What is RADIUS Authentication?

If you run an Internet Service Provider (ISP) business in India, you have probably come across the term RADIUS authentication. But what exactly is it, and why is it so critical to your daily operations?

RADIUS stands for Remote Authentication Dial-In User Service. It is a networking protocol that provides centralised Authentication, Authorisation, and Accounting (AAA) services for users who connect to a network. Originally developed in 1991, RADIUS has become the industry-standard protocol for managing subscriber access across broadband, wireless, and dial-up networks worldwide.

In simple terms, whenever a subscriber tries to connect to your ISP network, RADIUS is the system that:

  • Verifies **who they are** (Authentication)
  • Determines **what they are allowed to do** (Authorisation)
  • Keeps a **record of what they did** (Accounting)

---

How Does RADIUS Authentication Work?

The AAA Framework Explained

The three pillars of RADIUS — Authentication, Authorisation, and Accounting — work together seamlessly to manage subscriber sessions.

Authentication

Authentication is the process of verifying the identity of a user. When a subscriber enters their username and password, the Network Access Server (NAS) — typically your router or broadband equipment — forwards these credentials to the RADIUS server.

The RADIUS server then checks these credentials against its database and responds with one of three outcomes:

  • **Access-Accept** — credentials are valid, user is allowed in
  • **Access-Reject** — credentials are invalid, user is denied
  • **Access-Challenge** — additional information is required (used in multi-factor setups)

Authorisation

Once a user is authenticated, Authorisation determines what resources and services that user can access. This is where your ISP policies come into play.

For example, a subscriber on a 50 Mbps plan should not get 100 Mbps speeds. RADIUS handles this by sending attributes to the NAS that define:

  • Bandwidth limits (upload and download speeds)
  • Session time limits
  • IP address assignments
  • VLAN assignments
  • Data usage caps
💡 OneRADIUS allows you to configure granular authorisation policies per subscriber plan, making it easy to manage thousands of users with different service tiers.

Accounting

Accounting is the continuous logging of session data. The NAS sends periodic updates to the RADIUS server about an ongoing session, including:

  • Session start and stop times
  • Total data uploaded and downloaded
  • Session duration
  • Termination cause

This data is invaluable for billing, network monitoring, compliance, and troubleshooting.

---

The RADIUS Communication Flow — Step by Step

Here is a simplified walkthrough of what happens when a subscriber logs in to your ISP network:

  1. **Subscriber connects** — A user connects via PPPoE, IPoE, or Wi-Fi and submits credentials
  2. **NAS sends Access-Request** — The NAS packages the credentials and sends an Access-Request packet to the RADIUS server
  3. **RADIUS server processes the request** — The server looks up the user in the database and validates credentials
  4. **RADIUS sends Access-Accept or Reject** — If valid, an Access-Accept is sent with authorisation attributes; otherwise, Access-Reject is returned
  5. **NAS applies policies** — The NAS applies the speed limits, IP address, and other attributes received from RADIUS
  6. **Session begins and accounting starts** — The NAS sends an Accounting-Start packet to RADIUS, and periodic Accounting-Interim-Update packets follow
  7. **Session ends** — When the user disconnects, an Accounting-Stop packet is sent, completing the session record
💡 This entire process typically completes in milliseconds, making RADIUS transparent to the end user.

---

Why RADIUS is Essential for Indian ISPs

India has one of the fastest-growing broadband markets in the world, driven by the explosion of FTTH (Fibre to the Home) connections and affordable data plans. Managing thousands — sometimes tens of thousands — of concurrent subscribers requires a robust and scalable AAA system.

Here is why RADIUS is non-negotiable for Indian ISPs:

Centralised User Management

Without RADIUS, managing subscriber credentials across multiple NAS devices would be an operational nightmare. RADIUS provides a single point of control for all user accounts, policies, and session data.

