Question on dynamic home_server

Michael Schwartzkopff ms at
Wed Jun 15 07:43:34 UTC 2022

On 15.06.22 02:37, Yushu Shi (yusshi) via Freeradius-Users wrote:
> Thank you Alan and Michael for your replies.
> Sadly this is what our customer demands. Their deployment has multiple regions. Each region has multiple RADIUS servers. For an individual NAS device, its primary and secondary region are resolved by DNS query based on the geographic location of the NAS. As NAS provider, we are required to do round-robin inside the primary region's server pool. When all servers in the primary region fail, we should fall back to the secondary region.

That is exactly the use case for pools (primary) and failover for secondary.

If your customer insists on this, double the costs. Then he will become 
reasonable, or you will earn damages for the pain he caused.

> Looks like we have to use a separate process to resolve the IP address of all servers then change the config files. But I tried changing ipaddr of the home_server in proxy.conf, sending HUP signal to freeradius, but freeradius still proxies to the previous IP address. Looks like changing ipaddr of the home server does not work. Is this true?
> Is there any way to fail-over between two home server pools?

Hm. Perhaps there is a misunderstanding here. Add more home_servers to 
your home_server_pool. FR will distribute the load. Details are 

> Thanks,
> Yushu
> On 6/14/22, 12:49 PM, "Alan DeKok" <aland at> wrote:
>      On Jun 14, 2022, at 12:03 AM, Yushu Shi (yusshi) via Freeradius-Users <freeradius-users at> wrote:
>      > Need some help with using freeradius as a proxy to two radius server pools.
>      > The requirement is like below:
>        I agree with Michael here.  This is not an appropriate use-case.
>      >  *   There are two server pools, identified with host names:  and
>      >  *   DNS request to the two host names returns the IP addresses of several servers in the pool in a round robin fashion, i.e., “host” command returns 3 IP addresses.
>      >  *   IP address of each server may get changed. Need to honor DNS TTL timer.
>      >  *   All auth requests should be directed to the hosts in the primary pool round robin, and only fail over to the secondary if all hosts behind the primary are unresponsive.
>      >
>      > Is there any way to accomplish these requirements without restarting the process? How should I create the home_server pools in proxy.conf to do this?
>        You can't do this, and you shouldn't do this.
>        DNS round robin is when you have many clients (e.g. thousands or more), and you want them to spread their connections across many back-end servers.  This isn't the case with RADIUS.
>        With RADIUS, you have one RADIUS server.  It knows how to spread its packets across multiple back-ends.
>        This requirement won't do what you want, and it won't work with FreeRADIUS.
>        Alan DeKok.

Kind regards,


[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
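
The selection behaviour asked for in the quoted requirement (round robin inside the primary pool, secondary pool only when every primary server is unresponsive), modelled as an added Python example. It is not FreeRADIUS code or configuration and does not come from the thread; the class names and the documentation-range addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Pool:
    """A named group of servers tried in round-robin order (hypothetical model)."""
    name: str
    servers: List[str]
    _next: int = 0  # index of the server to try first on the next request

    def pick(self, dead: Set[str]) -> Optional[str]:
        """Return the next live server in rotation, or None if all are dead."""
        for offset in range(len(self.servers)):
            idx = (self._next + offset) % len(self.servers)
            if self.servers[idx] not in dead:
                # Advance past the chosen server so load keeps rotating.
                self._next = (idx + 1) % len(self.servers)
                return self.servers[idx]
        return None


class Selector:
    """Prefer the primary pool; use the secondary only if no primary is alive."""

    def __init__(self, primary: Pool, secondary: Pool) -> None:
        self.pools = [primary, secondary]
        self.dead: Set[str] = set()

    def mark_dead(self, server: str) -> None:
        self.dead.add(server)

    def mark_alive(self, server: str) -> None:
        self.dead.discard(server)

    def select(self) -> Optional[Tuple[str, str]]:
        """Return (pool name, server) for the next request, or None."""
        for pool in self.pools:
            server = pool.pick(self.dead)
            if server is not None:
                return pool.name, server
        return None  # every server in both pools is unresponsive


# Constructed sample pools (RFC 5737 documentation addresses).
PRIMARY = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
SECONDARY = ["198.51.100.21", "198.51.100.22"]
```
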
