Multi-tenancy support
Alex Zetaeffesse
fzetafs at gmail.com
Mon Jun 20 14:49:46 UTC 2022
Hi Alan,
Despite having a similar project I guess it's better to have a different
thread in the ML for my project.
I had actually started a different one; shall I continue that one, providing
the correct answers to your questions?
Alex
On Sun, Jun 19, 2022 at 3:07 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Jun 19, 2022, at 4:32 AM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> > I'm challenged by the same problem. We would like to give tenants full
> > control of their data and also privacy.
>
> This is what databases are for. Put different tenants into different
> database tables.
>
> Many complex RADIUS problems are really database problems. Once you
> decide how to represent the data, the RADIUS configuration is trivial.
>
> > For the auth based on the MAC address where FR returns the PSK the most
> > convenient solution would be to have just one DB but I'm thinking of
> > splitting it into as many DBs as the number of the tenants,
>
> Why? My comments to Cecil also apply here. Trying random solutions is
> a guaranteed way to disaster.
>
> > Then the
> > problem of the query time arises (do we have to go through them
> > sequentially?) and I'm thinking of using a SQL proxy.
> > All of this just in mind, 'cause I never used/configured SQL proxy and I
> > don't know if they help in achieving my goal.
> > In our project for smart devices we will be using realms as others
> > suggested.
>
> Nathan's suggestion may work here. But only if each tenant has their
> own RADIUS client IP.
>
> It's impossible to give advice in these situations, because the
> questions are too vague:
>
> Q: I want to do stuff. How do I configure FreeRADIUS?
>
> A: I have no idea. What stuff do you want to do?
>
> One common response here is either to argue, or to give up. I
> suggest instead working towards a solution, by answering the following
> questions:
>
> 1. Can the same MAC appear in different tenants? If so, how do you tell
> the tenants apart (see below...)
>
> 2. Are there multiple tenants behind one RADIUS proxy?
>
> 4. Is there anything in the Access-Request packets which lets you
> distinguish one tenant from another? (i.e. run the server in debug
> mode, or use wireshark)
>
> Answering those questions will let you *begin* coming up with a solution.
>
> Note that all of the questions involve figuring out what's going on.
> And looking at the RADIUS packets / debug output of the server.
>
> I've never understood why people think they can design or debug a
> complex RADIUS system without ever looking at what's actually going on.
> It's like asking a mechanic to fix your car, and hours later discovering
> that he's not even looked at it. Instead, he's spent all that time online
> looking at videos of similar cars. It makes zero sense.
>
> Alan DeKok.
>