Skip to main content
Use this guide when you are setting up a RADIUS workspace for the first time. It follows the same order shown by the empty-state workflow in the app: add a device, create a group, add users, then organize and monitor.

Prerequisites

Before you begin, confirm that:
  • You can sign in to the Altostrat Radius UI at radius.altostrat.app.
  • You have permission to create NAS devices, groups, users, and realms in the workspace.
  • Your network device supports RADIUS or RadSec and can be configured with the values shown in the device detail page.
  • You know the first policy attributes you need to return or check, or you have an existing RADIUS configuration to translate into groups.
  • If you plan to use CoA or PoD, the NAS can accept control messages from the source address shown in the UI.

First Setup

1

Open RADIUS

Go to radius.altostrat.app and select the workspace you want to configure.
2

Add a device

Open Settings and select Devices. Create a NAS device with a device name, type, and optional description.
3

Save device configuration

After the device is created, open its detail page. Use the RadSec configuration values and certificate downloads shown there when configuring the network device.
4

Create a group

Open Settings and select Groups. Create a group for the first reusable access policy, then add check or reply attributes as needed.
5

Add a user

Return to the main RADIUS workspace and add a user. Enter the username, generate or set a password, add an optional display name, choose a folder, and assign groups.
6

Test authentication

Authenticate from the configured NAS device. Open Live View or the relevant user/device dashboard to confirm whether the request was accepted or rejected.

Device Setup Notes

When you add a NAS device, the form supports:
  • Device name or NAS identifier.
  • Device description.
  • Device type: router, switch, access point, VPN gateway, firewall, wireless controller, or other.
  • Auto user registration, optionally tied to a default group.
  • CoA and PoD replies, including NAS IP address, inbound port, and shared secret.
  • Metadata fields for local context.
After saving the device, the detail page exposes RadSec configuration values and downloads for the NAS certificate, client CA certificate, and private key.
Use the values shown in the current device page as the source of truth. The UI currently shows RadSec service values for aaa.altostrat.io, port 2083, and IP addresses 75.2.67.221 and 166.117.188.111.
Use RadSec where the device supports it. RadSec gives each NAS its own mutual-TLS identity, and Altostrat normalizes requests to that registered NAS identity before policy is evaluated.

Group Setup Notes

Groups are where you define reusable RADIUS policy. Add:
  • Check attributes for values evaluated during authentication.
  • Reply attributes for values returned after successful authentication.
  • Metadata when your team needs operational context.
Users can inherit attributes from multiple groups. When you edit a user, the UI shows inherited attributes by group so you can see where an effective policy came from. If you are migrating from an existing FreeRADIUS deployment, start with one group per reusable plan, role, VLAN, rate limit, or access tier. Then recreate attributes through the picker so the operator, input type, and vendor dictionary are validated before you test on a live NAS.

User Setup Notes

When you create a user, the form supports:
  • Username.
  • Optional realm suffix selected through the @ realm picker.
  • Password entry or generated password.
  • Optional display name.
  • Folder selection.
  • Group membership.
  • Custom check and reply attributes.
  • Metadata fields.
The credentials popover on an existing user lets you copy the username and password. The user detail page also lets you edit the user, reset credentials, suspend or enable access, delete the user, and review sessions and logs.

Confirm The First Authentication

Open Live View after the NAS sends a request. Use the filters to narrow the view by status type, user, device, folder, timeframe, or failures only. Healthy first-run signs:
  • The NAS device appears in logs.
  • The username matches the expected user.
  • The status is success or an intentional policy rejection.
  • The user detail page shows the latest session and recent logs.
  • The device dashboard shows requests, success rate, active sessions, and rejects.
If the first request is rejected, start with Troubleshooting before changing multiple objects at once.

Architecture and Scale

Learn how RadSec, policy lookup, metrics, quotas, logs, and imports are designed to scale.

Supported Dictionaries

Review the supported attributes, operators, input types, and validation limits before building broad policy.

CoA and PoD

Configure dynamic authorization when active sessions need manual or quota-triggered disconnects.