# RADIUS Overview

> Learn how the Altostrat Radius web UI organizes devices, users, groups, realms, attributes, live logs, and operational settings.

Altostrat Radius is the managed access-control workspace for networks that authenticate users through RADIUS or RadSec. You use it to register the network devices that send authentication requests, create the users who sign in, apply policy through groups and attributes, and monitor authentication outcomes in real time.

Open the RADIUS UI at [radius.altostrat.app](https://radius.altostrat.app). The UI is organized around the same operational objects you manage day to day: folders, users, groups, devices, realms, live logs, and settings.

## What You Manage

<CardGroup cols={2}>
  <Card title="Users" icon="user" href="./containers-and-users">
    Create RADIUS identities, reset credentials, assign groups, place users in folders, suspend access, and review per-user sessions and usage.
  </Card>

  <Card title="Folders" icon="folder-tree" href="./containers-and-users">
    Organize users into nested containers, pin important folders, set priority, move users, merge folders, and manage bulk onboarding.
  </Card>

  <Card title="Groups and Attributes" icon="users" href="./groups-and-attributes">
    Define reusable check and reply attributes, then assign those policy sets directly to users or automatically through realms.
  </Card>

  <Card title="Supported Dictionaries" icon="book-open" href="./supported-dictionaries">
    Pick from the Standard, MikroTik, WISPr, Ubiquiti, Cisco, Aruba, Ruckus, Juniper, Microsoft, and System attributes surfaced by the UI.
  </Card>

  <Card title="NAS Devices" icon="server" href="./nas-devices">
    Register routers, switches, access points, VPN gateways, firewalls, wireless controllers, and other RADIUS clients.
  </Card>

  <Card title="CoA and PoD" icon="plug-zap" href="./coa-and-pod">
    Configure dynamic authorization for manual disconnects, quota-triggered disconnects, and supported session control workflows.
  </Card>

  <Card title="Architecture and Scale" icon="network" href="./architecture">
    Understand the global RadSec data plane, mTLS device identity, control plane, analytics plane, multi-region storage, and streaming imports.
  </Card>

  <Card title="Limits and Availability" icon="gauge" href="./limits-and-availability">
    Review feature coverage, retention, availability targets, throughput limits, migration limits, and default account limits.
  </Card>

  <Card title="Realms" icon="globe" href="./realms">
    Match usernames such as `tim@example.com` and automatically apply group attributes to users in that realm.
  </Card>

  <Card title="Live Monitoring" icon="activity" href="./live-monitoring">
    Watch authentication volume, failures, active sessions, device logs, and per-user behavior from the Live View and entity dashboards.
  </Card>
</CardGroup>

## App Map

| Area           | Route in the RADIUS UI  | What it is for                                                                                           |
| -------------- | ----------------------- | -------------------------------------------------------------------------------------------------------- |
| Main workspace | `/radius`               | Browse folders and users, create identities, create folders, move users, and perform bulk actions.       |
| Folder detail  | `/radius/container/...` | Work inside a nested folder while preserving the same folder and user controls.                          |
| User detail    | `/radius/users/{id}`    | Review credentials, status, group membership, inherited attributes, sessions, usage, logs, and metadata. |
| Devices        | `/radius/nas`           | Register and manage NAS/RADIUS clients and open per-device dashboards.                                   |
| Groups         | `/radius/groups`        | Create policy groups, edit attributes, and manage group members.                                         |
| Realms         | `/radius/realms`        | Create realm suffixes and apply groups automatically to matching usernames.                              |
| Live View      | `/radius/live`          | Filter live authentication data by status, user, device, folder, timeframe, and failures.                |
| Settings       | `/radius/settings`      | Customize labels and manage metadata shortcuts.                                                          |

## Platform Architecture

Altostrat Radius separates live packet handling from policy management and analytics. The ArcRadius data plane uses global ingress, regional load balancing, RadSec mutual TLS, and horizontally scalable RADIUS workers to process authentication at the nearest healthy regional deployment.

The control plane stores and evaluates users, folders, groups, realms, NAS devices, quotas, metadata, and logs. The analytics plane streams accounting and post-authentication events into time-series storage for dashboards, triggers, search, quotas, and reporting. This separation keeps authentication traffic isolated from operator activity, imports, accounting bursts, and long-running queries.

