Is it possible to proxy a request to a second radius server if the first one rejects the request?

ngoetz24 at ngoetz24 at
Fri Jan 10 07:01:39 CET 2020

We are in the process to migrating a large number of users from our existing
OTP server to a new OTP solution.  During this process it will take around a
moth to assign all the users a new physical token. Because of this, we will
need to support both OTP servers until all the users have their new tokens.


We currently have two realms setup in the proxy.conf file.  One goes to the
old OTP radius server, and the other goes to the new OTP radius server.
Using each of these realms individually works just fine.


Is there a way to configure freeradius to proxy the request to the first
realm, and if it gets a rejection to then proxy the request to the second


We are trying to make this transition as seamless as possible to our users.
During the transition period, it would be useful if we could find a way to
proxy the request to both OTP servers and as long as one of them accepts the
request the user will be granted access.


It would be ideal if it would proxy to the old OTP server first and only if
the request is rejected to forward the request to the second OPT server.
Since the OTP server is configured to lock an account after 3 failures, we
want the request to try the old OTP server first.  This way once the user
get's their new token it won't matter if their token gets locked on the old
system.  Once the transition is complete and all the users have their new
tokens, we will shutdown the old OTP server.


If this is at all possible, I would be grateful is someone could point me in
the right direction on how to do this.  


We are currently running on FreeRadius 3.0.20


Thank You.

More information about the Freeradius-Users mailing list