RADIUS (Remote Authentication Dial-In User Service) is the backbone protocol for network authentication, authorization, and accounting (AAA). Whether you are managing Wi-Fi hotspots, ISP subscriber access, VPN authentication, or enterprise network access control, a web-based RADIUS management platform is essential for user provisioning, billing integration, and usage reporting. Commercial RADIUS management suites can cost hundreds of dollars per month — but several open-source platforms provide complete RADIUS management on your own infrastructure.

This guide compares three open-source RADIUS management solutions: daloRadius, FreeRADIUS Manager (commercial with community features), and radman alternatives.

Quick Comparison

FeaturedaloRadiusFreeRADIUS Managerradman / Alternatives
LicenseGPLv2Commercial (Community edition available)GPLv2
GitHub Stars868+N/A (commercial)Various
LanguagePHPPHP/JavaPHP/Python
DatabaseMySQL/MariaDBMySQL/PostgreSQLMySQL/MariaDB
Web UIFull-featured dashboardEnterprise dashboardLightweight UI
Billing EngineIntegratedIntegratedBasic
User ManagementFull CRUD + bulk importFull CRUD + APIBasic CRUD
AccountingDetailed usage reportsAdvanced reportingBasic reporting
Docker SupportOfficial composeCustom buildsCommunity images
Best ForISPs, hotspots, SMBsEnterprise deploymentsSmall networks

daloRadius — The Open-Source RADIUS Standard

daloRadius is the most widely deployed open-source RADIUS management platform, with over 860 GitHub stars. It provides a comprehensive web interface for managing FreeRADIUS deployments, featuring user management, graphical reporting, accounting, and a built-in billing engine.

Key Features

  • User Management: Full CRUD operations for RADIUS users, groups, and hotspot profiles
  • Accounting & Reporting: Visual charts for session duration, data usage, and revenue tracking
  • Billing Engine: Integrated invoicing system with payment tracking for ISP deployments
  • OpenStreetMap Integration: Geolocation mapping for hotspot access points
  • Batch Operations: Bulk user import/export via CSV for large-scale provisioning
  • Multi-Language Support: Translated into 15+ languages

Docker Deployment

daloRadius provides an official Docker Compose configuration that bundles FreeRADIUS, MySQL, phpMyAdmin, and the daloRadius web UI:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

version: "3.8"

services:
  mysql:
    image: mysql:8.0
    container_name: radius-mysql
    environment:
      MYSQL_ROOT_PASSWORD: radius_root_pass
      MYSQL_DATABASE: radius
      MYSQL_USER: radius
      MYSQL_PASSWORD: radius_password
    volumes:
      - mysql_data:/var/lib/mysql
      - ./init-db.sql:/docker-entrypoint-initdb.d/init.sql
    restart: unless-stopped

  daloradius:
    image: lirantal/daloradius:latest
    container_name: daloradius
    ports:
      - "80:80"
    environment:
      DB_HOST: mysql
      DB_PORT: 3306
      DB_USER: radius
      DB_PASS: radius_password
      DB_NAME: radius
    depends_on:
      - mysql
    restart: unless-stopped

  freeradius:
    image: freeradius/freeradius-server:latest
    container_name: freeradius
    ports:
      - "1812:1812/udp"
      - "1813:1813/udp"
    volumes:
      - ./freeradius-configs:/etc/freeradius/3.0
    environment:
      DB_HOST: mysql
      DB_NAME: radius
      DB_USER: radius
      DB_PASS: radius_password
    depends_on:
      - mysql
    restart: unless-stopped

volumes:
  mysql_data:

FreeRADIUS SQL Configuration

To connect FreeRADIUS to the MySQL database used by daloRadius:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

# /etc/freeradius/3.0/mods-enabled/sql
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "mysql"
    port = 3306
    login = "radius"
    password = "radius_password"
    radius_db = "radius"

    read_groups = yes
    read_profiles = yes
    read_clients = yes

    delete_stale_sessions = yes
}

This configuration enables FreeRADIUS to read user credentials, group memberships, and client definitions from the same MySQL database that daloRadius manages through its web interface.

FreeRADIUS Manager — Enterprise RADIUS Administration

FreeRADIUS Manager (by NetworkRADIUS) is the commercial management platform built by the creators of FreeRADIUS itself. While not fully open-source, it offers a community edition with core functionality and provides the most tightly integrated management experience for FreeRADIUS deployments.

Key Features

  • Vendor-Supported: Built and maintained by the FreeRADIUS core development team
  • REST API: Full programmatic access for integration with external systems
  • Advanced Reporting: Custom report builder with scheduled PDF/CSV exports
  • High Availability: Active-active deployment support for enterprise resilience
  • LDAP/AD Integration: Sync user accounts from Active Directory or LDAP directories
  • RADIUS Proxy Management: Configure and monitor RADIUS proxy chains from the web UI

Deployment Considerations

FreeRADIUS Manager is typically deployed as a commercial package, but community-supported Docker images exist. A typical deployment uses:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

version: "3.8"

services:
  radius-manager:
    image: networkradius/radius-manager:latest
    container_name: radius-manager
    ports:
      - "443:443"
    volumes:
      - ./manager-config:/etc/radius-manager
      - ./certs:/etc/radius-manager/certs:ro
    environment:
      DB_HOST: postgres
      DB_NAME: radius_manager
    depends_on:
      - postgres
    restart: unless-stopped

  postgres:
    image: postgres:15
    container_name: radius-manager-db
    environment:
      POSTGRES_PASSWORD: manager_pass
      POSTGRES_DB: radius_manager
    volumes:
      - pg_data:/var/lib/postgresql/data
    restart: unless-stopped

volumes:
  pg_data:

Lightweight RADIUS Management Alternatives

For smaller deployments that do not need the full feature set of daloRadius or FreeRADIUS Manager, several lightweight alternatives exist:

radman

radman is a minimal RADIUS user management tool focused on basic user CRUD operations and simple accounting. It is suitable for small ISPs or organizations with fewer than 1,000 RADIUS users.