<CardGroup cols={2}>
  <Card title="Architecture and Scale" icon="network" href="./architecture" arrow="true" cta="Read Architecture">
    See how RadSec, mTLS identity, caching, sharding, quotas, metrics, and imports fit together.
  </Card>

  <Card title="Supported Dictionaries" icon="book-open" href="./supported-dictionaries" arrow="true" cta="Open Dictionary">
    Review the current Standard, MikroTik, WISPr, Ubiquiti, Cisco, Aruba, Ruckus, Juniper, Microsoft, and System attributes.
  </Card>

  <Card title="Limits and Availability" icon="gauge" href="./limits-and-availability" arrow="true" cta="Review Limits">
    See availability targets, authentication throughput limits, migration ceilings, retention, and object limits.
  </Card>
</CardGroup>

## Recommended Setup Order

<Steps>
  <Step title="Add a NAS device">
    Start by registering the router, VPN gateway, access point, wireless controller, or other RADIUS client that will send authentication requests.
  </Step>

  <Step title="Create groups">
    Build groups for the common policies you want to reuse, such as access tiers, device roles, customer plans, or operational exceptions.
  </Step>

  <Step title="Add users">
    Create users manually or in bulk, generate credentials, assign groups, and place users in folders when you need hierarchy.
  </Step>

  <Step title="Add realms when usernames use domains">
    Create realms for suffix-based policy, such as `example.com`, so matching usernames automatically inherit selected group attributes.
  </Step>

  <Step title="Enable dynamic authorization only where needed">
    Configure CoA and PoD settings on NAS devices when active sessions must be disconnected manually or after quota enforcement.
  </Step>

  <Step title="Watch live authentication">
    Use Live View and entity dashboards to confirm accepts, rejects, missing attributes, bad passwords, suspended accounts, and active sessions.
  </Step>
</Steps>

## Terminology

| Term            | Meaning in Altostrat Radius                                                                                                      |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| User            | An account that authenticates to the RADIUS service. The UI can also show a display name from user metadata.                     |
| Folder          | A container for organizing users and nested folders. Your workspace may relabel folders as containers or another local term.     |
| Group           | A reusable policy object that carries check attributes, reply attributes, metadata, and member users.                            |
| Check attribute | An attribute used during authentication checks.                                                                                  |
| Reply attribute | An attribute returned after successful authentication.                                                                           |
| NAS device      | A Network Access Server or RADIUS client, such as a router, VPN gateway, access point, switch, firewall, or wireless controller. |
| Realm           | A normalized suffix used with usernames such as `tim@example.com` to apply groups automatically.                                 |
| Metadata        | Custom key-value context on users, groups, realms, or NAS devices.                                                               |
| RadSec          | RADIUS over TLS. Altostrat uses RadSec with mutual TLS for device identity and secure transport.                                 |
| CoA             | Change of Authorization, used when a NAS supports changing an active session after login.                                        |
| PoD             | Packet of Disconnect, used to terminate an active session through a Disconnect-Request.                                          |
| Dictionary      | The supported attribute catalog that drives the attribute picker, validation, operators, and input types.                        |

<Note>
  The UI lets admins customize labels for users, folders, devices, and groups. If your workspace uses different labels, the workflows are the same even when the nouns differ.
</Note>

## Where To Go Next

<CardGroup cols={2}>
  <Card title="Set Up Your First RADIUS Workspace" icon="rocket" href="./getting-started" arrow="true" cta="Start Setup">
    Follow the first-run path from NAS registration through test authentication.
  </Card>

  <Card title="Organize Users and Folders" icon="folder-tree" href="./containers-and-users" arrow="true" cta="Open Guide">
    Learn how to create users, use folders, bulk add records, and manage user details.
  </Card>

  <Card title="Build Policy Groups" icon="users" href="./groups-and-attributes" arrow="true" cta="Read Policy Docs">
    Understand check attributes, reply attributes, inheritance, and quota-aware presence modes.
  </Card>

  <Card title="Configure CoA and PoD" icon="plug-zap" href="./coa-and-pod" arrow="true" cta="Open Controls">
    Enable dynamic authorization for manual disconnects, quota-triggered disconnects, and session control.
  </Card>

  <Card title="Monitor Authentication" icon="activity" href="./live-monitoring" arrow="true" cta="View Operations">
    Use Live View, logs, metrics, sessions, and dashboards for day-two operations.
  </Card>

  <Card title="Plan Capacity" icon="gauge" href="./limits-and-availability" arrow="true" cta="Review Limits">
    Check availability targets, retention, throughput, migration, and object limits before a rollout.
  </Card>
</CardGroup>
