Multi-tenancy support

Michael Schwartzkopff ms at sys4.de
Mon Jun 20 16:30:11 UTC 2022


On 20.06.22 18:16, Cecil Wei wrote:
> Hi Alan,
>
> Alan DeKok <aland at deployingradius.com> 於 2022年6月20日 週一 晚上11:07寫道:
>
>>> 2. Are there multiple tenants behind one RADIUS proxy?
>>>
>>> There will be no radius proxy in front of freeradius server.
>>    You previously said:
>>
>>>> I don't seem to find a way to identify tenants if the incoming traffic is
>>>> from the same proxy server.
>>    So which is it?
>>
> We are actually supporting our own devices (behind proxy) and
> equipments from other vendors. For requests from our own devices, I
> now know that I can do tenant lookup with our own VSA.
>
>>> 3. Is there anything in the Access-Request packets which lets you
>>> distinguish one tenant from each other?  (i.e. run the server in debug
>>> mode, or use wireshark)
>>>
>>> We want our service to be vendor agnostic. So it’s preferable to identify
>>> tenant without specific attributes in Access-Request
>>    That's not really a good approach.
>>
>> a) have a unique client (or set of clients) for each tenant, and then key off the "client" section to get a tenant ID
>>
>> b) look in the RADIUS packets to see how you can tell tenants apart (NAS-Identifier with host name, etc.)
>>
>>    Those are your choices.  Pick (a), (b), or some combination of (a) and (b).
>>
>>> 4. An individual shared secret for each tenant for security concerns.
>>    The clients.conf file takes care of that.
>>
> I read the documentation of client.conf for what needs to be included
> in a client section. If I understand it correctly, to have individual
> shared secret for each tenant, I would also need to specify unique
> source IP address (ranges) of the incoming requests. Option (b) alone
> is not sufficient.

Yes. Shared secrets go into the clients.conf.

You have the option to use a database if you have more clients. This is 
more manageable for more clients.

You also have the (advanced!) option to use dynamic client definition. 
To get an idea what you can do, see: 
https://blog.sys4.de/freeradius-clients-netbox-en.html


> Could you help to see if this is correct or not? Thank you.
>
> Cecil
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Kind regards,

-- 

sys4 AG
  
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
  
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
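The thread's conclusion, written out as an added configuration example (this is not configuration from the list posting, from Cecil, or from Michael, and it is not part of the FreeRADIUS distribution): FreeRADIUS selects the shared secret by the source address of the incoming packet before it can decode any attribute, so a per-tenant secret (option (a)) needs a per-tenant `client` entry keyed on an address or range, while option (b) only works once the packet has already been authenticated against some client's secret. The addresses are RFC 5737 documentation ranges, the secrets are placeholders, the `tenant` item is an extra key/value pair added to the client section, and the `%{client:tenant}` expansion and `Tmp-String-0` attribute are FreeRADIUS 3.x features as this example assumes them.

```conf
# --- clients.conf ---------------------------------------------------------
# Added example, not from the original thread. One client block per tenant:
# the block whose ipaddr matches the packet's source chooses the secret,
# so two tenants can never share a block if they need different secrets.

client tenant_acme_nas {
    ipaddr    = 192.0.2.0/24          # constructed documentation range
    secret    = "REPLACE-WITH-LONG-RANDOM-SECRET-ACME"   # placeholder, unique per tenant
    shortname = acme-nas
    tenant    = acme                  # custom item, read back as %{client:tenant}
}

client tenant_globex_nas {
    ipaddr    = 198.51.100.10         # constructed single host
    secret    = "REPLACE-WITH-LONG-RANDOM-SECRET-GLOBEX"
    shortname = globex-nas
    tenant    = globex
}

# A catch-all with one shared secret would defeat option (a): every tenant
# on the range would authenticate with the same key, and a packet forged
# from inside that range could not be attributed to a tenant.
# client any_nas { ipaddr = 0.0.0.0/0 ... }   <- deliberately not used

# --- sites-enabled/default, authorize section (fragment) -----------------
# Derive a tenant id early so later policy (SQL lookup, rejects, logging)
# can key off a single attribute. Tmp-String-0 is an internal attribute
# that is never sent back to the NAS.
authorize {
    # Option (a): the client section already knows the tenant.
    if ("%{client:tenant}" != "") {
        update control {
            Tmp-String-0 := "%{client:tenant}"
        }
    }
    # Option (b): fall back to what the packet carries, e.g. the first
    # label of a NAS-Identifier such as "acme.nas01". Only trustworthy
    # because the packet already passed the client's secret check.
    elsif (NAS-Identifier =~ /^([A-Za-z0-9-]+)\./) {
        update control {
            Tmp-String-0 := "%{1}"
        }
    }
    else {
        # Neither source address nor packet identifies a tenant: log and reject
        # rather than falling through to a default tenant.
        update control {
            Auth-Type := Reject
        }
    }

    # ... remaining authorize modules (sql, files, eap, ...) can now use
    # "%{control:Tmp-String-0}" as the tenant key.
}
```

If the number of tenants grows, the same `tenant` item can live in the SQL or dynamic-client definition that Michael mentions instead of a static clients.conf, and the authorize fragment does not change; the rule that distinct secrets require distinct client entries keyed on source address stays the same in either backend.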


