FreeRADIUS vs Managed RADIUS for Small ISPs
Choose the right RADIUS operating model by comparing control, reliability, maintenance effort, billing integration, migration risk, and support evidence.
Run the workflow with proof
The real decision is operational
FreeRADIUS is powerful and proven. Managed RADIUS is commercial early access for tenants that complete launch signoff because it reduces server maintenance and can provide clearer operational health. The right choice depends on the ISP's team, network design, and tolerance for migration risk.
Keep existing FreeRADIUS when
- It is stable and the team understands it.
- PPPoE or hotspot policies already work.
- The ISP has custom SQL, scripts, or vendor-specific logic.
- The operator wants billing integration without changing auth first.
- The network has private routing constraints that make direct cloud RADIUS harder at the start.
Use managed RADIUS when
- The ISP does not want to maintain RADIUS servers.
- Regional resilience and health visibility matter.
- New sites need faster rollout.
- Support needs clearer evidence for blocked or mismatched subscribers.
- Billing workflows should safely drive access policy after mapping and rollback proof.
- The tenant can run a beta onboarding window with NAS source review, Vault secret refs, primary/secondary RADIUS config, failure posture signoff, and live smoke evidence.
Hybrid is often the safest start
A small ISP does not need to make a risky all-or-nothing move. A hybrid rollout can connect current FreeRADIUS first, then move selected plans, sites, or customer groups into managed RADIUS after the team trusts the workflow.
| Model | Pros | Risks |
|---|---|---|
| Existing FreeRADIUS | Maximum control, minimal migration, known behavior. | Server maintenance, weaker visibility, more custom work. |
| Managed RADIUS early access | Less infrastructure, better health views, faster rollout after launch proof. | Requires trust in cloud auth path and migration planning. |
| Hybrid | Lowest cutover risk, gradual validation. | Requires clear policy ownership during transition. |
What billing integration must prove
The billing system should not only change RADIUS. It should explain the result:
- Which invoice or payment caused the change.
- Which subscriber and service were affected.
- Which RADIUS policy was applied.
- Whether CoA or disconnect succeeded.
- Which router or NAS reported the session.
- What support should tell the customer.
ISPAgents approach
ISPAgents should support existing FreeRADIUS, managed RADIUS, MikroTik direct control, and custom agents as separate validated paths. Managed RADIUS early access is the main cloud-operated path; RouterOS Local PPP/PPPoE is a beta delivery mode only for tenants that want local RouterOS PPP instead of RADIUS. That gives the operator a practical rollout based on the network they have today, not an idealized network they may never get time to build.
Continue the operations map.
One Subscriber, One Device Identity
How ISPAgents resolves TR-069, SNMP, syslog, USP, controller, and RADIUS observations into one canonical subscriber, site, and device — the foundation that makes billing, access, and support finally agree.
Open pageGuidesTR-069 Device Compatibility
TR-069 support is broad by default — almost every CPE already speaks CWMP. ISPAgents publishes a per-model coverage matrix so your support and NOC teams know exactly which parameters and workflows are proven on each router and firmware range.
Open pageSolutionsAutomatic Internet Suspension Software
Design suspension and restoration workflows without losing control by connecting billing, payment evidence, RADIUS, MikroTik, custom agents, approvals, and rollback evidence.
Open pageSolutionsCustomer Self-Service App
A phone-first app for an ISP's subscribers — view plan and balance, track data usage, pay, and open support — branded to the operator. Account and usage are live today; CPE controls are on the way.
Open page