InkBridge Networks - A new name for Network RADIUS

Separating Authentication from your RADIUS Accounting server

When to split these critical functions and why it matters

Many ISP networks and enterprise environments handle both Authentication and Accounting functions through the same RADIUS servers and databases. While this configuration works well for small and low-load systems, there are compelling reasons to separate these critical network security functions. Implementing dedicated RADIUS Authentication servers and RADIUS Accounting servers can dramatically increase performance, enhance security, and improve scalability of your network infrastructure.

Why authentication speed matters for network security

ISP customers and network users expect immediate and reliable access to network resources. To provide a good customer experience, the Authentication and Authorization functions have to answer credential checks and access requests promptly, every time.

However, when accounting queries (used for monthly billing statements or compliance reporting) compete with authentication requests for the same database, CPU and disk I/O, the whole system slows down, and both the user experience and security suffer.

Authentication delays also have a security cost. A NAS that does not receive an Access-Accept or Access-Reject in time retransmits the request, so an overloaded server sees a mix of genuine requests and duplicates, and patterns of suspicious or repeated login failures become harder to pick out of the logs. Slow authentication also frustrates users, and frustrated remote users look for workarounds that bypass security controls.

The strategic solution: dedicated RADIUS servers

The best solution is to segment the network at the RADIUS protocol level by splitting functionality between dedicated servers. We recommend that ISPs deploy at least two separate RADIUS servers at each site, with a clear division of responsibilities between them:

  • Dedicated Authentication and Authorization RADIUS server that handles all user credential verification and grants access to network resources
  • Dedicated Accounting RADIUS server that processes all accounting data, session tracking, and reporting functions

The following diagram illustrates how this could work for multiple sites.

Figure: Separate RADIUS Accounting servers and Authentication servers. Each of the four sites has its own dedicated RADIUS Accounting server and Authentication server.

This design has the following characteristics:

  • Each location maintains dedicated RADIUS servers to handle Accounting and Authentication functions separately.
  • Authentication servers communicate primarily with the secondary instance of the Directory Service at their location.
  • Any traffic related to updating or reporting on accounting is directed to the RADIUS Accounting server.
  • Accounting servers communicate primarily with the Session Database at their location, keeping sensitive data properly segregated.

(This system of separate RADIUS servers also works well for preventing fraudulent logins.)

By separating the responsibilities of each server, the design ensures that the system responding to Authentication requests is unaffected by any Accounting-related traffic. Each server holds only the data its function needs (credentials on the authentication side, session records on the accounting side), so a security issue or outage on one side does not take down the whole authentication system.

The key benefits of separated authentication and accounting functions

The reason this split works well is that the RADIUS protocol provides for retransmission of Accounting traffic. If the Accounting server is busy, the NAS simply resends the packets until it gets a response. Each retransmission carries an updated Acct-Delay-Time attribute (the number of seconds the NAS has been trying to deliver that record), so the accounting server can still work out when the event actually happened. These retransmissions continue whether or not the remote users are still online, and they can go on for many minutes or, if necessary, hours.
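To make the protocol argument concrete, here is an added example in Python (it is not InkBridge's code and not a FreeRADIUS configuration). It models the two points made on this page: dispatch on the RADIUS packet Code so that Access-Requests and Accounting-Requests go to different servers, and the RFC 2866 accounting retransmission, in which a NAS that gets no reply from a busy accounting server resends the record with an updated Acct-Delay-Time until it is acknowledged. The server addresses, the shared secret and the "busy" accounting server are assumptions constructed for the example.

```python
"""Model of the auth/accounting split at the RADIUS protocol level (added example).

Addresses, secret and the BusyAcctServer stand-in are assumptions, not real infrastructure.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 1, 40, 41, 44
ACCT_STOP = 2

# Assumed addresses of the two dedicated servers at one site.
AUTH_SERVER = ("192.0.2.10", 1812)
ACCT_SERVER = ("192.0.2.11", 1813)


def encode_attrs(attrs):
    """Type-Length-Value encoding; ints become 4-octet network-order integers."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(ident, attrs):
    # RFC 2865 s3: the Access-Request authenticator is a fresh random value.
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)


def accounting_request(ident, attrs, secret):
    # RFC 2866 s3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    raw = build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return raw[:4] + hashlib.md5(raw + secret).digest() + raw[20:]


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865/2866 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def verify_response(response, request, secret):
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], decode_attrs(response[20:]), secret)
    return hmac.compare_digest(expected, response[4:20])


def route(packet):
    """The split described on this page: dispatch on the RADIUS Code alone."""
    code = packet[0]
    if code == ACCESS_REQUEST:
        return AUTH_SERVER
    if code == ACCOUNTING_REQUEST:
        return ACCT_SERVER
    raise ValueError(f"unexpected RADIUS code {code}")


class BusyAcctServer:
    """Constructed stand-in: drops the first `drops` requests, then answers."""

    def __init__(self, secret, drops):
        self.secret, self.drops, self.seen_delays = secret, drops, []

    def handle(self, request):
        if self.drops > 0:
            self.drops -= 1
            return None  # no reply: the NAS times out and retransmits
        attrs = decode_attrs(request[20:])
        delay = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ACCT_DELAY_TIME), 0)
        self.seen_delays.append(delay)  # true event time = receive time - delay
        auth = response_authenticator(ACCOUNTING_RESPONSE, request[1], request[4:20], [], self.secret)
        return build_packet(ACCOUNTING_RESPONSE, request[1], auth, [])


def send_accounting(server, secret, attrs, timeout=5, max_tries=12):
    """NAS behaviour per RFC 2866: retransmit until a valid reply arrives. Each retry
    carries an updated Acct-Delay-Time; because the attributes changed, the Identifier
    (and therefore the Request Authenticator) must change as well."""
    for attempt in range(max_tries):
        delay = attempt * timeout
        ident = (100 + attempt) % 256
        request = accounting_request(ident, attrs + [(ACCT_DELAY_TIME, delay)], secret)
        reply = server.handle(request)
        if reply is not None and verify_response(reply, request, secret):
            return attempt + 1, delay  # (attempts needed, Acct-Delay-Time acknowledged)
    return None  # the model gives up after max_tries; real NASes queue records for hours
```

With the constructed server dropping three requests, a Stop record is acknowledged on the fourth try carrying Acct-Delay-Time = 15, and the accounting server recovers the true event time by subtracting that delay from its receive time; the authentication path is never involved, because `route()` never sends an Access-Request to the accounting server. In a real deployment the same split is expressed in the NAS configuration (separate authentication-server and accounting-server entries with different addresses) and in the RADIUS server configuration (one instance listening only for authentication, the other only for accounting).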

In contrast, Authentication traffic is much more time-sensitive. While the RADIUS network protocol does provide for retransmitting Authentication traffic, users are much less forgiving. When users fail to get authenticated quickly, they are unhappy and likely to complain or change providers.

Fortunately, this problem can be avoided by a careful design of the AAA network.

More about ISP RADIUS design best practices


RADIUS design for internet service providers
How to design RADIUS for multi-site networks
Preventing fraudulent logins across multiple sites

Need more help?


InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here

Related Articles

Why you should separate historical data from live data

ISPs and telecoms are often legally required to keep user accounting data for long periods of time. However, keeping these records can result in enormous databases which then affect the performance of your RADIUS system. There are ways of optimizing the database so that you can keep high performance while maintaining years of accounting data.

How Authentication Protocols Work

Choosing an authentication protocol is one of the most important decisions when designing a RADIUS ecosystem.

There are a variety of authentication protocols to choose from, each with their own set of advantages, disadvantages, and constraints. In general, we recommend using PAP whenever possible. It is compatible with all known back-end databases, and it has no known security issues.