FR 3.0 radsec : dynamic home server discovery status

Arran Cudbard-Bell a.cudbardb at
Fri Mar 13 16:44:26 CET 2020

> On Mar 13, 2020, at 9:54 AM, Alan DeKok <aland at> wrote:
> On Mar 13, 2020, at 8:57 AM, Stefan Winter <stefan.winter at> wrote:
>> many hundreds of realms set NAPTR records in eduroam. Those typically
>> point to an approximate dozen of country-level endpoints which take the
>> traffic from there over RADIUS/UDP.
>  That makes sense.
>> To be honest, the lack of NAPTR lookup capability is my #1 reason why
>> I'm using Radiator and radsecproxy as the two RADIUS implementations for
>> my own country-level servers. Both allow dynamic lookups.

Out of interest, is it a mix of UDP+DTLS and TCP+TLS?

Is there a way of specifying a preference via the NAPTR records?


For v3 I think poking via radmin to add new destinations might be a reasonably simple way to do this asynchronously.

Request comes in for new realm, calls exec to trigger a script to do the resolution and insert the realm info via radmin (maybe just have the ability to define new realms via config snippets?). FR doesn't responsd to the original request.

Retransmit comes in, gets forwarded to realm that's now magically appeared.

Synchronisation for the realm rbtree would be a pain, but as this is relatively low volume, maybe just add a toggle that puts a mutex around the tree?


For v4 the other thing that occurred to me, is that it wouldn't be *that* hard to fix the exec calls to be async.  You just need to stick the server ends of stdout/stderr into the event loop. I think kqueue also has a notification system for process exits too...

So one quick/hacky way of doing the lookups could just be calling out to dig and parsing the results.

Actually adding radsec and dynamic realm support is much much easier in v4.


More information about the Freeradius-Users mailing list