What You Manage
Users
Create RADIUS identities, reset credentials, assign groups, place users in folders, suspend access, and review per-user sessions and usage.
Folders
Organize users into nested containers, pin important folders, set priority, move users, merge folders, and manage bulk onboarding.
Groups and Attributes
Define reusable check and reply attributes, then assign those policy sets directly to users or automatically through realms.
Supported Dictionaries
Pick from the Standard, MikroTik, WISPr, Ubiquiti, Cisco, Aruba, Ruckus, Juniper, Microsoft, and System attributes surfaced by the UI.
NAS Devices
Register routers, switches, access points, VPN gateways, firewalls, wireless controllers, and other RADIUS clients.
CoA and PoD
Configure dynamic authorization for manual disconnects, quota-triggered disconnects, and supported session control workflows.
Architecture and Scale
Understand the global RadSec data plane, mTLS device identity, control plane, analytics plane, multi-region storage, and streaming imports.
Limits and Availability
Review feature coverage, retention, availability targets, throughput limits, migration limits, and default account limits.
Realms
Match usernames such as tim@example.com and automatically apply group attributes to users in that realm.
Live Monitoring
Watch authentication volume, failures, active sessions, device logs, and per-user behavior from the Live View and entity dashboards.
App Map
| Area | Route in the RADIUS UI | What it is for |
|---|---|---|
| Main workspace | /radius | Browse folders and users, create identities, create folders, move users, and perform bulk actions. |
| Folder detail | /radius/container/... | Work inside a nested folder while preserving the same folder and user controls. |
| User detail | /radius/users/{id} | Review credentials, status, group membership, inherited attributes, sessions, usage, logs, and metadata. |
| Devices | /radius/nas | Register and manage NAS/RADIUS clients and open per-device dashboards. |
| Groups | /radius/groups | Create policy groups, edit attributes, and manage group members. |
| Realms | /radius/realms | Create realm suffixes and apply groups automatically to matching usernames. |
| Live View | /radius/live | Filter live authentication data by status, user, device, folder, timeframe, and failures. |
| Settings | /radius/settings | Customize labels and manage metadata shortcuts. |
Platform Architecture
Altostrat Radius separates live packet handling from policy management and analytics. The ArcRadius data plane uses global ingress, regional load balancing, RadSec mutual TLS, and horizontally scalable RADIUS workers to process authentication close to the nearest healthy regional deployment. The control plane stores and evaluates users, folders, groups, realms, NAS devices, quotas, metadata, and logs. The analytics plane streams accounting and post-authentication events into time-series storage for dashboards, triggers, search, quotas, and reporting. This separation keeps authentication traffic isolated from operator activity, imports, accounting bursts, and long-running queries.
Architecture and Scale
See how RadSec, mTLS identity, caching, sharding, quotas, metrics, and imports fit together.
Supported Dictionaries
Review the current Standard, MikroTik, WISPr, Ubiquiti, Cisco, Aruba, Ruckus, Juniper, Microsoft, and System attributes.
Limits and Availability
See availability targets, authentication throughput limits, migration ceilings, retention, and object limits.
Recommended Setup Order
Add a NAS device
Start by registering the router, VPN gateway, access point, wireless controller, or other RADIUS client that will send authentication requests.
Create groups
Build groups for the common policies you want to reuse, such as access tiers, device roles, customer plans, or operational exceptions.
Add users
Create users manually or in bulk, generate credentials, assign groups, and place users in folders when you need hierarchy.
Add realms when usernames use domains
Create realms for suffix-based policy, such as example.com, so matching usernames automatically inherit selected group attributes.
Enable dynamic authorization only where needed
Configure CoA and PoD settings on NAS devices when active sessions must be disconnected manually or after quota enforcement.
Terminology
| Term | Meaning in Altostrat Radius |
|---|---|
| User | An account that authenticates to the RADIUS service. The UI can also show a display name from user metadata. |
| Folder | A container for organizing users and nested folders. Your workspace may relabel folders as containers or another local term. |
| Group | A reusable policy object that carries check attributes, reply attributes, metadata, and member users. |
| Check attribute | An attribute used during authentication checks. |
| Reply attribute | An attribute returned after successful authentication. |
| NAS device | A Network Access Server or RADIUS client, such as a router, VPN gateway, access point, switch, firewall, or wireless controller. |
| Realm | A normalized suffix used with usernames such as tim@example.com to apply groups automatically. |
| Metadata | Custom key-value context on users, groups, realms, or NAS devices. |
| RadSec | RADIUS over TLS. Altostrat uses RadSec with mutual TLS for device identity and secure transport. |
| CoA | Change of Authorization, used when a NAS supports changing an active session after login. |
| PoD | Packet of Disconnect, used to terminate an active session through a Disconnect-Request. |
| Dictionary | The supported attribute catalog that drives the attribute picker, validation, operators, and input types. |
The UI lets admins customize labels for users, folders, devices, and groups. If your workspace uses different labels, the workflows are the same even when the nouns differ.
Where To Go Next
Set Up Your First RADIUS Workspace
Follow the first-run path from NAS registration through test authentication.
Organize Users and Folders
Learn how to create users, use folders, bulk add records, and manage user details.
Build Policy Groups
Understand check attributes, reply attributes, inheritance, and quota-aware presence modes.
Configure CoA and PoD
Enable dynamic authorization for manual disconnects, quota-triggered disconnects, and session control.
Monitor Authentication
Use Live View, logs, metrics, sessions, and dashboards for day-two operations.
Plan Capacity
Check availability targets, retention, throughput, migration, and object limits before a rollout.