Use this page to plan capacity, onboarding, and operational expectations for Altostrat Radius. The limits below are default account limits. Where a row is marked adjustable, contact Altostrat before you design around the higher value.
This page covers feature coverage, availability, retention, and operational limits.
Feature Coverage
| Capability | Support | Notes |
|---|
| RadSec TLS | Supported | Use RadSec for encrypted RADIUS transport and NAS identity. |
| EAP-PEAP | Supported | Used for Wi-Fi and 802.1X environments where the NAS and client stack support it. |
| EAP-TTLS | Supported | Used for tunneled EAP deployments. |
| PAP, CHAP, MS-CHAP, and MS-CHAPv2 | Supported | Common for broadband, VPN, PPP, and access-network devices. |
| External identity providers for EAP | Supported | Examples include Microsoft Azure, Google Workspace, and Okta. |
| Custom attributes | Supported | Attribute names, operators, and value types must pass validation. |
| Webhook events | Supported | Use events for external automation and operational workflows. |
| Full-text search | Supported | Search is designed for operational lookup across RADIUS data. |
| Authentication logs | Supported | Retained for 12 months. |
| Accounting data storage | Supported | Retained for 12 months. |
| Accounting triggers | Supported | Use triggers for usage-based actions, such as taking action after a monthly usage threshold. |
| Management interface | Web based | Operators manage users, groups, NAS devices, realms, logs, and settings through the web UI. |
| REST API integration | Supported | Use the API for provisioning and external systems integration. |
| Altostrat Workflows integration | Supported | Use workflows to automate follow-up actions from RADIUS events. |
Security And Data Protection
| Control | Coverage |
|---|
| Encryption in transit | Supported. |
| Encryption at rest | Supported. |
| Point-in-time recovery | Per-second recovery granularity for 15 days. |
| DDoS protection | Supported. |
Availability Targets
| Target | Value | Notes |
|---|
| RADIUS availability guarantee | 99.999% | SLA-backed. |
| Data durability | 99.999999999% | 11 nines, SLA-backed. |
| Service IP availability | 99.99% per IP | SLA-backed. |
| Authentication time | At most 80 ms | Target authentication processing time. |
| Service IP addresses | 2 | Exposed for service reachability. |
| Availability Zones per region | 3 | Each always-on region uses multiple AZs. |
| AZ failover | Yes | Designed to fail over within milliseconds. |
| Always-on regions | 3 | Virginia, Sydney, and Cape Town. |
| Regional failover | Yes | Designed to fail over within minutes. |
| Limit | Default | Adjustable |
|---|
| Maximum concurrent authentication attempts per NAS device | 1,000 per second | No |
| Maximum concurrent authentication attempts per workspace | 12,000 per second | No |
| Minimum accounting data frequency | 300 seconds | No |
| Management API rate limit | 600 requests per minute | Yes |
Migration Limits
Migration limits apply individually to customer records, RADIUS accounts, attribute groups, and NAS devices.
| Limit | Default | Adjustable |
|---|
| CSV import size | 500 MB | No |
Customer Record Limits
| Limit | Default | Adjustable |
|---|
| Customer records | 500,000 | Yes |
| Metadata pairs per customer record | 20 | No |
| Tags per customer record | 10 | No |
| RADIUS accounts per customer record | 25,000 | Yes |
RADIUS Account Limits
| Limit | Default | Adjustable |
|---|
| RADIUS accounts | 1,000,000 | Yes |
| Attribute groups per RADIUS account | 5 | No |
| Check attributes per RADIUS account | 5 | No |
| Reply attributes per RADIUS account | 10 | No |
| Metadata pairs per RADIUS account | 20 | No |
| Tags per RADIUS account | 10 | No |
NAS Device Limits
| Limit | Default | Adjustable |
|---|
| NAS devices | 25,000 | Yes |
| Metadata pairs per NAS device | 20 | No |
Attribute Group Limits
| Limit | Default | Adjustable |
|---|
| Attribute groups | 15,000 | Yes |
| Check attributes per group | 15 | No |
| Reply attributes per group | 25 | No |
| RADIUS accounts in an attribute group | 1,000,000 | Yes |
| Metadata pairs per attribute group | 20 | No |
| Tags per attribute group | 10 | No |
Design Guidance
- Use groups for reusable policy so account-level attributes stay small and easy to reason about.
- Keep metadata focused on operational lookup fields; avoid storing secrets in metadata.
- Use tags for coarse filtering, ownership, and lifecycle state rather than high-cardinality data.
- Keep accounting interim updates at or above the supported minimum interval when usage, sessions, quotas, and triggers depend on accounting.
- Ask Altostrat about adjustable limits before a migration, reseller model, or large customer deployment depends on higher ceilings.
