FAQs: Frequently Asked Questions
General
- What is the difference between the tiers offered?

  All tiers offer the same functionality and security features, but the ‘home’ tier has efficiency, compliance and reliability aspects considered useful to larger entities disabled in the following ways:

  - limit of ten (10) simultaneous sessions
    - this means there is no user or device limit, only that a maximum of ten devices may be connected simultaneously at any given moment
  - High Availability (HA) is in effect disabled, as both VMs:
    - are deployed to the same non-zonal region, or to the same zone in a zonal region
    - share the same fault domain, so a hardware failure on one affects the other
    - Azure is instructed that both systems may be updated simultaneously, causing outages
    - you should therefore only use the two-system deployment when testing RADIUS failover scenarios
  - Accelerated Networking is disabled
  - Encryption at Host is disabled
  - EAP-(T)TLS only supports RSA certificates, which compared to ECDSA certificates:
    - are larger, leading to slower authentications as more round trips are needed to transmit the certificate material
    - require more CPU resources
  - TLS session resumption is disabled
    - this considerably impacts device reconnection times for 802.1X when using EAP-(T)TLS
    - for deployments that have enabled MFA, it will be used for every device connection, including reconnections, making MFA support only suitable for evaluation purposes
  - limited to `Standard_B1` instances (1 vCPU with up to 2GiB RAM)
  - limited to Standard SSD and Standard HDD disk types for the OS
  - RADIUS accounting proxying is not available
  - assigning governance related policies to instances is not available

  The ‘team’ tier removes most of these restrictions, in particular:

  - unlimited simultaneous sessions
  - allows the use of `Standard_B2` instances
  - High Availability (HA) is effective
  - proxying RADIUS (federation only)
  - suitable for use with eduroam® and OpenRoaming™

  The ‘enterprise’ tier further allows for:

  - use of any instance type
  - assignment of governance related policies to instances
  - proxying RADIUS Accounting (SSO)
  - suitable for use with WatchGuard™ Firebox, Fortinet FortiOS and SonicWall
  - integration with Microsoft Defender for Cloud
- Am I permitted to use the ‘home’ pricing tier for my business in production?

  Yes.

- What options are there for support?

  In addition to the online (community) support, for those not on the ‘home’ tier you may contact us to describe your needs and build a tailored solution.
- What is considered ‘heavy’ load?

  If you expect a peak load of more than one hundred (100) requests per second (rps) then you should consider yourself a heavy load deployment.

  You should only expect to see this rate in very large organisations first thing in the morning as staff arrive, and possibly in the early afternoon as staff return from lunch. Universities often see this level of load as students put their devices to sleep and wake them up while moving between lectures.

  In practice, servicing more than 10,000 rps per core is relatively easy for a RADIUS server, but slowdowns occur when:

  - an Azure ‘vCPU’ tends to be a CPU thread, shared with noisy neighbours
  - using a TLS based EAP method such as EAP-(T)TLS, which is strongly recommended for wired 802.1X and wireless (WPA Enterprise):
    - instead of a single RADIUS `Access-Request` packet, a whole TLS handshake has to be sent, requiring many packets to be sent and processed for a single session
    - round-trip time (RTT) distance to the RADIUS server: for example, if this is 100ms and 10 round trips are needed to authenticate your device, this puts a minimum time of at least one (1) second on your authentication
    - if session resumption is not available, this makes every authentication slow
  - checking databases to support authentication and authorization
  - communicating with Microsoft Entra ID to authenticate a user
  - servers have an upper limit on how many concurrent authentications may take place, so the RTT when talking to databases or Microsoft Entra ID lowers this limit considerably
- What instance type is recommended?

  Anything with at least two (2) vCPUs and 2GiB RAM is recommended; the install process recommends `Standard_B2` instances. RAM is primarily used to support running the Azure Monitor Agent, and providing more than 2GiB of RAM is unnecessary.

  More than a single vCPU is useful so that OS update or Azure Monitor Agent events do not impact the actual RADIUS handling components running on the server. Running a single vCPU is likely to cause latency issues if you have a large number of requests.

  On a related note, where possible you should use Ephemeral OS disks as they are cheaper and faster; otherwise at least a Standard SSD is recommended.
- Can I use the cheapest `Standard_B1ls` instance type Azure offers?

  Yes. You are responsible for testing and validating the performance and reliability of such a deployment yourself.

- Can I use Ephemeral OS disks?

  Yes. This is recommended to improve performance and lower your infrastructure running costs.

- I want to use Microsoft Defender for Cloud (or Microsoft Sentinel), how do I install the Azure Monitor Agent?

  If you select an instance with at least 2GiB of RAM the agent will automatically be installed.
- How does location affect my deployment?

  Using an Azure region that is further from your site increases the round-trip time (RTT), which you may be more familiar with as your ping time.

  This is typically a problem for EAP-(T)TLS authentications, as for large certificate chains only about five hundred (500) bytes can be transmitted in a single round trip; 5KiB to 10KiB in total is not uncommon, which for a RTT of 100ms (the ‘width’ of the US or EU) immediately adds at least one (1) second to the authentication time experienced by your users, and this is before delays due to database or Entra ID authentications are taken into consideration.

  Using TLS session resumption masks this latency problem (except for the initial TLS handshake) and so is always recommended.

  It is best to pick a region that is close to you.
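The latency reasoning in this answer and in the ‘heavy load’ answer above, worked through as an added example (editor's code, not RADNAC's): it turns a certificate chain size into round trips using the page's ~500 bytes per round trip figure, converts that to authentication time for a given RTT, and then goes one step beyond the text by applying Little's law to show how that latency turns a server's concurrent-authentication limit into an achievable rate. The four fixed handshake round trips, the concurrency limit of 256 and the 50 ms backend delay are assumed figures, not vendor numbers.

```python
import math

# Page figure: roughly 500 bytes of certificate material fit in one round trip.
FRAGMENT_BYTES = 500
# Assumed (editor's model, not a vendor figure): round trips the EAP-(T)TLS
# handshake needs before any certificate fragments are counted.
HANDSHAKE_TRIPS = 4


def eap_tls_round_trips(chain_bytes: int, resumed: bool = False,
                        fragment_bytes: int = FRAGMENT_BYTES) -> int:
    """Estimate RADIUS round trips for one EAP-(T)TLS authentication."""
    if resumed:
        return HANDSHAKE_TRIPS  # session resumption: no chain crosses the wire
    return HANDSHAKE_TRIPS + math.ceil(chain_bytes / fragment_bytes)


def auth_latency_s(round_trips: int, rtt_s: float, backend_s: float = 0.0) -> float:
    """Minimum authentication time: one RTT per round trip, plus any database or
    Entra ID lookups the server performs (backend_s)."""
    return round_trips * rtt_s + backend_s


def max_auth_rate(max_concurrent: int, latency_s: float) -> float:
    """Little's law: sustainable rate = concurrency limit / per-auth latency.
    This is why a high RTT lowers the server's effective capacity."""
    return max_concurrent / latency_s


def scenario(chain_bytes: int, rtt_s: float, max_concurrent: int,
             backend_s: float = 0.0, resumed: bool = False) -> dict:
    trips = eap_tls_round_trips(chain_bytes, resumed)
    latency = auth_latency_s(trips, rtt_s, backend_s)
    return {"round_trips": trips, "latency_s": latency,
            "max_rps": max_auth_rate(max_concurrent, latency)}


if __name__ == "__main__":
    # Constructed inputs: 10 KiB chain, 100 ms RTT (the page's US/EU ‘width’),
    # an assumed limit of 256 in-flight authentications, 50 ms of backend lookups.
    for resumed in (False, True):
        print("resumed" if resumed else "full handshake",
              scenario(10 * 1024, 0.1, 256, backend_s=0.05, resumed=resumed))
```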
- Can I use ARM based instances?

  No. The service requires Trusted Launch, which Azure does not support for their ARM based instances.

- Can I run the service on-premises?

  Not at this time. The focus of the service is to offer a RADIUS solution to those for whom, if their Internet connection was down, no one would be able to work anyway.

  This is not a technical limitation of the service, as internally we deploy to on-premises equipment during development, but it is done this way to protect our Intellectual Property.

  If this is a blocker for you, then do please contact us to describe why and maybe we can work something out.
Security
- What am I allowed to edit in the Managed Resource Group?

  The resources are placed in a resource group with a read-only deny assignment blocking access to most changes. Some permissions have been allowed, including:

  - Monitoring
  - Networking
  - Instances
    - Power cycling and restarting instances
    - Assign Policy (‘enterprise’ tier only)
- Microsoft Advisor shows recommendations for some resources and/or ‘AzureLinuxBaseline’ lists issues, should I be worried?

  No. They are known and actively being addressed. These issues can be grouped into two classes:

  - Azure limitations, bugs and false positives: we are actively working with Azure to resolve them.
  - Increased running costs: some items, such as using larger instances (including to support update management and attestation), an Azure Firewall or a NAT gateway, you can resolve yourself. Other items, such as using Private Link connections and the use of premium App Service or Service Bus tiers, we have roadmapped to provide you checkboxes during the deployment allowing you to opt in if you so wish.

  If you have a particular concern that is blocking you from using RADNAC, then do please contact us to describe why and we may be able to schedule work sooner to resolve it.
- Why does Multi-Factor Authentication (MFA) only support push notifications?

  Server side this is supportable, but the issue lies in the lack of client side support (in the device supplicant) for this to work.

  To do this you would use EAP-TTLS with EAP-GTC as your inner method, but unfortunately the OS vendors (Android, Microsoft Windows, …) have broken implementations of EAP-GTC: from a user-interface perspective it is treated as a generic ‘prompt for password’ field, which leads to:

  - being unable to display dynamic challenge text to the end user
    - for example “type ‘42’ into your mobile authenticator app”
  - remembering previously used challenges (no longer re-prompting)
    - for example “type the OTP generated into your connecting device”
- Is RADNAC immune to BlastRADIUS?

  Yes, but only if you use, and your equipment supports, `Message-Authenticator` for UDP. It is recommended you use RadSec where possible, for reasons of security as well as user privacy.
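As an added illustration of the `Message-Authenticator` check this answer relies on (editor's example, not RADNAC code): it builds an Access-Request carrying the attribute as RFC 2869 defines it, an HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's own value zeroed, and a receiver-side verifier that rejects a packet whose attribute is missing, malformed or does not match. The shared secret and attribute values used in the test are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, total length (including the 2 header bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int,
                         attrs: list[tuple[int, bytes]],
                         request_auth: bytes | None = None) -> bytes:
    """Build an Access-Request whose last attribute is a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)  # random Request Authenticator
    body = b"".join(_attr(t, v) for t, v in attrs)
    ma_value_offset = 20 + len(body) + 2  # 20-byte header + attrs + MA type/len
    body += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_auth + body
    # HMAC-MD5 keyed with the shared secret, over the packet with the MA value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that verifies."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # truncated, or declared length disagrees with the datagram
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # attribute absent: the packet cannot be trusted, reject it
```

A server that enforces this check (and a client that always sends the attribute) is what the answer means by being protected on UDP; RadSec moves the whole exchange inside TLS instead.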
- What authentication methods are supported?

  Only PAP, EAP-GTC, EAP-TLS and EAP-TTLS using PAP and/or EAP-GTC as an inner method.

- Do you support TLS version 1.3?

  For RadSec (transport) and EAP-TLS, TLS version 1.3 is supported. For EAP-TTLS only TLS version 1.2 is supported, as supplicant support currently has interoperability issues; at some later stage this restriction may be lifted.

  Attempts to use a TLS version lower than 1.2 are rejected for both transport and authentication purposes. Microsoft Windows 11 does not support TLS resumption for EAP-TTLS.
Other
- Are you able to offer bespoke solutions?

  Everything is possible, so please do contact us as we should be able to work something out and determine if a private offer arrangement may better fit your needs.

- Can RADNAC be used for only proxying?

  Yes. You can configure by realm (e.g. `@example.com`) which RADIUS server to forward authentication (`Access-Request`) and (optionally) accounting (`Accounting-Request`) packets to, whilst sending all other realms to a pool of upstream federation RADIUS servers (such as eduroam® and OpenRoaming™). This is useful if you already have a RADIUS service you are happy with but are seeking a solution to allow visitor access without igniting your bank account on any per-user/device licencing arrangements you may use there.

  The typical solution here would be to deploy something like FreeRADIUS to handle this for you, which requires either in-house expertise or the use of a consultant.

- Why can I not just forward a copy of accounting (`Accounting-Request`) packets when using the home or team tier?

  This functionality is only used by enterprise environments for either firewall appliance based SSO or special network audit or Intrusion Detection Systems (IDS).

  In the spirit of not harming functionality, proxying (either authentication or both authentication and accounting) for the purposes of federation based access is allowed on the team tier, but note that the home tier does not allow proxying.

- Where can I learn more about the Azure Marketplace?

  Azure provides Microsoft Marketplace customer documentation covering a wide range of topics, from how offers are listed and how to transact with them to how refunds are handled.
- Can RADNAC be used for wired 802.1X and assigning VLANs?

  Yes. Assignment of VLANs for wireless access is also supported; RADNAC is indifferent to the access medium (e.g. wired or wireless).

- Is there an API?

  Yes, consult the usage documentation on how to use it and where to obtain an OpenAPI 2.0 (Swagger) definition.
- How do you maintain User Privacy and protect PII over RADIUS?

  Where a device is marked `Intranet` (enabled by default), for EAP-TTLS the inner `User-Name` attribute is copied to the outer `Access-Accept` response, which allows you to monitor network and device usage from your equipment and know who is connecting.

  For devices not marked Intranet, typically upstream federation proxies, your own roaming users will have the `User-Name` attribute removed from any `Access-Accept` responses and a `Chargeable-User-Identity` (CUI) put in its place. This identity is fixed for all devices the user uses but is rotated once a week. The purpose of the CUI is to aid abuse reports, so an operator of a remote site can communicate to you that a particular user has caused them problems and have you take action, or alternatively choose to block that CUI to deny local service.

  It is important to configure your device supplicants to present an anonymous user name, as this is communicated in the clear between proxies. For example, for EAP-TTLS, the inner authentication would present `bob@example.com` whilst the outer unencrypted identity would be set to `@example.com` (with an empty username component). The home realm needs to be present on the outer layer for routing purposes, whilst the inner identity is protected by being wrapped in a TLS jacket.

- I turned off the Managed Application System Assigned Identity, what now?

  Services accessed using this identity will no longer be working:

  - Azure Key Vault
    - server certificates for EAP-(T)TLS and RadSec will be broken
  - Microsoft Entra ID
    - information about your users, groups, devices and verified domains will be broken
    - this only applies if you used the recommended non-application integration

  To resolve, the service will hopefully recover if you:

  1. Turn the System Assigned Identity for the Managed Application back on
  2. Go to each VM in the managed resource group and click on ‘Restart’

  After five to ten minutes, the service should recover.