Custom FreeRADIUS REST API

FreeRADIUS 3.x includes a built-in REST module (rlm_rest) that allows you to build custom management interfaces. By combining FreeRADIUS with a lightweight web framework (Flask, Express.js), you can create a tailored management portal that fits your exact requirements.

When to Use Each Platform

ScenarioRecommended Platform
ISP with billing requirementsdaloRadius
Enterprise with AD integrationFreeRADIUS Manager
Wi-Fi hotspot managementdaloRadius
Small office/school networkLightweight alternatives
Custom integration needsFreeRADIUS REST API
High-availability deploymentFreeRADIUS Manager

For network access control integration with RADIUS, see our NAC platforms comparison and AAA server guide.

Why Self-Host Your RADIUS Management?

  • Data Ownership: User credentials and accounting data stay on your infrastructure
  • No Per-User Licensing: Open-source platforms scale without per-user fees
  • Custom Billing: daloRadius’s built-in billing engine eliminates third-party payment processors
  • Full Control: Customize authentication flows, group policies, and reporting without vendor restrictions
  • Cost Savings: Self-hosted RADIUS management costs less than $10/month in hosting versus $200–2,000/month for commercial platforms

For captive portal deployments that integrate with RADIUS authentication, our captive portal guide covers hotspot deployment patterns.

Deploying RADIUS in Production: Security Best Practices

When deploying RADIUS management platforms in production, security considerations are paramount. The RADIUS protocol transmits authentication credentials, and misconfigurations can expose sensitive user data.

Shared Secret Management: Every RADIUS client (network access server, switch, or wireless controller) shares a secret key with the RADIUS server. These secrets must be unique per client, rotated regularly, and stored securely. daloRadius stores client secrets in the MySQL database — ensure the database itself is encrypted at rest and accessible only from the RADIUS server.

RADIUS over TLS (RadSec): For RADIUS traffic traversing untrusted networks, deploy RadSec (RFC 6614) to encrypt RADIUS packets over TLS. FreeRADIUS supports RadSec natively. Configure RadSec for communication between your RADIUS proxies and home servers.

Network Segmentation: Place RADIUS servers on a dedicated management VLAN. Restrict access to the RADIUS management web UI to administrative IPs only. The FreeRADIUS daemon itself should only accept connections from known network access servers.

Database Hardening: Both daloRadius and FreeRADIUS Manager store sensitive data in SQL databases. Apply the principle of least privilege — the database user should only have SELECT, INSERT, UPDATE, and DELETE permissions on the RADIUS schema. Never use the root database account for application connections.

Audit Logging: Enable FreeRADIUS detailed logging (detail module) to record every authentication attempt, including success/failure status, NAS identifier, and timestamps. Forward these logs to your centralized log management system for correlation and alerting.

For complementary network security infrastructure, our zero-trust network access guide covers modern alternatives to traditional RADIUS-based access control.

FAQ

What is daloRadius used for?

daloRadius is a web-based management platform for FreeRADIUS servers. It is used by ISPs, hotels, schools, and enterprises to manage RADIUS user accounts, track bandwidth usage, generate billing invoices, and monitor network authentication events through a graphical dashboard.

Do I need FreeRADIUS installed to use daloRadius?

Yes, daloRadius is a management frontend that reads from and writes to the same MySQL/MariaDB database that FreeRADIUS uses for SQL-based authentication. Both components must share the database backend for the system to work.

Can daloRadius handle RADIUS accounting data?

Yes, daloRadius includes full RADIUS accounting support. It tracks session start/stop events, data usage (upload/download bytes), session duration, and generates visual reports. The accounting data is stored in the MySQL database and can be exported for billing purposes.

How many users can daloRadius manage?

daloRadius can handle tens of thousands of RADIUS users efficiently. Performance depends on your MySQL database configuration and server hardware. For deployments exceeding 50,000 users, consider database optimization (indexing, query caching) and potentially migrating to FreeRADIUS Manager for advanced scalability features.

Is daloRadius secure for production use?

daloRadius includes standard web application security features (CSRF tokens, session management, input validation). For production deployments, always run it behind an HTTPS reverse proxy, enforce strong passwords, restrict database access to localhost, and keep both daloRadius and FreeRADIUS updated to the latest versions.

What is the difference between RADIUS authentication and accounting?

RADIUS authentication verifies user credentials (username/password, certificates) and determines whether to grant network access. RADIUS accounting tracks what the user does after authentication — session start/stop times, data transferred, and other usage metrics. daloRadius manages both functions through its web interface.