RADIUS | 13 min read | April 15, 2026

FreeRADIUS + MikroTik for ISPs: Authentication & Accounting Setup

Running an ISP without RADIUS is like running a hotel without a guest register. This guide covers FreeRADIUS installation, MikroTik NAS configuration, Mikrotik-Rate-Limit attributes, CoA disconnect, and how ISPbills automates the entire RADIUS lifecycle.

Why Every ISP Needs RADIUS

RADIUS (Remote Authentication Dial-In User Service) is the industry standard for ISP subscriber management. It handles three critical functions: Authentication (who can connect), Authorisation (what bandwidth they get), and Accounting (usage tracking for billing).

Without RADIUS, you are managing PPP secrets on each router individually. At 100+ subscribers across multiple routers, this becomes an operational nightmare. RADIUS centralises everything into a single database that all your routers query.

Architecture: How RADIUS Fits Your Network

In a RADIUS-enabled ISP, the MikroTik router acts as the NAS (Network Access Server). When a subscriber tries to connect via PPPoE, the router forwards the credentials to the RADIUS server. RADIUS checks the database, returns the authorisation attributes (bandwidth, IP, DNS), and starts accounting.

  • Access-Request — router sends username/password to RADIUS
  • Access-Accept — RADIUS approves with rate-limit attributes
  • Accounting-Start — session begins, logged with timestamp
  • Interim-Update — periodic bandwidth usage reports
  • Accounting-Stop — session ends, total usage recorded
  • CoA/Disconnect — RADIUS can push changes or disconnect users in real-time

Installing FreeRADIUS on Ubuntu/Debian

FreeRADIUS is the most widely deployed RADIUS server. Install it alongside MySQL/MariaDB for the user database.

bash
# Install FreeRADIUS and MySQL module
sudo apt update
sudo apt install -y freeradius freeradius-mysql freeradius-utils

# Enable and start the service
sudo systemctl enable freeradius
sudo systemctl start freeradius

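# Test that it's running (arguments: user, password, server, NAS port, shared secret).
# testing123 is the default secret for the localhost client in clients.conf; change it
# before production. Until a user named "testing" exists the reply is Access-Reject,
# which still confirms the server is answering.
radtest testing password123 127.0.0.1 0 testing123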

Configuring MikroTik as a RADIUS Client

Add your RADIUS server to MikroTik and enable RADIUS authentication for PPP services.

routeros
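# StrongRadiusSecret123 is a placeholder: use a long random secret that matches this router's client entry on the FreeRADIUS server
/radius
add service=ppp,hotspot,login address=10.10.0.5 \
    secret=StrongRadiusSecret123 \
    authentication-port=1812 accounting-port=1813 \
    timeout=3000ms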

/ppp aaa
set use-radius=yes interim-update=5m accounting=yes
set use-circuit-id-in-nas-port-id=yes

The use-circuit-id-in-nas-port-id option passes the interface name where the subscriber connected, useful for identifying physical port locations in OLT/switch deployments.

MikroTik-Specific RADIUS Attributes

MikroTik supports vendor-specific attributes (VSAs) that control bandwidth, address assignment, and more. The most important one is Mikrotik-Rate-Limit.

text
# Format: rx-rate/tx-rate [burst-rx/burst-tx burst-threshold-rx/burst-threshold-tx burst-time]
# Example reply attributes in radcheck/radreply:

Mikrotik-Rate-Limit := "10M/10M 15M/15M 8M/8M 10/10"
Framed-IP-Address := "10.10.1.50"
Framed-Pool := "pool-premium"
Mikrotik-Address-List := "active-subscribers"

The burst parameters allow temporary speed boosts: a 15M burst for downloads until the 8M threshold is reached, then a throttle back to 10M. This gives subscribers a snappy browsing feel while maintaining fair bandwidth allocation.
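A malformed Mikrotik-Rate-Limit string is easiest to catch before it is written to radreply. The following validator is an added example, not code from the article or from ISPbills; it handles only the rate-only and four-field forms given in the format comment above, the function names are hypothetical, and the unit multipliers and the ordering rule are assumptions marked in the comments.

```python
import re

# Assumption: k = 1,000 and M = 1,000,000 bits per second.
_UNITS = {"": 1, "k": 1_000, "M": 1_000_000}

def _rate(tok):
    m = re.fullmatch(r"([0-9]+)([kM]?)", tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def _seconds(tok):
    if not re.fullmatch(r"[0-9]+", tok):
        raise ValueError(f"bad burst time {tok!r}")
    return int(tok)

def _pair(field, conv):
    parts = field.split("/")
    if len(parts) != 2:
        raise ValueError(f"expected rx/tx pair, got {field!r}")
    return conv(parts[0]), conv(parts[1])

def parse_rate_limit(value):
    """Parse the 1-field or 4-field form into integers (bits/s, seconds)."""
    fields = value.split()
    if len(fields) not in (1, 4):
        raise ValueError("expected rate only, or rate + burst + threshold + time")
    out = {"rate": _pair(fields[0], _rate)}
    if len(fields) == 4:
        out["burst"] = _pair(fields[1], _rate)
        out["threshold"] = _pair(fields[2], _rate)
        out["burst_time"] = _pair(fields[3], _seconds)
        # Sanity rule taken from the article's example (8M <= 10M <= 15M);
        # an assumption of this sketch, not a limit RouterOS is known to enforce.
        for i, side in enumerate(("rx", "tx")):
            if not out["threshold"][i] <= out["rate"][i] <= out["burst"][i]:
                raise ValueError(f"{side}: need threshold <= rate <= burst")
    return out

if __name__ == "__main__":
    print(parse_rate_limit("10M/10M 15M/15M 8M/8M 10/10"))
```

Rejecting anything outside this grammar also keeps stray characters from a billing form out of the reply attribute.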

Change of Authorisation (CoA) for Real-Time Control

CoA allows RADIUS to push changes to active sessions without disconnecting the user. This is critical for package upgrades, suspensions, and real-time bandwidth adjustments.

routeros
# Enable CoA on MikroTik (port 3799)
/radius incoming
set accept=yes port=3799

ISPbills uses CoA to instantly apply package changes, suspend overdue accounts, and restore service after payment — all without requiring the subscriber to reconnect.
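Once `/radius incoming` is enabled, the shared secret is the only thing that authenticates a CoA or Disconnect request arriving on port 3799, so the secret should be long and random and the port reachable only from the RADIUS server. The following check is an added example, not code from the article or from ISPbills; it computes the Request Authenticator as RFC 5176 defines it, and the function names, sample user and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43  # RFC 5176 packet codes

def _authenticator(code, ident, attrs, secret):
    # MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def user_name_attr(name):
    data = name.encode()
    return bytes([1, len(data) + 2]) + data  # attribute type 1 = User-Name

def build_request(code, ident, attrs, secret):
    # Builds a sample packet so the verifier below has something to check.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _authenticator(code, ident, attrs, secret) + attrs

def verify_request(packet, secret):
    """True only if the packet is a CoA/Disconnect request signed with `secret`."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = _authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed value
    pkt = build_request(DISCONNECT_REQUEST, 7, user_name_attr("alice"), secret)
    print(verify_request(pkt, secret), verify_request(pkt, b"wrong"))
```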

Session Monitoring and Accounting

With RADIUS accounting enabled, every session is logged with start time, stop time, bytes transferred, and disconnect reason. This data feeds directly into ISPbills for usage reports, bandwidth analytics, and invoice generation.

bash
# Check active sessions in radacct table
mysql -e "SELECT username, nasipaddress, acctstarttime,
  acctinputoctets/1048576 AS upload_mb,
  acctoutputoctets/1048576 AS download_mb
  FROM radacct WHERE acctstoptime IS NULL
  ORDER BY acctstarttime DESC LIMIT 20;" radius
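The same open-session data can be audited for two conditions worth alerting on: one username with several open sessions, and open sessions that have gone quiet for more than two interim-update intervals, which usually means an Accounting-Stop was lost. The following is an added example, not code from the article or from ISPbills; it uses an in-memory SQLite table as a stand-in for MySQL, all rows are constructed, and it assumes the FreeRADIUS 3.x radacct schema with an acctupdatetime column.

```python
import sqlite3

INTERIM_SECONDS = 5 * 60  # interim-update=5m from the /ppp aaa settings

# Constructed rows: (session id, user, NAS IP, start, last update, stop)
SAMPLE_ROWS = [
    ("s1", "alice", "10.10.0.1", "2026-04-15 11:00:00", "2026-04-15 11:58:00", None),
    ("s2", "bob",   "10.10.0.1", "2026-04-15 09:00:00", "2026-04-15 09:35:00", None),
    ("s3", "carol", "10.10.0.1", "2026-04-15 11:30:00", "2026-04-15 11:57:00", None),
    ("s4", "carol", "10.10.0.2", "2026-04-15 11:40:00", "2026-04-15 11:59:00", None),
    ("s5", "dave",  "10.10.0.2", "2026-04-15 08:00:00", "2026-04-15 08:30:00",
     "2026-04-15 08:31:00"),
]

def sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (acctsessionid TEXT, username TEXT, "
               "nasipaddress TEXT, acctstarttime TEXT, acctupdatetime TEXT, "
               "acctstoptime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def audit_open_sessions(db, now):
    """Return (users with >1 open session, open session ids with no recent update)."""
    shared = [r[0] for r in db.execute(
        "SELECT username FROM radacct WHERE acctstoptime IS NULL "
        "GROUP BY username HAVING COUNT(*) > 1 ORDER BY username")]
    stale = [r[0] for r in db.execute(
        "SELECT acctsessionid FROM radacct WHERE acctstoptime IS NULL "
        "AND CAST(strftime('%s', ?) AS INTEGER) "
        "  - CAST(strftime('%s', acctupdatetime) AS INTEGER) > ? "
        "ORDER BY acctsessionid", (now, 2 * INTERIM_SECONDS))]
    return shared, stale

if __name__ == "__main__":
    print(audit_open_sessions(sample_db(), "2026-04-15 12:00:00"))
```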

How ISPbills Manages Your RADIUS Server

ISPbills eliminates the need to manually edit RADIUS database tables. When you manage subscribers through the ISPbills dashboard:

  • New subscriber → ISPbills creates radcheck + radreply entries with correct Mikrotik-Rate-Limit
  • Package change → updates rate-limit attributes and sends CoA to apply immediately
  • Suspension → sets Auth-Type := Reject and sends Disconnect-Request
  • Payment received → restores Auth-Type, sends CoA to reconnect
  • Usage reports → reads radacct data and presents in dashboard with graphs