Regulatory Compliance

The Department of Telecommunications (DoT) and TRAI regulations in India require ISPs to maintain detailed logs of subscriber sessions, including connection times and data usage. RADIUS accounting provides exactly this data automatically.

⚠️ Failure to maintain proper subscriber session logs can result in regulatory penalties under Indian telecom licensing conditions. Ensure your RADIUS server retains data as per DoT guidelines.

Scalability

As your subscriber base grows from 500 to 5,000 to 50,000 users, your RADIUS server must scale accordingly. Modern RADIUS solutions like OneRADIUS are built to handle millions of authentication requests per day without performance degradation.

Plan Management and Billing Integration

RADIUS integrates directly with your billing system to enforce subscriber plans in real time. When a subscriber's plan expires or their data quota is exhausted, RADIUS can immediately disconnect the session or redirect them to a payment portal.

---

Key RADIUS Attributes Every ISP Should Know

RADIUS communicates using attribute-value pairs (AVPs). Some of the most important standard attributes for ISPs include:

  • **User-Name (1)** — The subscriber username
  • **User-Password (2)** — The encrypted password
  • **NAS-IP-Address (4)** — IP of the NAS device sending the request
  • **Framed-IP-Address (8)** — The IP address assigned to the subscriber
  • **Session-Timeout (27)** — Maximum session duration in seconds
  • **Idle-Timeout (28)** — Time before an idle session is terminated
  • **Acct-Input-Octets (42)** — Total bytes received by the user
  • **Acct-Output-Octets (43)** — Total bytes sent to the user
  • **Acct-Session-Time (46)** — Total session duration in seconds
💡 OneRADIUS supports both standard RADIUS attributes and vendor-specific attributes (VSAs) for popular NAS equipment used in India, including MikroTik, Cisco, Huawei, ZTE, and Juniper.

---

RADIUS vs DIAMETER — What is the Difference?

You may have heard of DIAMETER, which is often described as the successor to RADIUS. Here is a quick comparison:

RADIUS

  • UDP-based (faster but less reliable)
  • Widely supported by all NAS equipment
  • Ideal for broadband and fixed-line ISP networks
  • Simpler to deploy and manage

DIAMETER

  • TCP/SCTP-based (more reliable)
  • Used primarily in 4G/5G mobile core networks
  • More complex to implement
  • Better suited for carrier-grade mobile applications

For fixed-line and broadband ISPs in India, RADIUS remains the dominant and preferred choice. DIAMETER is typically reserved for mobile network operators running EPC (Evolved Packet Core) infrastructure.

---

Common RADIUS Authentication Methods

RADIUS supports multiple authentication protocols, each with different security characteristics:

PAP (Password Authentication Protocol)

  • Passwords are transmitted in clear text (base64 encoded within RADIUS)
  • Simple but less secure
  • Still used in many ISP environments with proper network segmentation

CHAP (Challenge Handshake Authentication Protocol)

  • Uses a challenge-response mechanism
  • Password never sent over the network
  • More secure than PAP

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol v2)

  • Widely used in PPPoE broadband setups
  • Provides mutual authentication
  • Supported by most Windows and Linux PPPoE clients

EAP (Extensible Authentication Protocol)

  • Highly flexible framework supporting many sub-methods
  • Used in Wi-Fi (WPA2-Enterprise) and advanced setups
  • Methods include EAP-TLS, EAP-TTLS, PEAP
💡 OneRADIUS supports all major authentication methods, giving ISPs the flexibility to deploy the right security model for their network architecture.

---

What is a RADIUS Proxy and Why Do ISPs Use It?

A RADIUS proxy forwards authentication requests from one RADIUS server to another. This is useful in scenarios such as:

  • **Roaming agreements** between ISPs
  • **Hierarchical ISP structures** where resellers authenticate through a master ISP
  • **Load balancing** across multiple RADIUS servers
  • **Redundancy** — if the primary RADIUS server fails, the proxy forwards to a backup

For ISPs with franchise or reseller networks — which is common in Tier 2 and Tier 3 cities across India — RADIUS proxy functionality is extremely valuable.

