# Getting Started with RADIUS

> Configure your first RADIUS device, group, user, and test authentication from the Altostrat Radius UI.

Use this guide when you are setting up a RADIUS workspace for the first time. It follows the same order shown by the empty-state workflow in the app: add a device, create a group, add users, then organize and monitor.

## Prerequisites

Before you begin, confirm that:

* You can sign in to the Altostrat Radius UI at [radius.altostrat.app](https://radius.altostrat.app).
* You have permission to create NAS devices, groups, users, and realms in the workspace.
* Your network device supports RADIUS or RadSec and can be configured with the values shown in the device detail page.
* You know the first policy attributes you need to return or check, or you have an existing RADIUS configuration to translate into groups.
* If you plan to use CoA or PoD, the NAS can accept control messages from the source address shown in the UI.

## First Setup

<Steps>
  <Step title="Open RADIUS">
    Go to [radius.altostrat.app](https://radius.altostrat.app) and select the workspace you want to configure.
  </Step>

  <Step title="Add a device">
    Open **Settings** and select **Devices**. Create a NAS device with a device name, type, and optional description.
  </Step>

  <Step title="Save device configuration">
    After the device is created, open its detail page. Use the RadSec configuration values and certificate downloads shown there when configuring the network device.
  </Step>

  <Step title="Create a group">
    Open **Settings** and select **Groups**. Create a group for the first reusable access policy, then add check or reply attributes as needed.
  </Step>

  <Step title="Add a user">
    Return to the main RADIUS workspace and add a user. Enter the username, generate or set a password, add an optional display name, choose a folder, and assign groups.
  </Step>

  <Step title="Test authentication">
    Authenticate from the configured NAS device. Open **Live View** or the relevant user/device dashboard to confirm whether the request was accepted or rejected.
  </Step>
</Steps>

## Device Setup Notes

When you add a NAS device, the form supports:

* Device name or NAS identifier.
* Device description.
* Device type: router, switch, access point, VPN gateway, firewall, wireless controller, or other.
* Auto user registration, optionally tied to a default group.
* CoA and PoD replies, including NAS IP address, inbound port, and shared secret.
* Metadata fields for local context.

After saving the device, the detail page exposes RadSec configuration values and downloads for the NAS certificate, client CA certificate, and private key.

<Tip>
  Use the values shown in the current device page as the source of truth. The UI currently shows RadSec service values for `aaa.altostrat.io`, port `2083`, and IP addresses `75.2.67.221` and `166.117.188.111`.
</Tip>

Use RadSec where the device supports it. RadSec gives each NAS its own mutual-TLS identity, and Altostrat normalizes requests to that registered NAS identity before policy is evaluated.
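A pre-flight check for the RadSec values above, run from an admin workstation before you configure the NAS. This is an added example, not Altostrat's code. The certificate file names are hypothetical, and trusting the downloaded CA for server verification is an assumption.

```python
import socket
import ssl
import sys

# Values quoted in the Tip above; the device detail page is the source of truth.
RADSEC_HOST = "aaa.altostrat.io"
RADSEC_PORT = 2083
DOCUMENTED_IPS = {"75.2.67.221", "166.117.188.111"}


def unexpected_addresses(resolved, documented=DOCUMENTED_IPS):
    """Return resolved addresses that are not in the documented set."""
    return sorted(set(resolved) - set(documented))


def resolve_ipv4(host, port):
    """Resolve the service name to its IPv4 addresses."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def build_context(cert_file, key_file, ca_file):
    """Mutual-TLS client context. load_cert_chain raises ssl.SSLError when the
    private key does not belong to the certificate."""
    # Starts from the system trust store, with hostname checking enabled.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    # Assumption: the downloaded CA may also be the server certificate's issuer.
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def probe(ctx, host=RADSEC_HOST, port=RADSEC_PORT, timeout=5.0):
    """Complete a TLS handshake and return (protocol version, peer subject)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    # Hypothetical usage: python radsec_preflight.py nas.crt nas.key ca.crt
    cert, key, ca = sys.argv[1:4]
    extra = unexpected_addresses(resolve_ipv4(RADSEC_HOST, RADSEC_PORT))
    if extra:
        sys.exit(f"DNS returned addresses not listed in the docs: {extra}")
    print(probe(build_context(cert, key, ca)))
```

With TLS 1.3 the client side of the handshake can complete before the server has evaluated the client certificate, so treat a successful probe as a reachability and key-pairing check, and confirm real authentication from the NAS in **Live View**.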

## Group Setup Notes

Groups are where you define reusable RADIUS policy. Add:

* Check attributes for values evaluated during authentication.
* Reply attributes for values returned after successful authentication.
* Metadata when your team needs operational context.

Users can inherit attributes from multiple groups. When you edit a user, the UI shows inherited attributes by group so you can see where an effective policy came from.

If you are migrating from an existing FreeRADIUS deployment, start with one group per reusable plan, role, VLAN, rate limit, or access tier. Then recreate attributes through the picker so the operator, input type, and vendor dictionary are validated before you test on a live NAS.

## User Setup Notes

When you create a user, the form supports:

* Username.
* Optional realm suffix selected through the `@` realm picker.
* Password entry or generated password.
* Optional display name.
* Folder selection.
* Group membership.
* Custom check and reply attributes.
* Metadata fields.

The credentials popover on an existing user lets you copy the username and password. The user detail page also lets you edit the user, reset credentials, suspend or enable access, delete the user, and review sessions and logs.

## Confirm The First Authentication

Open **Live View** after the NAS sends a request. Use the filters to narrow the view by status type, user, device, folder, timeframe, or failures only.

Healthy first-run signs:

* The NAS device appears in logs.
* The username matches the expected user.
* The status is success or an intentional policy rejection.
* The user detail page shows the latest session and recent logs.
* The device dashboard shows requests, success rate, active sessions, and rejects.

If the first request is rejected, start with [Troubleshooting](./troubleshooting) before changing multiple objects at once.

## What To Read Next

<CardGroup cols={2}>
  <Card title="Architecture and Scale" icon="network" href="./architecture" arrow="true">
    Learn how RadSec, policy lookup, metrics, quotas, logs, and imports are designed to scale.
  </Card>

  <Card title="Supported Dictionaries" icon="book-open" href="./supported-dictionaries" arrow="true">
    Review the supported attributes, operators, input types, and validation limits before building broad policy.
  </Card>

  <Card title="CoA and PoD" icon="plug-zap" href="./coa-and-pod" arrow="true">
    Configure dynamic authorization when active sessions need manual or quota-triggered disconnects.
  </Card>
</CardGroup>
