Multi-tenancy support

Cecil Wei cecilwei at
Thu Jun 16 01:20:43 UTC 2022

Hi Alan, Michael,

Thank you so much for your reply.

I am still very new to freeradius so correct me if I am wrong. If I am
doing MAC authentication from access points, the chances are the username
will not be available in the request and we would just look into the user
file and see if the MAC address (Calling-Station-Id) is registered or not.
In this scenario, I don't seem to have anything to identify the realm of
the incoming request. This is the reason why I am thinking of using client
section with source IP address mapping with virtual server. I don't really
think this is a good idea as well because we will need to make sure the ip
addresses are not overlapping or incorrectly configured.

Can I do the following things?

1. Create 10,000 virtual servers each maps to a tenant.
2. Create 10,000 client sections with separate ip addresses and associate
them to corresponding virtual server.
3. Create 10,000 realm sections with tenantId and associate them to
corresponding virtual server.

If the radius request is directly sent from access point, use client
section to redirect to the virtual server.
If the radius request is from proxy server, identify the realm with
attribute in the request and redirect to the correct virtual server.

Thank you again for your kind response.


Alan DeKok <aland at> 於 2022年6月16日 週四 凌晨4:35寫道:

> On Jun 14, 2022, at 10:26 PM, Cecil Wei <cecilwei at> wrote:
> >
> > I have been working on a project that we need to support more than 10000
> > tenants. I tried to create multiple virtual servers and each listen to
> > different ports and I found that I can only create up to 300 virtual
> > servers due to the limitation of FD_SETSIZE. In this case I will need to
> > have more than 300 servers running which doesn't seem to make much sense.
>   The normal process is to just create users as "user at".  You
> can then use one server.
> > I also consider the option of creating multiple client sections to
> specify
> > the source IP addresses and the corresponding virtual server. However, I
> > don't seem to find a way to identify tenants if the incoming traffic is
> > from the same proxy server.
>   The reason this is hard is because no one does this.   It's a bad
> design, and will cause all kinds of problems in the future.
> > I am running out of options and hoping that you may share your experience
> > or suggestions.
>   Just use realms.  It's what people have done for 20+ years.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list