---

Challenges ISPs Face Without a Proper RADIUS Server

Many small and mid-sized ISPs in India start out using basic or free RADIUS tools that eventually become bottlenecks. Common problems include:

  • **Authentication failures** during peak hours due to server overload
  • **Inability to enforce bandwidth policies** accurately
  • **Poor accounting data** leading to billing disputes
  • **No proper GUI** — forcing reliance on command-line configuration
  • **Lack of integration** with billing and network management systems
  • **No support for NAS COA (Change of Authorisation)** — making real-time plan changes impossible
⚠️ Running an overloaded or poorly configured RADIUS server can lead to mass subscriber disconnections during peak usage hours — a nightmare for ISP customer retention.

---

How OneRADIUS Solves These Challenges

OneRADIUS by ARCR Technologies is a purpose-built AAA RADIUS server solution designed specifically for the Indian ISP market. Here is what sets it apart:

Built for Indian ISP Workflows

OneRADIUS understands the unique requirements of Indian ISPs — from DoT compliance to integration with popular Indian billing platforms. The software is designed around how Indian ISPs actually operate.

Intuitive Web-Based Dashboard

No more command-line headaches. OneRADIUS provides a clean, web-based management interface where you can:

  • Add and manage subscribers
  • Create and assign plans
  • Monitor live sessions
  • View accounting reports
  • Configure NAS devices

Real-Time CoA (Change of Authorisation)

Need to upgrade a subscriber plan instantly or disconnect an overdue account? OneRADIUS supports RFC 3576 CoA (Change of Authorisation) and Disconnect Messages (DM), allowing you to make real-time changes to active sessions without waiting for the subscriber to reconnect.

High Performance and Scalability

OneRADIUS is engineered to handle high-volume authentication requests, making it suitable for ISPs of all sizes — from small local providers to large regional operators.

Billing System Integration

OneRADIUS integrates with popular ISP billing and CRM systems, ensuring that your subscriber plans, data quotas, and session data are always in sync.

Detailed Reports and Analytics

Get deep insights into your network with comprehensive reports on:

  • Daily, weekly, and monthly subscriber usage
  • Peak hour analysis
  • Failed authentication logs
  • NAS performance statistics

---

Best Practices for RADIUS Deployment in ISP Networks

To get the most out of your RADIUS infrastructure, follow these best practices:

  • **Deploy redundant RADIUS servers** — Always have a primary and secondary RADIUS server to avoid single points of failure
  • **Secure the RADIUS shared secret** — Use strong, unique shared secrets for each NAS device
  • **Segment RADIUS traffic** — Keep RADIUS communication on a dedicated management VLAN
  • **Monitor RADIUS server performance** — Track CPU, memory, and authentication response times regularly
  • **Back up your RADIUS database regularly** — Subscriber data loss can be catastrophic
  • **Keep RADIUS software updated** — Security patches are critical for any authentication system
  • **Audit failed authentication logs** — Patterns of failed logins can indicate brute force attacks or misconfigured equipment
⚠️ Never expose your RADIUS server directly to the public internet. RADIUS should only be accessible from your NAS devices over a trusted internal network.

---

Conclusion

RADIUS authentication is the invisible backbone that keeps ISP networks running smoothly. From verifying subscriber credentials in milliseconds to enforcing bandwidth policies and generating compliance-ready accounting logs, RADIUS is indispensable for any ISP operating at scale in India.

For ISPs looking for a reliable, scalable, and India-focused AAA RADIUS solution, OneRADIUS by ARCR Technologies offers everything you need in a single, easy-to-manage platform.

Whether you are a new ISP looking to set up your first RADIUS server or an established operator tired of the limitations of your current system, OneRADIUS is built to grow with your business.

Ready to experience OneRADIUS? Visit [oneradius.com](https://oneradius.com) to request a demo and see how we are transforming AAA infrastructure for Indian ISPs.