A common question for people installing the server is “what are the hardware requirements for FreeRADIUS?” The answer is both simpler, and more complex than you would think.
The performance of a RADIUS server depends on many factors. What kind of authentication method it is using, the complexity of the business rules, how often it receives accounting packets, and what kind of database is being used.
That being said, we’ve spent twenty years installing RADIUS systems world-wide for ISPs, enterprises, and universities. We’ve discovered that this question has only two answers:
1) The traffic is low enough that performance doesn’t matter.
2) Your traffic is high enough that you have budget to buy modern systems.
For example, if you are a small ISP or enterprise, just buy a commodity “off the shelf” system, or configure a virtual machine with a “desktop” style configuration. Any laptop or desktop machine which costs $1000 has more than enough CPU, RAM, and disk space to run a RADIUS server which supports thousands of users.
On the other hand, if you are a large ISP with millions of users or a global enterprise with dozens of locations, the cost of RADIUS going down is higher than the cost of a few machines. You should deploy a number of VMs for load balancing and geographic redundancy. Again, the specifications of each individual machine does not really matter that much.
The take-away is that if you have more than a few thousand users, network and database design matters more than the performance of any individual RADIUS system.
We have discussed database performance in another article, it’s always the database. In almost all cases, RADIUS server performance is limited by the database.
We have run tests of FreeRADIUS with a minimal configuration, i.e. no database, and minimal processing rules. These tests can easily reach 40,000-50,000 packets per second. But when we add a database such as SQL, the performance drops significantly, to around two thousand packets per second.
In this situation, the specifications of the RADIUS machine don’t really matter. You are much better off fixing database issues, and ensuring that the database server has enough RAM and fast disk to respond quickly to FreeRADIUS.
If the RADIUS system has to authenticate hundreds of thousands to millions of users, the next priority is network design. For example, a system with many load-balanced RADIUS servers and databases will always be better than one large RADIUS server. A “sharded” and load-balanced system will have higher throughput. It will have higher uptime, as one failed node may lower the maximum performance of the system, but the system as a whole will still operate.
A load-balanced system will have higher scalability, as increased performance can be gained simply by adding more cheap “shards”.
Similar arguments apply for companies which have offices in many different geographic regions. Each region or office can have a local RADIUS system, with a fall-back to a central site. Our design blueprint for universities article discusses this issue in more detail.
CPU, RAM, and Disk requirements
By now, we hope you’ve gotten the message that these hardware specifications do not really matter. RADIUS is almost thirty years old. Twenty years ago, people were running RADIUS servers for millions of users on hardware which is laughably slow by modern standards.
In general, any modern quad-core system is fine for most purposes. An eight or sixteen-core system will be idle 99.9% of the time. Which is actually what you want from a RADIUS server!
FreeRADIUS doesn’t need large amounts of RAM, so any “off the shelf” configuration is OK. 16G is plenty, don’t worry about going a lot past that.
As for disks, a normal hard drive is fine. FreeRADIUS doesn’t read or write enough data for an SSD to make any difference. A 100G disk will be lots, and will mostly be used up by the underlying operating system. All logs should be sent off of the systems to a log aggregator, so that the disk does not fill up with useless information.
In the end, database design and network design matter much more than CPU, RAM, and disk specifications for a RADIUS server. While this is not a definitive answer, it is truthful. You should spend your time and money making sure that the overall system is designed correctly. And then deploy a few VMs, or maybe buy a rack-mount system with similar specifications to the average modern desktop.
It will be fine.
Need more help?
Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us for a consultation.