You must change the default password before continuing.

At least 8 characters.

RADIUS Platform

Dashboard

Endpoints

Active Sessions

Pending Approvals

Network Devices

Sites

Total Rejects

Recent Auth Events

View all →
TimeIdentityMethodResultVLANReason
No auth events yet

Clients

NameStatusCreatedActions
No clients yet

Sites & VLANs

No sites yet

Network Devices

NameTypeRADIUS Client IPVendorPorts

No network devices yet

Endpoints

HostnameTypeStatusAccessDescriptionActions

No endpoints yet

Pending Approvals

No pending approvals

Access Policies

PriorityMatch TypeMatch ValueResultVLANActions

No access policies yet

Auth Events

TimeIdentityMethodResultVLANReasonPort
No auth events

Accounting Sessions

Session IDMACVLANPortStartedStatus
No sessions

Guest Portal Configuration

Configure captive portal branding, Stripe payment, pricing plans, and guest access behavior.

Preview Portal

RADIUS Server Public Endpoint

Use this as the RADIUS server address in UniFi/MikroTik.

Auth / Accounting / CoA

/ /

UDP 1812/1813 inbound required; UDP 3799 if using CoA disconnect.

RADIUS Client IP Reminder

Each Network Device's RADIUS Client IP is the source IP this server sees from the client site (its public WAN or VPN/RadSec tunnel IP). Do not enter the RADIUS server's own IP unless the device is on the same LAN as the server.

Guest Captive Portal URL (for this client)

Set this as the external/captive portal URL on the client’s UniFi or MikroTik. The AP appends the guest MAC automatically. Click Preview to test it now.

Portal Branding & Access Methods

logo

Stripe

Stripe webhook URL: https:///api/guest/stripe-webhook

Add Pricing / Access Plan

Current Guest Plans

NameMethodDurationPriceVLANActions
No guest plans configured yet

Recent Guest Sessions

MACStatusMethodGuestVLANExpires
No guest sessions yet

Certificates & PKI

Manage Certificate Authorities and issue EAP-TLS client/server certificates.

No Certificate Authority yet. Create one to enable EAP-TLS.

Certificates —

Subject CNSerialStatusExpiresActions
No certificates issued from this CA yet

WiFi Networks

Define SSIDs and push them to UniFi / MikroTik equipment.

No WiFi networks defined yet.

Enrollment Tokens

Generate self-service links so users can onboard devices and download certificates.

New enrollment link — copy it now, the full token is shown only once:

TokenPurposeUsesExpires
No enrollment tokens yet

Identity & Group Mappings

Connect Entra ID / OAuth and map directory groups to VLANs.

Identity Providers

No identity providers configured

Group → VLAN Mappings

GroupVLANPriority
No group mappings yet

Client Setup Wizard

Guided onboarding — from organization to a verified RADIUS deployment in 8 steps.

Team & Access

Manage internal/admin users, their roles, and per-client access.

platform_owner Full control, incl. billing & user management
platform_admin Manage all clients & users
client_admin Full control of assigned client(s)
client_operator Day-to-day changes, no user mgmt
client_auditor Read-only access
UserScopeRolesStatusActions
No users yet

Settings

Global platform configuration. Changes apply immediately — no restart. Values feed the dashboard, RadSec bundles, and setup guides.

Public RADIUS Endpoint

What client sites (UniFi/MikroTik) point at. The hostname is preferred for RadSec/TLS; the IP is the fallback.

Preferred. Baked into every RadSec bundle, appliance .env, and the UniFi guide.

Sites will be told to use:

Ports

Defaults are standard; change only if your firewall/NAT remaps them.

Branding

logo

PNG/JPEG/GIF/WebP, max 2 MB. Shown in the dashboard header.

Device Onboarding (NAC)

One SSID: devices with an Intune-deployed certificate auto-join the corporate network via EAP-TLS. Devices without a cert fall back to username/password and land on the BYOD network.

Where password-auth (no cert) devices go. Per-site override: create a VLAN with purpose "byod" at each site (SD-WAN sites can use different tags).

Source:

Note: the RadSec/EAP server TLS certificate is separate — if you change the hostname, re-issue the server cert with the new name (see the RadSec docs) so certificate validation still matches.