Multi-tenancy support

[Cecil Wei]

Hi Alan,

Thanks again for your reply. May I start by answering the questions that
you mentioned?

The requirement is to identify tenants of RADIUS requests from devices made
by different vendors (Cisco,

1. Can the same MAC appear in different tenants?

Yes, we don't plan to add restrictions on this.

2. Are there multiple tenants behind one RADIUS proxy?

There will be no radius proxy in front of freeradius server.

3. Is there anything in the Access-Request packets which lets you
distinguish one tenant from each other?  (i.e. run the server in debug
mode, or use wireshark)

We want our service to be vendor agnostic. So it’s preferable to identify
tenant without specific attributes in Access-Request

4. An individual shared secret for each tenant for security concerns.

Hoping I am providing enough details for my needs. Thank you very much.

Cecil


Alan DeKok <aland at deployingradius.com> 於 2022年6月19日 週日 晚上8:57寫道：

> On Jun 18, 2022, at 11:51 PM, Cecil Wei <cecilwei at gmail.com> wrote:
> > I am trying to build a platform that provides MAC authentication service
> to
> > multiple organizations. There will be a captive portal for end user to
> > register their device MAC address. The administrator of an organization
> can
> > also upload a list of MAC addresses to the database. It might be possible
> > that the same user MAC address appears in multiple organizations. In this
> > case multiple tenants might be selected if we lookup by MAC address.
>
>   You're going to have a very hard time building this.  The first reason
> is because you've promised people a solution, without understanding the
> problem (or what's possible).  The second is because I asked specific, and
> detailed questions about what your needs were.  Those questions were
> ignored.
>
>   I'm trying to understand what the requirements are, in order to help
> you.  By not answering, you're not working towards a solution.
>
> > I am also thinking of providing EAP authentication to multiple
> > organizations and allow them to have their own root certificate. My
> > understanding for this requirement is that I will need to create multiple
> > EAP configurations.
>
>   So instead of understanding the problem, you're going to try another
> random solution.  Which may or may not help.  But you're not sure.
>
> > I thought that virtual server can help on providing proper data isolation
> > and individual EAP configuration.
>
>   The virtual server documentation makes it clear what virtual servers are
> for.  You can read the documentation to see whether or not you need
> different virtual servers.
>
> > Could you share some best practices for the problems I mentioned above if
> > there are over 10,000 organizations?
>
>   Understand the problem.  Read the documentation.  When you ask for help,
> do what people say.
>
>   You need to take a step back, write down the requirements, write down
> what's possible, and then try to *understand* what's going on.  You're just
> not going to solve anything by changing random things in random
> configuration files.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>