radauth.net Documentation

Technical guides, use cases, and API reference for integrating RADIUS into your network infrastructure.

RADIUS server base URL: app.radauth.net · Auth port: 1812 · Accounting port: 1813
REST API base URL: https://app.radauth.net/api/v1

What is radauth.net?

radauth.net is a cloud-hosted multi-tenant RADIUS server (FreeRADIUS 3). It lets you authenticate network users — WiFi, VPN, PPPoE, 802.1X switches — without installing or maintaining any infrastructure of your own.

Every customer (tenant) operates in complete isolation: their users, NAS devices, groups, and session logs are invisible to all other customers, even though they share the same physical server.

  • Support for PAP, CHAP, MS-CHAP v1/v2, and EAP (PEAP-MSCHAPv2, EAP-TLS)
  • Tenant isolation by NAS IP — no additional FreeRADIUS configuration required
  • REST API with per-tenant Bearer token authentication
  • Web portal for managing users, groups, NAS devices, and reports
  • RFC 2866-compatible accounting (Start, Stop, Interim-Update)

Quickstart — Live in 5 minutes

1. Create your account

Sign up at app.radauth.net/register, choose a plan, and start your 14-day free trial.

2. Register your first NAS device

Go to NAS Devices → Add and fill in:

  • Device IP — the IP address from which RADIUS requests will originate (your AP, router, switch, or BNG)
  • Shared secret — a random string of at least 16 characters
  • Name — a descriptive label (e.g. "Main-Floor-AP")

3. Create a RADIUS user

Go to Users → Create, or use the API:

HTTP
POST https://app.radauth.net/api/v1/users
Authorization: Bearer ra_your_api_key_here
Content-Type: application/json

{
  "username": "john.doe",
  "password": "S3cur3Pass!",
  "group":    "staff"
}

4. Point your AP to the RADIUS server

In your AP or router configuration:

  • RADIUS Server: app.radauth.net
  • Auth Port: 1812
  • Accounting Port: 1813
  • Shared Secret: the secret you defined in step 2

The shared secret is unique per NAS device. Each device you register can have a different secret — this limits the blast radius if one secret is ever compromised.

Key concepts

Tenant

A tenant is an organization or customer within radauth.net. It has its own set of users, groups, NAS devices, and session reports. Isolation is enforced by the source IP of the NAS: every RADIUS request arrives from the IP of an AP, router, or BNG that is registered under a specific tenant.

NAS (Network Access Server)

Any device that sends RADIUS requests to the server: a WiFi AP, an 802.1X switch, a PPPoE router, or a VPN server. It is identified by its IP address and a shared secret.

Realm

A domain suffix appended to the username: user@company.com. The realm is optional — if configured on your tenant, users can authenticate with the suffix, which helps in environments where multiple organizations share the same APs.

Always Accept

A special mode available on the Always Accept plan: the RADIUS server accepts any username/password combination without validating against the database. Accounting still records sessions. Ideal for open hotspots and captive portals where access control is handled by the portal, not RADIUS.

Use case: WiFi WPA Enterprise (802.1X)

WPA Enterprise replaces a shared PSK with per-user credentials. Every employee has their own username and password; when someone leaves, you simply disable their account — no need to change the WiFi password for everyone.

Protocol

radauth.net uses PEAP-MSCHAPv2 (Protected EAP with MS-CHAP version 2). This is the most widely supported method and works out of the box on Windows, macOS, Android, and iOS without any additional software.

Want EAP-TLS (client certificates)? Available on request under the Enterprise plan. Requires issuing and distributing certificates to each device, typically via MDM.

Authentication flow

  1. The device associates to the SSID configured as WPA2/WPA3 Enterprise
  2. The AP sends an EAP-Identity request to the device
  3. The device responds with the username (outer identity)
  4. The AP forwards the RADIUS request to app.radauth.net:1812
  5. FreeRADIUS establishes the TLS tunnel (PEAP) and requests MSCHAPv2 credentials
  6. The server validates against the tenant's database (identified by the AP's IP)
  7. If valid: Access-Accept with the user's group attributes

Server certificate

radauth.net includes an EAP certificate on the server. When connecting for the first time, the device will prompt you to confirm the certificate. You can:

  • Verify the SHA-256 fingerprint available in the portal under WiFi Enterprise
  • Download and install the CA certificate on devices for automatic trust
  • Distribute the CA via MDM (Jamf, Intune, Kandji) for enterprise deployments

Sample configuration — MikroTik AP

RouterOS
# Add RADIUS server
/radius add \
    address=app.radauth.net \
    secret=YourSharedSecret \
    service=wireless \
    authentication-port=1812 \
    accounting-port=1813

# WPA2 Enterprise security profile
# eap-methods=passthrough makes the AP relay the EAP exchange (PEAP) to the RADIUS server
/interface wireless security-profiles add \
    name=wpa-enterprise \
    mode=dynamic-keys \
    authentication-types=wpa2-eap \
    eap-methods=passthrough \
    radius-eap-accounting=yes

# Assign to SSID
/interface wireless set wlan1 \
    ssid="CorpWiFi" \
    security-profile=wpa-enterprise

Use case: Hotspot & Captive Portal

For hotels, cafés, municipalities, and public spaces where access control is required without WPA Enterprise. The captive portal intercepts the browser and prompts for credentials before granting internet access.

Always Accept mode

With the Always Accept plan, radauth.net accepts any credential without validation. This allows:

  • Using the router's built-in captive portal (MikroTik Hotspot, pfSense) as the front-end
  • The portal generates temporary credentials or accepts any input
  • RADIUS records the session in accounting (MAC address, user, bytes, time)
  • No user database required — the router manages access

Credential-based mode

If you need per-user control (vouchers, hotel room accounts, etc.), use any standard plan and create users via API from your reservation system or PMS.

MikroTik — Hotspot RADIUS
/ip hotspot profile set default \
    use-radius=yes

/radius add \
    address=app.radauth.net \
    secret=YourSecret \
    service=hotspot \
    authentication-port=1812 \
    accounting-port=1813

Use case: ISP / WISP — PPPoE RADIUS

Internet service providers use RADIUS to authenticate PPPoE sessions and enforce per-subscriber policies. radauth.net is compatible with any BNG or BRAS that supports standard RADIUS.

PPPoE authentication flow

  1. The CPE (customer router) initiates a PPPoE session with username and password
  2. The BNG (MikroTik, Cisco, Huawei) sends an Access-Request to app.radauth.net:1812
  3. radauth.net validates the credentials and responds with Access-Accept + attributes
  4. Group attributes (speed, IP assignment, session time) are applied to the PPPoE session
  5. Accounting Start/Stop records session start, end, and data transferred

RADIUS attributes for speed control

Define attributes on user groups to automatically apply service policies:

Attributes on group "plan-10mbps" (via portal)
# MikroTik Rate-Limit
Mikrotik-Rate-Limit = 10M/10M

# With burst allowance
Mikrotik-Rate-Limit = 10M/10M 20M/20M 512k/512k 30/30 8

# Maximum session time (seconds)
Session-Timeout = 86400

# Static IP assignment (optional)
Framed-IP-Address = 192.168.100.50

Billing system integration via API

When a subscriber upgrades, downgrades, or is suspended, your billing platform can update their group via API:

HTTP — Update subscriber plan
PUT https://app.radauth.net/api/v1/users/customer001
Authorization: Bearer ra_your_api_key
Content-Type: application/json

{
  "group": "plan-50mbps"
}

# Suspend on non-payment:
PUT https://app.radauth.net/api/v1/users/customer001
Authorization: Bearer ra_your_api_key
Content-Type: application/json

{
  "status": "disabled"
}

Use case: VPN with RADIUS authentication

Centralize VPN authentication so employees use the same credentials as their corporate WiFi. One user directory, unified access logs across all entry points.

OpenVPN + RADIUS plugin

openvpn — /etc/openvpn/radiusplugin.cnf
NAS-Identifier=openvpn-gateway
serviceType=5
radiusServer=app.radauth.net
sharedSecret=YourSecret
authPort=1812
accountingPort=1813
accountingEnabled=true

openvpn — server.conf (excerpt)
# OpenVPN config files have no line continuation: keep the plugin directive on one line
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

pfSense L2TP/IKEv2

In pfSense: System → User Manager → Authentication Servers → Add

  • Type: RADIUS
  • Hostname: app.radauth.net
  • Shared Secret: your secret
  • Services Offered: Authentication and Accounting

Then assign this server in the VPN section (L2TP or IPsec/IKEv2).

Use case: University campus

Typical scenario: 5,000+ students and staff who need WPA Enterprise with institutional credentials, managed from the student information system.

Recommended architecture

  1. The Student Information System (SIS) creates or updates users in radauth.net via API whenever a student enrolls or graduates
  2. Campus APs (Ubiquiti UniFi, Cisco, Aruba) are registered as NAS devices
  3. Students and faculty connect with studentid@university.edu and their institutional password
  4. The realm suffix automatically identifies the tenant
  5. Separate groups for students, faculty, and staff — with different VLAN or bandwidth attributes

Bulk sync via API

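PHP — Sync students from SIS
use Illuminate\Support\Facades\Http;

function syncStudentsToRadauth(array $students): void {
    // Read the API key from the environment (variable name is an example)
    $apiKey = getenv('RADAUTH_API_KEY');

    foreach ($students as $s) {
        // URL-encode the username so special characters cannot alter the path
        $username = rawurlencode((string) $s['id']);

        Http::withToken($apiKey)
            ->put("https://app.radauth.net/api/v1/users/{$username}", [
                'password' => $s['password'],
                'group'    => $s['role'] === 'faculty' ? 'faculty' : 'students',
                'status'   => $s['active'] ? 'active' : 'disabled',
            ])
            ->throw(); // Stop on a 4xx/5xx response instead of silently skipping a student
    }
}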

API reference — Authentication

The API uses Bearer tokens generated from the portal under API Keys → Create. Each token has full read/write access to the tenant that issued it.

HTTP Header
Authorization: Bearer ra_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

API keys have full read/write access to your tenant. Store them as environment variables — never commit them to source code or version control repositories.

API reference — RADIUS users

List users

GET /api/v1/users

Parameter  Type     Description
page       integer  Page number (default: 1). Optional.
per_page   integer  Items per page, max 100 (default: 20). Optional.
group      string   Filter by group name. Optional.

Get a user

GET /api/v1/users/{username}

Create a user

POST /api/v1/users

Field       Type      Description
username    string    Unique username within the tenant. Required.
password    string    Plaintext password (stored hashed). Required.
group       string    Name of an existing RADIUS group. Optional.
status      string    active | disabled (default: active). Optional.
expires_at  datetime  Expiry in ISO 8601, e.g. 2026-12-31T23:59:59Z. Optional.

Response 201 Created
{
  "id":         142,
  "username":   "john.doe",
  "group":      "staff",
  "status":     "active",
  "expires_at": null,
  "created_at": "2026-06-16T10:23:45Z"
}

Update a user

PUT /api/v1/users/{username}

Accepts the same fields as creation. Only the fields you send are updated (partial update).

Delete a user

DELETE /api/v1/users/{username}

Returns 204 No Content on success. Active sessions are not terminated automatically (CoA support available on Enterprise).

API reference — NAS devices

List NAS devices

GET /api/v1/nas

Add a NAS device

POST /api/v1/nas

Field      Type    Description
nasname    string  IP address of the NAS device. Required.
shortname  string  Descriptive name. Required.
secret     string  Shared secret (min. 12 chars). Required.
type       string  NAS type (other, cisco, mikrotik, etc.). Optional.

Update / Delete a NAS

PUT /api/v1/nas/{id}
DELETE /api/v1/nas/{id}

Changing a NAS shared secret requires updating the configuration on the physical device as well. If the secrets don't match, RADIUS requests will be silently rejected.
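
Why a mismatched secret produces silence rather than an error message, shown as an added example (not radauth.net code): the Message-Authenticator attribute is an HMAC-MD5 keyed with the shared secret, and RFC 2869 tells a receiver to silently discard a request whose value does not verify. The secrets, username and password are constructed sample values.

```python
import hashlib
import hmac

USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def build_access_request(user: bytes, password: bytes, secret: bytes,
                         ident: int, authenticator: bytes) -> bytes:
    """Access-Request (code 1) whose last attribute is Message-Authenticator."""
    def attr(kind: int, value: bytes) -> bytes:
        return bytes([kind, len(value) + 2]) + value
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = bytes([1, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs
    # HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 2869 5.14)
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the secret stored for this NAS."""
    pos = 20
    while pos + 2 <= len(packet):
        kind, size = packet[pos], packet[pos + 1]
        if size < 2:
            return False  # malformed attribute
        if kind == MESSAGE_AUTHENTICATOR and size == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += size
    return False


if __name__ == "__main__":
    # Constructed sample values; a real NAS sends 16 random authenticator bytes
    pkt = build_access_request(b"john.doe", b"S3cur3Pass!", b"old-secret", 7, bytes(16))
    print([verify_message_authenticator(pkt, s) for s in (b"old-secret", b"new-secret")])
```

The PAP User-Password attribute is hidden with the same secret, so a server holding a different secret cannot recover the password either.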

Device guide: MikroTik RouterOS

PPPoE + RADIUS (BRAS)

RouterOS CLI
# 1. Configure RADIUS server
/radius add \
    address=app.radauth.net \
    secret=YourSecret \
    service=ppp \
    authentication-port=1812 \
    accounting-port=1813 \
    timeout=3s

# 2. Enable RADIUS on PPPoE server
/ppp aaa set use-radius=yes accounting=yes

# 3. IP pool for PPPoE (if not using Framed-IP-Address)
/ip pool add name=pppoe-pool ranges=10.0.0.1-10.0.0.254

# 4. PPPoE Server
/interface pppoe-server server add \
    service-name=internet \
    interface=ether1 \
    default-profile=pppoe-profile \
    authentication=chap,mschap2

Hotspot + RADIUS

RouterOS CLI
# RADIUS for hotspot
/radius add \
    address=app.radauth.net \
    secret=YourSecret \
    service=hotspot \
    authentication-port=1812 \
    accounting-port=1813

# Enable RADIUS in hotspot profile
/ip hotspot profile set hsprof1 use-radius=yes

# Accept incoming RADIUS requests (Disconnect/CoA) from the server
/radius incoming set accept=yes

Device guide: Ubiquiti UniFi

Configuration is done through the UniFi Network Controller (web UI):

  1. Go to Settings → Profiles → RADIUS → Create New RADIUS Profile
  2. Profile name: radauth-net
  3. Authentication Server: app.radauth.net · Port: 1812 · Password: your shared secret
  4. Enable Accounting: same IP · Port: 1813
  5. Go to Settings → WiFi → edit or create your corporate SSID
  6. Security: WPA2 Enterprise · RADIUS Profile: radauth-net
  7. Save and apply. APs update their configuration automatically.

For per-user VLAN assignment, add the Tunnel-Private-Group-ID attribute to RADIUS groups with the target VLAN ID. UniFi applies it automatically.

Device guide: pfSense / OPNsense

Captive Portal + RADIUS

  1. Go to Services → Captive Portal → add or edit a zone
  2. Under Authentication: select RADIUS Authentication
  3. Primary RADIUS Server: app.radauth.net · Port: 1812 · Shared Key: your secret
  4. Enable RADIUS Accounting → Port: 1813
  5. Save. The portal will automatically redirect to the login page.

VPN L2TP + RADIUS

  1. Go to System → User Manager → Authentication Servers → Add
  2. Type: RADIUS · Hostname: app.radauth.net · Shared Secret: your secret
  3. Save and assign the server under VPN → L2TP (Authentication section)

In OPNsense the flow is identical. The RADIUS server is configured under System → Access → Servers.