RADIUS Server Setup and Management Training
RADIUS Server Setup and Management Training for ISP Operators
Master the AAA (Authentication, Authorization, Accounting) framework that powers subscriber management for ISPs. Learn FreeRADIUS from installation to production deployment, including MikroTik integration and billing system connectivity.
What We Offer
Our RADIUS training covers 10 core modules that take operators from protocol fundamentals through to advanced subscriber management, billing integration, and high-availability deployments.
RADIUS Protocol Fundamentals (Authentication, Authorization, Accounting)
FreeRADIUS Installation and Initial Configuration
Integration with MikroTik PPPoE Server
User Management and Bandwidth Plan Profiles
CoA (Change of Authorization) for Dynamic Speed Changes
Accounting Logs and Billing System Integration
MySQL/MariaDB Backend Setup and Optimization
RADIUS Server Failover and High Availability
NAS (Network Access Server) Configuration
Troubleshooting Authentication and Accounting Failures
How It Works
The Role of RADIUS in ISP Subscriber Management
RADIUS (Remote Authentication Dial-In User Service) is the protocol that makes centralized subscriber management possible for ISPs. Every time a broadband subscriber connects to the internet through PPPoE, their credentials are sent to a RADIUS server for verification. The RADIUS server checks the username and password against its database, verifies that the subscriber's account is active and not expired, determines which bandwidth plan the subscriber is on, and sends back the appropriate speed limits and IP address assignment to the NAS (Network Access Server, typically a MikroTik router). This entire process happens in milliseconds and is completely transparent to the subscriber. Beyond authentication, RADIUS also handles authorization (determining what resources a subscriber can access) and accounting (recording session start/stop times, data usage, and session duration for billing purposes). Without a properly configured RADIUS server, ISPs would need to manage subscriber credentials and bandwidth profiles locally on each router, which is impractical for any network serving more than a handful of subscribers.
Setting Up FreeRADIUS with MikroTik
Our training provides a complete, step-by-step walkthrough of deploying FreeRADIUS from scratch and integrating it with MikroTik PPPoE servers. The process begins with installing FreeRADIUS on a Linux server (we cover both Ubuntu/Debian and CentOS/Rocky Linux installations), configuring the database backend using MySQL or MariaDB, and setting up the initial client (NAS) definitions that tell FreeRADIUS which routers are authorized to send authentication requests. Participants then configure the MikroTik PPPoE server to point to the RADIUS server, defining the shared secret, timeout values, and fallback behavior.
The training covers the FreeRADIUS configuration files in detail, including the main radiusd.conf, the clients.conf for NAS definitions, the users file for local user testing, and the SQL module configuration for database-backed authentication. We explain how FreeRADIUS processes authentication requests through its module chain: first checking the authorize section to look up the user and retrieve their stored password and attributes, then passing through the authenticate section to verify the password, and finally the post-auth section where custom logic like logging or attribute manipulation can be added. This understanding of the FreeRADIUS processing pipeline is essential for troubleshooting authentication failures and implementing custom business logic.
Automating Subscriber Provisioning
Manual subscriber management through direct database edits or configuration file changes does not scale for growing ISPs. Our training teaches operators how to automate the subscriber lifecycle using RADIUS in conjunction with billing and CRM systems. When a new subscriber signs up, the billing system creates a record in the RADIUS database with the subscriber's credentials, assigned bandwidth plan, and account validity period. When the subscriber connects, the RADIUS server automatically applies the correct speed limits based on their plan. If the subscriber upgrades or downgrades their plan, the billing system updates the RADIUS database and sends a CoA (Change of Authorization) packet to the MikroTik router, which updates the subscriber's speed limits in real time without requiring a reconnection. When a subscriber's payment is overdue, the billing system can update the RADIUS profile to redirect the subscriber to a captive portal or reduce their speed until payment is received.
Integrating with Billing Systems
The connection between RADIUS and billing is what transforms raw authentication into a revenue-generating system. Our training covers the integration architecture, where the billing system writes subscriber data to the RADIUS database and reads accounting data back for usage tracking and invoice generation. We work with common ISP billing platforms used in India, teaching operators how to configure the database schema for compatibility, set up accounting tables that record session details (bytes in, bytes out, session duration, NAS IP, assigned IP), and build SQL queries that generate usage reports for billing reconciliation. The training also covers how to implement prepaid and postpaid models using RADIUS, where prepaid subscribers have a data or time quota that decrements in real time, and postpaid subscribers have unlimited access with usage-based billing at the end of each cycle.
Troubleshooting and Monitoring
Authentication failures are one of the most common issues ISP support teams deal with daily. Our training equips operators with systematic troubleshooting skills for RADIUS-related problems. We cover how to read FreeRADIUS debug output (running the server in debug mode with the -X flag), interpret common error messages, trace the authentication flow from the NAS through to the database lookup and back, and identify issues such as incorrect shared secrets, password mismatches, expired accounts, simultaneous-use violations, and database connectivity problems. We also set up monitoring for the RADIUS infrastructure using tools like radclient for synthetic testing, Zabbix for server health monitoring, and custom scripts that alert operators when authentication failure rates exceed normal thresholds.
Key Features
Frequently Asked Questions
Why should ISPs use RADIUS instead of local authentication on routers?
Local authentication stores subscriber credentials directly on the router, which becomes unmanageable once you exceed a few dozen subscribers. RADIUS centralizes authentication, authorization, and accounting in a database-backed server. This allows you to manage thousands of subscribers from a single interface, integrate with billing systems for automated plan changes, generate accounting records for usage tracking, and implement features like CoA (Change of Authorization) for real-time speed adjustments. RADIUS also supports redundancy, so if one server goes down, a backup server handles authentication without subscriber impact.
Which RADIUS software do you recommend for ISP deployments?
We primarily train on FreeRADIUS, which is the most widely deployed RADIUS server globally and handles the needs of ISPs ranging from hundreds to millions of subscribers. FreeRADIUS is open-source, highly configurable, and supports MySQL, MariaDB, PostgreSQL, and LDAP backends. For ISPs that prefer commercial solutions, we also cover the basics of Cisco ISE and other commercial AAA platforms. However, FreeRADIUS remains our recommended choice for most ISP deployments due to its flexibility, performance, and zero licensing cost.
How does RADIUS integrate with MikroTik PPPoE for bandwidth management?
When a subscriber connects via PPPoE, the MikroTik router sends an Access-Request to the RADIUS server with the subscriber's credentials. If authentication succeeds, the RADIUS server sends back an Access-Accept message that includes reply attributes such as Mikrotik-Rate-Limit, which defines the subscriber's download and upload speed. The MikroTik router applies these speed limits automatically to the PPPoE session. When the subscriber's plan changes in the billing system, the RADIUS server can send a CoA (Change of Authorization) packet to the router, updating the speed limits in real time without disconnecting the subscriber.
What happens if the RADIUS server goes down during operation?
Our training covers RADIUS high-availability configuration to prevent single points of failure. We set up primary and secondary RADIUS servers with database replication between them. MikroTik and other NAS devices are configured with both server addresses, so if the primary server is unreachable, authentication requests automatically fail over to the secondary. We also cover interim accounting configurations that buffer records locally on the NAS when the RADIUS server is temporarily unavailable, forwarding them once connectivity is restored.
Automate Your Subscriber Management with RADIUS
Contact us to schedule RADIUS training for your ISP team. We will guide you from initial setup through billing integration and high-availability deployment.
Ready to Get Started?
Whether you need broadband, a Shopify app, or an AI-powered solution, our team is here to help. We respond within 2 hours.