Technical guide

FreeRADIUS vs Managed RADIUS for Small ISPs

Choose the right RADIUS operating model by comparing control, reliability, maintenance effort, billing integration, migration risk, and support evidence.

FreeRADIUS integration
Operator playbook

Run the workflow with proof

guided path
1
steps audited
100%
guesswork
0
PlanPre-flight checklistReady
RunGuarded action stepsTracked
VerifyEvidence capturedDone
Each guide maps to a real operator workflow you can run and audit in ISPAgents.
Page type
Guides
Primary search
FreeRADIUS vs Managed RADIUS
Updated
2026-06-07

The real decision is operational

FreeRADIUS is powerful and proven. Managed RADIUS is commercial early access for tenants that complete launch signoff because it reduces server maintenance and can provide clearer operational health. The right choice depends on the ISP's team, network design, and tolerance for migration risk.

Keep existing FreeRADIUS when

  • It is stable and the team understands it.
  • PPPoE or hotspot policies already work.
  • The ISP has custom SQL, scripts, or vendor-specific logic.
  • The operator wants billing integration without changing auth first.
  • The network has private routing constraints that make direct cloud RADIUS harder at the start.

Use managed RADIUS when

  • The ISP does not want to maintain RADIUS servers.
  • Regional resilience and health visibility matter.
  • New sites need faster rollout.
  • Support needs clearer evidence for blocked or mismatched subscribers.
  • Billing workflows should safely drive access policy after mapping and rollback proof.
  • The tenant can run a beta onboarding window with NAS source review, Vault secret refs, primary/secondary RADIUS config, failure posture signoff, and live smoke evidence.

Hybrid is often the safest start

A small ISP does not need to make a risky all-or-nothing move. A hybrid rollout can connect current FreeRADIUS first, then move selected plans, sites, or customer groups into managed RADIUS after the team trusts the workflow.

ModelProsRisks
Existing FreeRADIUSMaximum control, minimal migration, known behavior.Server maintenance, weaker visibility, more custom work.
Managed RADIUS early accessLess infrastructure, better health views, faster rollout after launch proof.Requires trust in cloud auth path and migration planning.
HybridLowest cutover risk, gradual validation.Requires clear policy ownership during transition.

What billing integration must prove

The billing system should not only change RADIUS. It should explain the result:

  • Which invoice or payment caused the change.
  • Which subscriber and service were affected.
  • Which RADIUS policy was applied.
  • Whether CoA or disconnect succeeded.
  • Which router or NAS reported the session.
  • What support should tell the customer.

ISPAgents approach

ISPAgents should support existing FreeRADIUS, managed RADIUS, MikroTik direct control, and custom agents as separate validated paths. Managed RADIUS early access is the main cloud-operated path; RouterOS Local PPP/PPPoE is a beta delivery mode only for tenants that want local RouterOS PPP instead of RADIUS. That gives the operator a practical rollout based on the network they have today, not an idealized network they may never get time to build.

Next step

See how this works in your network.