802.1x/iPSK DB access delegation.

Alex Zetaeffesse fzetafs at gmail.com
Thu May 12 17:13:50 UTC 2022


Sorry for resuming this thread but I resumed working on this project too.
Each company may use PEAP (not really the best I know) or EAP-TLS (or TTLS)
for smart devices and iPSK (MAC addr as username and the RADIUS returns the
PSK) for IoT devices.
As to the CRL my understanding is that the CRL must be concatenated to the
CA or the CA chain.
And whenever a cert is revoked the CRL must be updated and the FR instance
restarted.
Things from this standpoint haven't changed so far, have they?

So if each company wants to manage their own devices independently we must
have one FR instance per company.
I guess it's possible to run different FR instances on the same host though
using docker would be a more elegant solution.

Eventually there will be as many FR instances as the tenants for Smart
Devices, one possible DB for IoT devices (one table per tenant?) and as
many CRLs as the number of tenants.


Alex

On Wed, Dec 29, 2021 at 4:51 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 29, 2021, at 10:15 AM, Alex Zetaeffesse <fzetafs at gmail.com> wrote:
> > I didn't know FR could query different sources of
> > authentication/authorization sequentially (especially if tables are on
> > different servers) but I guess that would introduce a lag in the response
> > time back to the NAS
>
>   Yes.
>
>   FR can do pretty much anything.  It's just that you usually don't want
> to do many queries.  It's inefficient, and slow.
>
> > Maybe a SQL proxy (that's on my side)? Then the first reply would be
> > served. And uh by writing this I realized I could expose the service to a
> > potential DoS for specific MAC addresses.
> > Ok, much better a single table in a single DB where checks before
> storing a
> > record can be done simply and quickly!
>
>   Exactly.
>
>   Also, the table used by FR doesn't have to be the same ones used by the
> web tool.  You can create views, foreign keys, etc.
>
>   The point is that the DB used by FreeRADIUS should be (a) local, and (b)
> fast.
>
>   Alan DeKok.
>


More information about the Freeradius-Users mailing list
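An added illustration, not from this thread or from the FreeRADIUS project, of the "single table in a single local DB" design discussed above, in Python with an in-memory SQLite database. The table and view names, the MAC-normalisation rule and the sample tenants are assumptions; the view stands in for whatever query the server's SQL module would run. It shows the enrolment-side check that makes one MAC belong to exactly one tenant, and a lookup that tolerates the different MAC formats a NAS may send as User-Name.

```python
import re
import sqlite3

# Constructed schema: one tenant table, one device table, one view for RADIUS.
SCHEMA = """
CREATE TABLE tenant (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE ipsk_device (
    mac       TEXT PRIMARY KEY,  -- a MAC can be claimed by exactly one tenant
    tenant_id INTEGER NOT NULL REFERENCES tenant(id),
    psk       TEXT NOT NULL CHECK (length(psk) BETWEEN 8 AND 63)
);
CREATE VIEW radius_ipsk AS SELECT mac AS username, psk FROM ipsk_device;
"""

def normalize_mac(raw: str) -> str:
    """Canonicalise MAC forms a NAS may send as User-Name (aa:bb.., AA-BB.., aabb.ccdd.eeff, AABBCCDDEEFF)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def enroll(conn: sqlite3.Connection, tenant: str, mac: str, psk: str) -> bool:
    """Web-tool side: store a device; False if the MAC is already owned or the PSK length is invalid."""
    conn.execute("INSERT OR IGNORE INTO tenant(name) VALUES (?)", (tenant,))
    try:
        conn.execute("INSERT INTO ipsk_device(mac, tenant_id, psk) "
                     "SELECT ?, id, ? FROM tenant WHERE name = ?",
                     (normalize_mac(mac), psk, tenant))
    except sqlite3.IntegrityError:
        return False
    return True

def lookup_psk(conn: sqlite3.Connection, username: str):
    """RADIUS side: one indexed query against the view; None means Access-Reject."""
    try:
        mac = normalize_mac(username)
    except ValueError:
        return None
    row = conn.execute("SELECT psk FROM radius_ipsk WHERE username = ?", (mac,)).fetchone()
    return row[0] if row else None
```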