A common question for people installing the server is “what are the hardware requirements for FreeRADIUS?” The answer is both simpler, and more complex than you would think.
The performance of a RADIUS server depends on many factors: what kind of authentication method it is using, the complexity of the business rules, how often it receives accounting packets, and what kind of database is being used.
That being said, we’ve spent twenty years installing RADIUS systems world-wide for ISPs, enterprises, and universities. We’ve discovered that this question has only two answers:
1) Your traffic is low enough that performance doesn’t matter.
2) Your traffic is high enough that you have budget to buy modern systems.
For example, if you are a small ISP or enterprise, just buy a commodity “off the shelf” system, or configure a virtual machine with a “desktop” style configuration. Any laptop or desktop machine that costs $1000 has more than enough CPU, RAM, and disk space to run a RADIUS server that supports thousands of users and handles typical network traffic.
On the other hand, if you are a large ISP with millions of users or a global enterprise with dozens of locations, the cost of RADIUS going down is higher than the cost of a few machines. You should deploy a number of VMs for load balancing and geographic redundancy. Again, the specifications of each individual machine does not really matter that much.
The take-away is that if you have more than a few thousand users, network design and database design matters more than the performance of any individual RADIUS system.
Database design for FreeRADIUS
We have discussed database performance in another article: it’s always the database. In almost all cases, RADIUS server performance is limited by the database.
We have run tests of FreeRADIUS with a minimal configuration, i.e. no database and minimal processing rules. These tests can easily reach 40,000-50,000 packets per second. But when we add a database such as SQL, the performance drops significantly, to around two thousand packets per second.
In this situation, the FreeRADIUS hardware requirements don’t really matter. You are much better off fixing database issues and ensuring that the database server has enough RAM and fast disk to respond quickly to FreeRADIUS.
Network design for FreeRADIUS
If the RADIUS system has to authenticate hundreds of thousands to millions of users, the next priority is network design. For example, a system with many load-balanced RADIUS servers and databases will always be better than one large RADIUS server. A “sharded” and load-balanced system will have higher throughput. It will have higher uptime, as one failed node may lower the maximum performance of the system, but the system as a whole will still operate.
A load-balanced system will have higher scalability, as increased performance can be gained simply by adding more cheap “shards”. This approach supports long-term growth and business operations.
Similar arguments apply for companies that have offices in many different geographic regions. Each region or office can have a local RADIUS system, with a fall-back to a central site. Our design blueprint for universities article discusses this issue in more detail.
CPU, RAM, and disk requirements
By now, we hope you’ve gotten the message that these FreeRADIUS hardware requirements do not really matter. RADIUS is almost thirty years old. Twenty years ago, people were running RADIUS servers for millions of users on hardware that is laughably slow by modern standards.
In general, any modern quad-core system is fine for most purposes. An eight or sixteen-core system will be idle 99.9% of the time. Which is actually what you want from a RADIUS server running smoothly!
FreeRADIUS doesn’t need large amounts of RAM, so any “off the shelf” configuration is OK. 16G is plenty; don’t worry about going a lot past that.
As for disks, a normal hard drive is fine. FreeRADIUS doesn’t read or write enough data for an SSD to make any difference. A 100G disk will be lots and will mostly be used up by the underlying operating system. All logs should be sent off of the systems to a log aggregator, so the disk does not fill up with useless information.
Performance optimisation and monitoring
In the real world, proper performance optimization involves:
- Implementing monitoring tools to track response time
- Regular database performance tuning
- Optimizing data storage strategies
- Ensuring high performance network connectivity
These factors contribute more to running smoothly than raw hardware specifications.
Conclusion
In the end, database design and network design matter much more than CPU, RAM, and disk specifications for FreeRADIUS hardware requirements. While this is not a definitive answer, it is truthful. You should spend your time and money making sure that the overall system is designed correctly. And then deploy a few VMs, or maybe buy a rack-mount system with similar specifications to the average modern desktop.
It will be fine.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
How to connect FreeRADIUS to Active Directory for authentication
Active Directory is widely used in the enterprise and university systems. This article describes how to connect FreeRADIUS with Active Directory, allowing you to authenticate users against your existing directory service while leveraging the power of your RADIUS server for network access control.
RADIUS for Universities
University environments present challenges for RADIUS system design. Every hour, on the hour, thousands of students close their laptops, move to a different location, and open them again. This unique environment requires a unique infrastructure to support it.