Managed RADIUS

ISPAgents-operated RADIUS as a managed service — authentication, accounting, and Change of Authorization for PPPoE and hotspot — so you stop running and patching FreeRADIUS yourself, with strict per-tenant realms and secrets.

Operator console

Subscribers, devices, and access in one view

  • Subscribers: 4.2k
  • Sites live: 3
  • Critical fails: 0
  • Live: Subscriber + device identity (Mapped)
  • Action: Guarded command preview (Approved)
  • Audit: Every change logged (Tracked)

One operator surface ties each subscriber to their devices, access, and history.
Page type: Solutions
Primary search: managed RADIUS for ISPs
Updated: 2026-06-09

Stop operating RADIUS yourself

FreeRADIUS is powerful, but running it well is a full-time discipline: patching, backups, latency, secrets, NAS configuration, policy mapping, accounting hygiene, and safe change control. The server that authenticates every subscriber is also the server that takes the whole base offline when it misbehaves — so a lot of small and mid-sized ISPs end up with one fragile box nobody wants to touch.

Managed RADIUS is the AAA spine, operated by ISPAgents. We run authentication, accounting, and Change of Authorization for your PPPoE and hotspot subscribers on a hosted RADIUS plane with strict per-tenant isolation, so your team stops owning the failure modes and starts working from one place where access, billing, and support already agree.

This is commercial early access (beta) today. Onboarding is high-touch and tenant-specific — we register your NAS, seed secrets, configure endpoints, and run live smoke with you before any subscriber traffic moves. It is not yet self-service, and it is not zero-touch.

What "managed" means here

Managed RADIUS is the operated AAA service — not a billing engine. Billing, pricing, invoicing, and dunning live elsewhere in the platform and feed policy into RADIUS; the RADIUS plane itself authenticates sessions, records accounting, and enforces live access changes through CoA. Keeping that boundary clean is deliberate: see RADIUS billing software for how billing state maps to access, and FreeRADIUS cloud managed for the launch and signoff detail.

  • A hosted AAA spine operated by ISPAgents, not a server you patch.
  • Live session control through CoA, so suspend, restore, and shape take effect on sessions that are already up.
  • RadSec (RADIUS over TLS) supported where the NAS and tenant design call for encrypted transport.
  • Strict per-tenant realms and secrets, so one operator's auth domain and shared secrets are never reachable from another's.
  • Controller-aware, working with backends like Splynx and UISP where the operator already runs one.

The AAA capabilities

| Capability | What it does |
| --- | --- |
| Authentication | Validates PPPoE and hotspot subscriber sessions against the tenant's realm and policy before the NAS grants access. |
| Accounting | Collects session start, interim, and stop records for usage visibility, support context, and reconciliation against billing. |
| Change of Authorization (CoA) | Disconnects, restores, or re-shapes a live session — so an overdue suspend or a post-payment restore happens immediately, not at next reconnect. |
| RadSec / TLS | Carries RADIUS over TLS where encrypted transport is required, instead of relying only on classic UDP auth/accounting. |
| Per-tenant realms & secrets | Isolates each operator's authentication domain, NAS list, and shared-secret references so realms and secrets never cross tenants. |

A live CoA layer, not just a login check

The reason to operate RADIUS rather than just check passwords is CoA. When a subscriber pays a bill, an operator should not wait for them to reconnect to get service back — and when an account goes overdue, suspension should land on the session that is currently online. Managed RADIUS uses CoA to make those changes take effect live, where the NAS and network design support it, and records what changed:

  • Suspend an overdue subscriber's active session on operator rules.
  • Restore a paid subscriber immediately after a payment posts.
  • Re-shape or re-profile a session after an upgrade or downgrade.

This pairs directly with automatic internet suspension software, which decides when access should change; Managed RADIUS is the plane that enforces it on live sessions.
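
How a NAS decides whether to honor a Disconnect or CoA request, and why per-tenant shared secrets keep a request built for one tenant from being accepted by another tenant's NAS, shown as an added example (not ISPAgents code). It follows the RFC 5176 Request Authenticator calculation; the secrets, user name, and session ID are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 packet codes
USER_NAME, ACCT_SESSION_ID = 1, 44         # RFC 2865 / RFC 2866 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(code, ident, length, attrs, secret) -> bytes:
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side: build a CoA or Disconnect request for one NAS."""
    length = 20 + len(attrs)
    auth = _authenticator(code, ident, length, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

def nas_accepts(packet: bytes, secret: bytes) -> bool:
    """NAS side: silently drop anything malformed or not authenticated
    under the shared secret this NAS holds."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]               # octets past Length are padding
    expected = _authenticator(code, ident, length, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo():
    # Constructed sample values, one shared secret per tenant.
    secret_a = b"constructed-secret-tenant-a"
    secret_b = b"constructed-secret-tenant-b"
    attrs = (attr(USER_NAME, b"alice@tenant-a.example")
             + attr(ACCT_SESSION_ID, b"0000A1B2"))
    pkt = build_request(DISCONNECT_REQUEST, 1, attrs, secret_a)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # session ID altered in transit
    return (nas_accepts(pkt, secret_a),      # tenant A's NAS
            nas_accepts(pkt, secret_b),      # tenant B's NAS, different secret
            nas_accepts(tampered, secret_a))

if __name__ == "__main__":
    print(demo())
```

The authenticator protects integrity only; the attributes still travel in the clear over UDP, which is the gap RadSec closes.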

Coexist first, take over when proven

Managed RADIUS does not force a cutover. Most operators reach us with a working FreeRADIUS deployment, and the right rollout keeps it in place:

  • Run a hybrid posture — keep your existing FreeRADIUS as primary or secondary while we onboard selected sites, plans, or segments onto the managed plane.
  • Configure a reversible server list on the NAS, with a chosen failure posture (fail-open-secondary, fail-closed, or local-fallback) agreed before the window.
  • Move by site, router, package, or customer segment — not one risky all-at-once flip.
  • Let Managed RADIUS become primary only once live auth, accounting, CoA, and rollback evidence are captured for that tenant.

RouterOS local PPP/PPPoE management is a separate beta pilot, for operators who specifically want MikroTik to handle local PPP instead of RADIUS subscriber auth. It is not the primary Managed RADIUS path and is gated until a real live local PPPoE subscriber-session proof passes.

Where Managed RADIUS fits

Managed RADIUS is the operated authentication, accounting, and CoA layer; it sits beside the rest of the platform rather than replacing it. Decide between running your own and having us operate it with the FreeRADIUS vs Managed RADIUS guide, connect an existing deployment through the FreeRADIUS integration, or review the launch and signoff posture in FreeRADIUS cloud managed. When billing should drive a live suspend or restore, pair it with automatic internet suspension software.

Next step

See how this works in your network.