> 
>>>  All of these are possible solutions.  They're all bad.
>>> 
>>>  What is the *problem* you're trying to solve?  Why do you think you need
>>> 10,000 virtual servers?  What are each of them doing?
>>> 
>>>  Alan DeKok.
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>> 
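The approach Nathan describes, spelled out end to end as an added example (this is not from the original post and not FreeRADIUS project code): a client block carrying a custom `tenant` option, an authorize policy that refuses requests from any client that was never tagged, and SQL check and reply queries scoped by that tenant. The client names, IP addresses, shared secrets, tenant names and the `tenant` column on `radcheck`/`radreply` are all assumptions made for this example; the stock FreeRADIUS schema has no such column.

```conf
# --- clients.conf ------------------------------------------------------------
# One client block per NAS. "tenant" is not a built-in client option; FreeRADIUS
# 3 keeps unknown options in the client block and exposes them as
# %{client:tenant}. Names, addresses and secrets here are placeholders.
client tenant-foo-ap1 {
	ipaddr = 192.0.2.1
	secret = "replace-me-foo"
	tenant = foo
}

client tenant-bar-ap1 {
	ipaddr = 198.51.100.1
	secret = "replace-me-bar"
	tenant = bar
}

# --- sites-enabled/default, inside server default { ... } --------------------
# For a client with no tenant option, %{client:tenant} expands to the empty
# string, so every untagged NAS would share whatever rows carry an empty
# tenant. Fail closed before any database lookup happens.
authorize {
	if ("%{client:tenant}" == "") {
		reject
	}
	sql
	# ... rest of the existing authorize policy ...
}

# --- mods-config/sql/main/mysql/queries.conf ---------------------------------
# Assumes a "tenant" column was added to radcheck and radreply (not in the
# stock schema), e.g.
#   ALTER TABLE radcheck ADD COLUMN tenant VARCHAR(64) NOT NULL;
#   CREATE INDEX radcheck_username_tenant ON radcheck (username, tenant);
#   ALTER TABLE radreply ADD COLUMN tenant VARCHAR(64) NOT NULL;
#   CREATE INDEX radreply_username_tenant ON radreply (username, tenant);
# The same MAC registered by two tenants yields two rows that differ only in
# tenant, and the client's tenant selects exactly one of them.
authorize_check_query = "\
	SELECT id, username, attribute, value, op \
	FROM ${authcheck_table} \
	WHERE username = '%{SQL-User-Name}' \
	AND tenant = '%{client:tenant}' \
	ORDER BY id"

# The reply query is the one that hands back the PSK, so it must be scoped
# too; otherwise tenant foo's NAS could receive tenant bar's key for a MAC
# that both have registered.
authorize_reply_query = "\
	SELECT id, username, attribute, value, op \
	FROM ${authreply_table} \
	WHERE username = '%{SQL-User-Name}' \
	AND tenant = '%{client:tenant}' \
	ORDER BY id"
```

This assumes the NAS sends the MAC as User-Name, which is the usual MAC-authentication behaviour; the sql module's `sql_user_name` setting is where to change that if the MAC only arrives in Calling-Station-Id. The tenant string is set by the operator in clients.conf rather than taken from the packet, and rlm_sql applies its escape function to the `%{...}` expansions it places into a query, so the scoping value itself is not a user-controlled injection point; the rows that matter are the ones an administrator uploads, which is why the NOT NULL column and the empty-tenant rejection above both exist.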


