More than almost any other business, internet service providers (ISPs) need to provide their customers with a fast, reliable internet connection to their computer network. Any downtime can be catastrophic to their business operations, and slow connection speeds will drive customers away to other providers. This means that ISPs need to ensure that their network has several levels of redundancy in order to provide stable service at all times.
This article outlines our ISP RADIUS deployment design best practices for enterprise networking. At InkBridge Networks, we have been successfully using these principles for over ten years, with customers who are distributed across the world. These practices have been tested and proven in real-world production environments. They apply to all ISPs, from small to large, though the individual methods can vary depending on the ISP's size and needs.
Small, single site ISPs
In general, small ISPs should prioritize a system design that minimizes IT network management overhead. In practice, this design usually means:
- All the RADIUS functionality is on a single system. Unlike larger networks, there is usually no need to separate the authentication and accounting tasks onto different machines.
- A separate machine to run the database which holds user information and manages IP addresses. Maintaining separate hardware for the RADIUS server and the database helps to ensure that the system is less likely to be overloaded when surges of authentication requests happen.
- Leveraging virtualization as much as possible. We usually recommend putting the RADIUS server and database onto VMs and taking regular snapshots. The archive of snapshots makes it easier to recover from unexpected events or upgrades gone wrong. The cost to “restore from snapshot” is significantly less than the cost to rebuild a machine from scratch!
A well-designed RADIUS implementation enables ISPs to effectively authenticate users seeking to gain access to their network resources. This is essential for maintaining security while providing seamless service to legitimate customers through various access points and Wi-Fi networks.
Scaling for growth
Larger ISPs will likely find this simple network design insufficient for their needs. As the size of the ISP grows, we see several common scenarios, each of which requires a specific design approach. These design blueprints are not mutually exclusive and can be mixed and matched to suit your specific needs and constraints.
Authentication protocols are at the heart of a secure RADIUS implementation. They define how network devices communicate with the RADIUS server, ensuring both security and reliability when customers connect from various access points. A comprehensive authentication, authorization, and accounting system provides the foundation for robust network security.
Multi-site design
ISPs and other enterprises that have geographically dispersed locations usually also need a distributed RADIUS server management system. Our design for a multi-site RADIUS deployment recommends deploying more than one primary database instance for the directory service. This provides much stronger network resilience and more responsive service, and it dramatically reduces the risk of service outages. Different sites can fail over to each other, ensuring that there is no single point of failure in the network. This multi-site design also allows for easy maintenance, as there is little impact to taking part of the network offline for upgrades.
Read more: How to design RADIUS for multi-site networks
Heavy accounting query requirements
Some large ISPs regularly run large and complex accounting and billing queries. When the authentication and accounting functions are served by the same database, the increased load from billing can prevent users from authenticating to the network. The solution is to separate these databases, so that a high load on one does not impact the other.
The separation is essential for reliable network management, allowing the authentication system to operate smoothly even during peak billing periods. For ISPs with thousands of network devices to manage, this optimization can make a significant difference in overall system performance.
Read more: Separating RADIUS Authentication and Accounting functionality
Tracking fraudulent authentication in multiple locations
Some of our larger clients have issues with people fraudulently sharing credentials with friends and family in other locations. A naive “multi-site” design as above will not be able to catch this behavior, which leads to loss of revenue and increased costs. The system design needs to take additional steps in order to prevent this abuse. To support this requirement, without sacrificing performance, the network design should create secondary copies of session databases at each site.
This approach allows the ISP to monitor authentication patterns across its Wi-Fi networks and internet connection points, identifying suspicious access attempts that may indicate credential sharing.
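As an added illustration (not code from the original article or from InkBridge Networks), the following shows the kind of check a site can run at authentication time against its local secondary copy of the session database. It assumes a radacct-style table with the column names below, all constructed for this example, and it deliberately ignores open rows whose last interim update is old, so a lost Accounting-Stop does not lock a legitimate subscriber out at another site.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed layout, loosely modelled on a RADIUS accounting table (not from the article).
SCHEMA = """
CREATE TABLE radacct (
    username       TEXT NOT NULL,
    site           TEXT NOT NULL,
    acctstarttime  TEXT NOT NULL,
    acctupdatetime TEXT NOT NULL,
    acctstoptime   TEXT
)"""

# Constructed sample sessions (not real subscriber data). 'alice' is open at montreal
# with a recent interim update; 'bob' has stopped; 'dave' has an open row at toronto
# whose last update is hours old, i.e. its Accounting-Stop was probably lost.
SAMPLE_SESSIONS = [
    ("alice", "montreal", "2024-05-01 08:00:00", "2024-05-01 08:55:00", None),
    ("bob",   "montreal", "2024-05-01 08:05:00", "2024-05-01 09:00:00", "2024-05-01 09:00:00"),
    ("dave",  "toronto",  "2024-05-01 01:00:00", "2024-05-01 01:05:00", None),
]
NOW = datetime(2024, 5, 1, 9, 0, 0)  # fixed clock so the example is deterministic


def load_sessions(rows):
    """Build an in-memory replica standing in for the per-site copy of the session DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", rows)
    return conn


def active_sessions_elsewhere(conn, username, site, now=NOW,
                              stale_after=timedelta(minutes=15)):
    """Other sites where `username` currently has an open, recently updated session.
    Open rows not updated within `stale_after` are treated as stale and ignored."""
    cutoff = (now - stale_after).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute(
        "SELECT DISTINCT site FROM radacct "
        "WHERE username = ? AND site <> ? AND acctstoptime IS NULL "
        "AND acctupdatetime >= ?",
        (username, site, cutoff))
    return sorted(row[0] for row in cur)


def should_reject(conn, username, site, now=NOW):
    """Policy hook for the authentication path: one active site per credential."""
    return bool(active_sessions_elsewhere(conn, username, site, now))
```

In production the same query would run against the local replica, so the decision does not depend on a round trip to a remote primary.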
Read more: Preventing fraudulent logins across multiple sites
Implementation considerations
When implementing RADIUS solutions for ISPs, it's important to consider how the authentication server will interact with various network devices like routers, switches, and access points. Each device must be properly configured to communicate with the RADIUS server, ensuring that only authorized users can gain access to the network.
For enterprise networking environments, the RADIUS server often needs to integrate with existing identity management systems, adding another layer of complexity to the implementation. Our design approaches account for these integration requirements, ensuring smooth deployment even in complex environments.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
Why you should separate historical data from live data
ISPs and telecoms are often legally required to keep user session data for long periods of time. However, keeping these records can result in enormous database tables which significantly affect the performance of your RADIUS system. This article explores how to optimize database performance so that you can maintain operational efficiency while storing years of user activity data.
Authorized users only: Why use RADIUS and 802.1X to control network access?
Controlling which users and what devices are on your network has become significantly more complex in the current corporate environment. Network administrators must adapt to wireless access, remote working, bring-your-own-device scenarios and cloud computing. Each employee could have multiple devices using different operating systems.