Multi-tenancy support

Cecil Wei cecilwei at gmail.com
Mon Jun 20 16:16:03 UTC 2022


Hi Alan,

Alan DeKok <aland at deployingradius.com> 於 2022年6月20日 週一 晚上11:07寫道:

> > 2. Are there multiple tenants behind one RADIUS proxy?
> >
> > There will be no radius proxy in front of freeradius server.
>
>   You previously said:
>
> >> I don't seem to find a way to identify tenants if the incoming traffic is
> >> from the same proxy server.
>
>   So which is it?
>

We are actually supporting our own devices (behind proxy) and
equipments from other vendors. For requests from our own devices, I
now know that I can do tenant lookup with our own VSA.

> > 3. Is there anything in the Access-Request packets which lets you
> > distinguish one tenant from each other?  (i.e. run the server in debug
> > mode, or use wireshark)
> >
> > We want our service to be vendor agnostic. So it’s preferable to identify
> > tenant without specific attributes in Access-Request
>
>   That's not really a good approach.
>
> a) have a unique client (or set of clients) for each tenant, and then key off the "client" section to get a tenant ID
>
> b) look in the RADIUS packets to see how you can tell tenants apart (NAS-Identifier with host name, etc.)
>
>   Those are your choices.  Pick (a), (b), or some combination of (a) and (b).
>
> > 4. An individual shared secret for each tenant for security concerns.
>
>   The clients.conf file takes care of that.
>

I read the documentation of client.conf for what needs to be included
in a client section. If I understand it correctly, to have individual
shared secret for each tenant, I would also need to specify unique
source IP address (ranges) of the incoming requests. Option (b) alone
is not sufficient.

Could you help to see if this is correct or not? Thank you.

Cecil


More information about the Freeradius-Users mailing list