Multi-tenancy support

Alan DeKok aland at
Sun Jun 19 13:07:30 UTC 2022

On Jun 19, 2022, at 4:32 AM, Alex Zetaeffesse <fzetafs at> wrote:
> I'm challenged by the same problem. We would like to give tenants full
> control of their data and also privacy.

  This is what databases are for.  Put different tenants into different database tables.

  Many complex RADIUS problems are really database problems.  Once you decide how to represent the data, the RADIUS configuration is trivial.

> For the auth based on the MAC address where FR returns the PSK the most
> convenient solution would be to have just one DB but I'm thinking of
> splitting it into as many dBs as the number of the tenants,

  Why?  My comments to Cecil also apply here.  Trying random solutions is a guaranteed way to disaster.

> Then the the
> problem of the query time arises (do we have to go through them
> sequentially?) and I'm thinking of using a SQL proxy.
> All of this just in mind, 'cause I never used/configured SQL proxy and I
> don't know if they help in achieving my goal.
> In our project for smart devices we will be using realms as others
> suggested.

  Nathan's suggestion may work here.  But only if each tenant has their own RADIUS client IP.

  It's impossible to give advice in these situations, because the questions are too vague:

Q: I want to do stuff.  How do I do I configure FreeRADIUS?

A: I have no idea.  What stuff do you want to do?

  One common response here is to either to argue, or to give up.  I suggest instead working towards a solution, by answering the following questions:

1. Can the same MAC appear in different tenants?  If so, how do you tell the tenants apart (see below...)

2. Are there multiple tenants behind one RADIUS proxy?

4. Is there anything in the Access-Request packets which lets you distinguish one tenant from each other?  (i.e. run the server in debug mode, or use wireshark)

  Answering those questions will let you *begin* coming up with a solution.

  Note that all of the questions involving figuring out what's going on.  And looking at the RADIUS packets / debug output of the server.

  I've never understood why people think they can design or debug a complex RADIUS system without ever looking at what's actually going on.  It's like asking a mechanic to fix your car, and hours later discovering that he's not even looked at it.  Instead, he's spent all that time online looking at videos of similar cars.  It makes zero sense.
  Alan DeKok.

More information about the Freeradius-Users mailing list