Multi-tenancy support

Alex Zetaeffesse fzetafs at
Mon Jun 20 14:49:46 UTC 2022

Hi Alan,

Despite having a similar project I guess it's better to have a different
thread in the ML for my project.
I had actually started a differentone; shall I continue that one, providing
the correct answers to your questions?


On Sun, Jun 19, 2022 at 3:07 PM Alan DeKok <aland at>

> On Jun 19, 2022, at 4:32 AM, Alex Zetaeffesse <fzetafs at> wrote:
> > I'm challenged by the same problem. We would like to give tenants full
> > control of their data and also privacy.
>   This is what databases are for.  Put different tenants into different
> database tables.
>   Many complex RADIUS problems are really database problems.  Once you
> decide how to represent the data, the RADIUS configuration is trivial.
> > For the auth based on the MAC address where FR returns the PSK the most
> > convenient solution would be to have just one DB but I'm thinking of
> > splitting it into as many dBs as the number of the tenants,
>   Why?  My comments to Cecil also apply here.  Trying random solutions is
> a guaranteed way to disaster.
> > Then the the
> > problem of the query time arises (do we have to go through them
> > sequentially?) and I'm thinking of using a SQL proxy.
> > All of this just in mind, 'cause I never used/configured SQL proxy and I
> > don't know if they help in achieving my goal.
> > In our project for smart devices we will be using realms as others
> > suggested.
>   Nathan's suggestion may work here.  But only if each tenant has their
> own RADIUS client IP.
>   It's impossible to give advice in these situations, because the
> questions are too vague:
> Q: I want to do stuff.  How do I do I configure FreeRADIUS?
> A: I have no idea.  What stuff do you want to do?
>   One common response here is to either to argue, or to give up.  I
> suggest instead working towards a solution, by answering the following
> questions:
> 1. Can the same MAC appear in different tenants?  If so, how do you tell
> the tenants apart (see below...)
> 2. Are there multiple tenants behind one RADIUS proxy?
> 4. Is there anything in the Access-Request packets which lets you
> distinguish one tenant from each other?  (i.e. run the server in debug
> mode, or use wireshark)
>   Answering those questions will let you *begin* coming up with a solution.
>   Note that all of the questions involving figuring out what's going on.
> And looking at the RADIUS packets / debug output of the server.
>   I've never understood why people think they can design or debug a
> complex RADIUS system without ever looking at what's actually going on.
> It's like asking a mechanic to fix your car, and hours later discovering
> that he's not even looked at it.  Instead, he's spent all that time online
> looking at videos of similar cars.  It makes zero sense.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list