WISPGate AAA / RADIUS Engine

Carrier-Grade Authentication, Policy Control & Real-Time Accounting

WISPGate includes a full-featured AAA (Authentication, Authorization, Accounting) and RADIUS engine designed for ISPs, WISPs, FTTx operators, hotspot providers, and enterprise networks. It supports standard RFC-compliant RADIUS libraries while extending functionality through vendor-specific enhancements—particularly for MikroTik environments via direct API integration.
This makes WISPGate not just a RADIUS server, but a real-time policy orchestration engine tightly integrated with billing, CRM, and service control.

AAA Architecture Overview

[Figure: WISPGate AAA RADIUS Architecture]

[Figure: WISPGate Subscriber Authentication Flow]

[Figure: WISPGate Policy Enforcement Architecture]

Authentication Capabilities

WISPGate can authenticate across multiple network environments:

Supported Methods

  • DHCP Authentication
  • PPPoE
  • Static Lease
  • PPP Sessions
  • 802.1X (Dot1X)
  • Hotspot Environments
  • Fiber (OLT environments)
  • Wireless (AP-based NAS)
  • Enterprise LAN

Deployment Environments

  • WISP networks
  • FTTH
  • Campus networks
  • MDU environments
  • Enterprise managed services
  • LTE/Hybrid environments

Authorization Engine

Once authenticated, WISPGate dynamically assigns:

  • Speed limits
  • Data quotas
  • IP pools
  • VLAN profiles
  • Session timeouts
  • Policy rules
  • Vendor-specific attributes

Full Attribute Library

  • Standard RADIUS attributes
  • Vendor-Specific Attributes (VSA)
  • Custom-defined attributes
  • MikroTik Rate-Limit policies
  • CoA (Change of Authorization) support

Operators can define custom RADIUS dictionaries to match specialized hardware.

Accounting & Session Control

The accounting engine tracks:

  • Session start/stop
  • Data usage (upload/download)
  • Online duration
  • Concurrent sessions
  • NAS identification
  • IP address assignment

Accounting data is synchronized with:

  • Billing engine (quota enforcement)
  • CRM subscriber profile
  • Reporting dashboard
  • Fraud detection logic

This ensures real-time financial and operational visibility.

MikroTik Advanced Integration (API-Level Enhancement)

Standard RADIUS deployments are limited to profile-based enforcement.

WISPGate goes further using MikroTik API integration.

Shared Packages

Standard RADIUS logic:

  • One subscriber → one dedicated quota.

WISPGate Enhancement:

  • Multiple users share a single data pool.

Example:

Family Plan 200GB:

  • 4 users share a total of 200GB.
  • Once the pool is exhausted → group policy is applied.

Useful for:

  • Corporate shared plans
  • Family packages
  • Community WiFi
  • Dormitories

Bundled Packages (Time-Based Policy Profiles)

Allows dynamic switching of bandwidth/data limits based on time schedules.

Time Window      Speed Limit
08:00–18:00      10 Mbps
18:00–00:00      50 Mbps
Weekend          Unlimited

This allows:

  • Day/Night shaping
  • Weekend bonus speeds
  • Business-hour prioritization
  • Fair usage enforcement

Policy switching occurs automatically based on scheduler rules.

Static Mode (Manual Override Control)

Static Mode allows administrators to temporarily override bandwidth policies manually.

Example Scenarios:

  • Regional outage → remove shaping restrictions.
  • Disaster recovery → grant temporary unlimited speed.
  • VIP customer issue → immediate manual override.
  • Network congestion testing → static shaping enforcement.

Unlike automated policies, Static Mode is direct and immediate—ideal for operational control during emergencies.

Dynamic Control Flow

Real-Time Enforcement Logic

User Connects
   │
Authentication Check
   │
Subscriber Status Valid?
   │
Yes → Assign Policy Profile
   │
Check Special Conditions:
   │
   ├── Dedicated Package?
   ├── Shared Package?
   ├── Bundled Schedule?
   ├── Static Mode Active?
   │
Apply Final Policy
   │
Session Accounting Started
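
The flow above, sketched as an added example (not WISPGate's own code): a resolver that applies the page's time-window table, the 200GB family pool and a time-boxed Static Mode override. The precedence (Static Mode, then pool exhaustion, then schedule), the symmetric "rx/tx" rate strings, BASE_RATE, RESTRICTED_RATE and all field names are assumptions; the page does not specify them.

```python
from datetime import datetime

GB = 10**9
# Constructed data mirroring the page's examples; every name here is hypothetical.
SCHEDULE = [(8 * 60, 18 * 60, "10M/10M"),    # 08:00-18:00, minutes since midnight
            (18 * 60, 24 * 60, "50M/50M")]   # 18:00-00:00
BASE_RATE = "5M/5M"        # assumed rate for 00:00-08:00, which the table leaves open
RESTRICTED_RATE = "1M/1M"  # assumed "group policy" once a shared pool is exhausted
POOLS = {"family-200": {"cap_bytes": 200 * GB, "used_bytes": {
    "u1": 80 * GB, "u2": 70 * GB, "u3": 30 * GB, "u4": 25 * GB}}}
OVERRIDES = {"region-a": {"start": datetime(2024, 1, 10, 9, 0),
                          "end": datetime(2024, 1, 10, 15, 0), "rate": None}}


def resolve_rate(sub, now, pools=POOLS, overrides=OVERRIDES):
    """Return (decision, rate); rate None means no rate limit is sent (unshaped)."""
    if sub["status"] != "active":
        return ("reject", None)  # billing suspension blocks access outright
    # Static Mode: manual override for a NAS group, honoured only inside its
    # window, so an override nobody revokes still lapses on its own.
    ov = overrides.get(sub["nas_group"])
    if ov and ov["start"] <= now < ov["end"]:
        return ("accept", ov["rate"])
    # Shared package: all members' accounted usage draws down one pool.
    pool = pools.get(sub.get("pool"))
    if pool and sum(pool["used_bytes"].values()) >= pool["cap_bytes"]:
        return ("accept", RESTRICTED_RATE)
    # Bundled package: weekend first, then the weekday time windows.
    if now.weekday() >= 5:
        return ("accept", None)
    minute = now.hour * 60 + now.minute
    for start, end, rate in SCHEDULE:
        if start <= minute < end:
            return ("accept", rate)
    return ("accept", BASE_RATE)


if __name__ == "__main__":
    member = {"status": "active", "nas_group": "region-a", "pool": "family-200"}
    solo = {"status": "active", "nas_group": "region-b", "pool": None}
    for who, when in [(solo, datetime(2024, 1, 10, 10, 0)),
                      (solo, datetime(2024, 1, 10, 3, 0)),
                      (member, datetime(2024, 1, 10, 10, 0)),
                      (member, datetime(2024, 1, 10, 15, 0))]:
        print(when, resolve_rate(who, when))
```

The override window is half-open, so at its end timestamp the exhausted-pool member drops back to the restricted rate without any operator action.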
                    

Integration with Billing & CRM

AAA does not operate in isolation.

Cross-Module Synchronization

  • Subscription activation → instantly enables authentication.
  • Billing suspension → automatically blocks access.
  • Installment completion → updates policy eligibility.
  • Overdue invoice → triggers restriction profile.
  • CRM note → visible during policy override.

This removes manual router configuration and human error.

Use Case Scenarios

Scenario 1: MDU Deployment

  • Subscriber: GreenTower Apartments
  • Apt 101 → PPPoE Authentication
  • Apt 102 → DHCP Authentication
  • Office → Static IP + 802.1X
  • All controlled from the same AAA engine with independent policy rules.

Scenario 2: Enterprise Shared Quota

Company: TechCorp Ltd.

  • 25 employees
  • 500GB shared pool
  • Weekend unlimited policy

WISPGate handles:

  • Shared usage tracking
  • Time-based policy switching
  • Real-time accounting

Scenario 3: Disaster Mode Activation

Fiber cut in Region A.

Admin activates:

  • Static Mode for affected NAS group.
  • Temporary unlimited bandwidth
  • No shaping
  • Controlled timeframe

Once the issue is resolved, normal policies are restored automatically.

Technical Strengths

  • ✔ Vendor-agnostic NAS support
  • ✔ Full RFC-compliant RADIUS
  • ✔ Custom attribute support
  • ✔ MikroTik API-level enhancements
  • ✔ Real-time CoA enforcement
  • ✔ Shared quota pools
  • ✔ Time-based policy bundles
  • ✔ Manual static overrides
  • ✔ Integrated billing synchronization
  • ✔ Scalable architecture (multi-NAS / multi-region)

Strategic Advantage

Most systems provide basic RADIUS authentication.

WISPGate provides:

  • Policy intelligence
  • Revenue protection
  • Emergency operational control
  • Advanced quota logic
  • Vendor-specific optimization
  • Cross-module automation

This transforms AAA from a simple authentication layer into a policy orchestration and revenue enforcement engine tightly coupled with billing and service lifecycle management.