2025 · ISP / Telecom · Architecture, engineering and delivery

Ultimate Radius

Carrier-grade AAA and RADIUS at scale

A high-performance AAA platform — authentication, authorization, accounting and billing — for ISPs, enterprise Wi-Fi and hospitality. Real-time quota enforcement, multi-tenant billing, and roughly 100k concurrent users on a single server.

Screenshot: Ultimate Radius operator console showing 27,264 users online across 132 active servers, live traffic at 12.1 Gbps, busiest servers and top authentications.

The problem

Internet providers, Wi-Fi operators and hotels need authentication, accounting and billing that holds up at carrier scale — tens of thousands of simultaneous sessions, accurate volume metering, and instant cut-off when a subscriber runs out of quota. Legacy RADIUS managers buckle under that load: interpreted engines pin the CPU, quota is reconciled too slowly to matter, and multi-tenant billing is bolted on after the fact.

Our approach

  • 01

    Split the RADIUS hot path: the wire protocol is handled by a battle-tested C core while every authorization decision is delegated to a concurrent Go service, so auth and accounting sustain roughly 100k concurrent users on a single server with headroom to spare.

  • 02

    Built a CoA agent for real-time control — RFC 5176 Change-of-Authorization and Disconnect messages drop or re-rate live sessions the instant a subscriber goes over quota, expires, or is suspended, instead of waiting for the next reconnect.

  • 03

    Engineered a quota-management engine: byte-accurate volume quotas (64-bit, gigaword-safe), time and expiry rules, simultaneous-use limits and flexible reset cycles — with live counters in Redis as a single source of truth shared across every node.

  • 04

    Layered a multi-tenant SaaS on top: resellers with a prepaid credit ledger, packages, payment gateways (including crypto), and a self-service subscriber panel in multiple languages with full RTL support.

  • 05

    Designed for scale and on-prem trust: stateless services behind shared Redis and PostgreSQL, region-sharded deployments, and offline signature-verified licensing so the auth path never depends on a license server.
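
The "64-bit, gigaword-safe" volume counting from step 03, as an added Go example (not Ultimate Radius code; `SessionBytes`, `OverQuota` and the sample bytes are constructed here). It reads the RFC 2866 Octets and RFC 2869 Gigawords attributes from raw accounting TLVs, so a session past 4 GiB is not mistaken for one that has just started.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const inOctets, outOctets, inGigawords, outGigawords = 42, 43, 52, 53 // RFC 2866, RFC 2869

// SessionBytes walks the attribute TLVs of an Accounting-Request and returns
// input+output volume; a Gigawords value counts wraps of its 32-bit Octets counter.
func SessionBytes(attrs []byte) (uint64, error) {
	var total uint64
	for len(attrs) > 0 {
		// Each attribute is type(1) | length(1) | value; length covers all three.
		if len(attrs) < 2 || attrs[1] < 2 || int(attrs[1]) > len(attrs) {
			return 0, fmt.Errorf("malformed attribute")
		}
		typ, val := attrs[0], attrs[2:attrs[1]]
		attrs = attrs[attrs[1]:]
		switch typ {
		case inOctets, outOctets, inGigawords, outGigawords:
			if len(val) != 4 {
				return 0, fmt.Errorf("counter attribute must be 4 octets")
			}
			n := uint64(binary.BigEndian.Uint32(val))
			if typ == inGigawords || typ == outGigawords {
				n <<= 32 // one gigaword = 2^32 bytes
			}
			if total += n; total < n { // reject a sum that wraps past 2^64
				return 0, fmt.Errorf("volume counter overflow")
			}
		}
	}
	return total, nil
}

// OverQuota reports whether the session has consumed its byte quota.
func OverQuota(attrs []byte, quota uint64) (bool, error) {
	used, err := SessionBytes(attrs)
	return err == nil && used >= quota, err
}

func main() {
	// Constructed sample: 1 input gigaword, 100 input octets, 50 output octets.
	attrs := []byte{52, 6, 0, 0, 0, 1, 42, 6, 0, 0, 0, 100, 43, 6, 0, 0, 0, 50}
	fmt.Println(SessionBytes(attrs))
}
```

A meter that read only the Octets attributes would report 150 bytes for this sample and never trip a 4 GiB quota.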

Outcomes

  • ~100K concurrent

    Bulletproof on a single server, with headroom to shard horizontally across regions.

  • Instant cut-off

    Over-quota and expired sessions dropped in real time via the RFC 5176 CoA agent.

  • Multi-tenant

    Resellers, prepaid credit ledger and self-service billing built in from day one.
