Multi-tenancy support

Cecil Wei cecilwei at
Sun Jun 19 03:51:25 UTC 2022

Hi Alan,

Thank you again for replying to my question and sorry for not asking
questions properly but focusing only on the problems of my solution.

I am trying to build a platform that provides MAC authentication service to
multiple organizations. There will be a captive portal for end user to
register their device MAC address. The administrator of an organization can
also upload a list of MAC addresses to the database. It might be possible
that the same user MAC address appears in multiple organizations. In this
case multiple tenants might be selected if we lookup by MAC address.

I am also thinking of providing EAP authentication to multiple
organizations and allow them to have their own root certificate. My
understanding for this requirement is that I will need to create multiple
EAP configurations.

I thought that virtual server can help on providing proper data isolation
and individual EAP configuration.

Could you share some best practices for the problems I mentioned above if
there are over 10,000 organizations?

Thank you very much.


Alan DeKok <aland at> 於 2022年6月16日 週四 晚上7:55寫道:

> On Jun 15, 2022, at 8:20 PM, Cecil Wei <cecilwei at> wrote
> > I am still very new to freeradius so correct me if I am wrong. If I am
> > doing MAC authentication from access points,
>   When you ask a question, it helps to describe the problem you're trying
> to solve.  You should give information about the problem, and describe it
> in detail.
>   It's less useful to give out a little more information with each message.
>   You should also describe the requirements, not your current solution.
> In many cases, people find some weird way of doing things, and ask "why
> doesn't this work?"  If instead they describe what they want to do, we can
> propose a simpler / better solution.
> > the chances are the username
> > will not be available in the request and we would just look into the user
> > file and see if the MAC address (Calling-Station-Id) is registered or
> not.
> > In this scenario, I don't seem to have anything to identify the realm of
> > the incoming request. This is the reason why I am thinking of using
> client
> > section with source IP address mapping with virtual server. I don't
> really
> > think this is a good idea as well because we will need to make sure the
> ip
> > addresses are not overlapping or incorrectly configured.
>   If the User-Names are just MAC addresses, then put them all into a
> database, in a custom table.  Have one column MAC address.  And another
> column tenant name.
>   You can then get any packet, and look up the MAC address to get the
> tenant name.
> > Can I do the following things?
> >
> > 1. Create 10,000 virtual servers each maps to a tenant.
>   Why do you need 10,000 virtual servers?  You haven't said what you're
> doing with them.  Do they all have completely different policies?
> > 2. Create 10,000 client sections with separate ip addresses and associate
> > them to corresponding virtual server.
> > 3. Create 10,000 realm sections with tenantId and associate them to
> > corresponding virtual server.
>   All of these are possible solutions.  They're all bad.
>   What is the *problem* you're trying to solve?  Why do you think you need
> 10,000 virtual servers?  What are each of them doing?
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list