FAQs: Frequently Asked Questions
General
- What is the difference between the tiers offered?
-
All tiers offer the same functionality and security features but the ‘home’ end has efficiency, compliance and reliability aspects considered useful to larger entities disabled in the following way:
-
Limit of ten (10) simultaneous sessions.
-
Though there is no ‘per-seat’ user or device limit but instead a limitation upon the maximum number of devices that may be simultaneously connected.
-
Devices attempting to connect at this limit will not be allowed to connect until another device disconnects.
-
RADIUS accounting data is used to determine this so make sure you have it configured, see the troubleshooting section regarding home tier sessions for more information.
-
-
Restricted to
Standard_B1andStandard_B2instances up to and inclusive of two (2) vCPUs and 1GiB RAM. -
Restricted to Standard SSD disk type for the OS.
-
Ephemeral OS disks are supported.
-
-
High Availability (HA) is is not supported.
-
Limited to a single VM.
-
-
Proxying RADIUS is disabled.
-
Accelerated Networking is disabled.
-
Encryption at Host is disabled.
-
Trusted Launch is disabled.
-
Assigning governance related policies to instances is blocked.
-
TLS session resumption is disabled.
-
impacts considerably device reconnection times for 802.1X when using EAP-(T)TLS.
-
Though supported, it is not recommended you enable MFA as the connecting user will be prompted on every reconnection which depending on your wireless equipment may happen when roaming between access points.
-
-
EAP-(T)TLS only support RSA certificates, support for ECDSA certificates is disabled.
-
Larger authentication payloads leading to slower authentications as they require more round trips to transmit certificate material.
-
This limitation does not apply to RadSec connections where ECDSA is supported.
-
The ‘team’ tier allows for:
-
Unlimited simultaneous sessions.
-
Use of all
Standard_B1andStandard_B2instances with no vCPU or memory restrictions. -
High Availability (HA) is supported.
-
Allow running of two service VMs.
-
-
Proxying RADIUS (federation only) is supported.
-
Only RADIUS authentication (‘Access-Request’) packets are forwarded.
-
Suitable for use with eduroam®.
-
-
Accelerated Networking is used where available.
-
TLS session resumption is supported.
-
EAP-(T)TLS support for ECDSA certificates.
The ‘enterprise’ tier further allows for:
-
Use of any instance type.
-
Proxying RADIUS accounting (‘Accounting-Request’) packets are forwarded.
-
Suitable for use with OpenRoaming™
-
Suitable for SSO use with WatchGuard™ Firebox, Fortinet FortiOS, SonicWall and other similar appliances.
-
-
Encryption at Host is used where available.
-
Trusted Launch is used where available.
-
Assignment of governance related policies to instances
-
Integration with Microsoft Defender for Cloud
-
- Am I permitted to use the ‘home’ pricing tier for my business in production?
-
Yes.
- What options are there for support?
-
In addition to the online (community) support, those on the ‘enterprise’ tier should contact us to describe your needs and consider use of the ‘co-administrator’ variant of the Enterprise tier plan so that we may assist your with your deployment.
- What is considered ‘heavy’ load?
-
If you expect a peak load of more than one hundred (100) requests per second (rps) then you should consider yourself a heavy load deployment.
You should only expect to see this rate in very large organizations first thing in the morning as staff arrive as well as possibly early afternoon as staff return from lunch. Universities often see this level of load as students place their devices to sleep and wake them up moving between lectures.
In practice servicing more than 10,000 rps per core is relatively easy for a RADIUS server, but slow downs occur when:
-
an Azure ‘vCPU’ tends to be a CPU thread and shared with noisy neighbors
-
using a TLS based EAP method, such as EAP-(T)TLS, strongly recommended for for wired 802.1X and wireless (WPA Enterprise)
-
instead of a single RADIUS
Access-Requestpacket, a whole TLS handshake has to be sent require many packets having to be sent and processed for a single session -
If session resumption is not available, this makes every authentication slow, see recommentations about location placement below for more details
-
-
Checking databases to support authentication and authorization
-
Communicating with Microsoft Entra ID to authenticate a user
RADNAC goes to a lot of effort to mitigate against this but “First Time” authentications (connections made by never seen before new users) are an unavoidable bottleneck that require a direct interaction with Microsoft Entra ID in the hotpath.
Once a user has successfully been authenticated, RADNAC no longer directly interacts with Microsoft Entra ID for further authentications allowing for considerably higher authentication rates.
-
Servers have an upper limit on how many concurrent authentications may take place which due to the overhead of talking to databases or Microsoft Entra ID this limit can be lowered considerably.
-
- What instance type is recommended?
-
Anything with at least two (2) vCPUs and 2GiB RAM is recommended; the install process recommends
Standard_B2instances.RAM primarily used to support running the Azure Monitor Agent and providing more than 2GiB of RAM is unnecessary.
More than a single vCPU is useful so that OS updates or Azure Monitor Agent events do not impact the actual RADIUS handling components running on the server. Running a single vCPU is likely to cause latency issues if you have a large number of requests.
On a related note, where possible you should use Ephemeral OS disks as they are cheaper and faster otherwise at least a Standard SSD is recommended.
- Can I use the cheapest B-series instance types Azure offers?
-
Yes, B-series instance types, in particularly
Standard_B1lsinstances, make for a great instance type for those sensitive to costs such as home tier users.Azure are retiring B-series instances in October 2028 with the affect of that for new subscriptions they are already unavailable.
This means users of the particularly favourably priced
Standard_B1lsinstance type ($4.31/month) will be forced to migrate:-
To the next least expensive
Standard_B2ats_v2instance type ($7.74/month).-
ARM based instances allow you to use
Standard_B2pts_v2($6.13/month).
-
-
Supported B2 instances do not support ephemeral OS disks and so an additional $0.33/month for 4GiB of Standard SSD disk (E1) is necessary.
Our recommendation is to move to ARM based instances and work to remove public IPv4 addresses (each cost $3.60/month) from your deployment to reduce your monthly running infrastructure costs.
-
- Can I use Ephemeral OS disks?
-
Yes, ephemeral OS disks are in fact recommended to improve performance and lower your infrastructure running costs.
Though ephemeral OS disks are desirable for most users, this really only makes sense for B-series instances as the disk savings for other instance types that support this are negligible in comparison to the cost of the instance its-self.
- I want to use Microsoft Defender for Cloud (or Microsoft Sentinel), how do I install the Azure Monitor Agent?
-
If you select an instance with at least 2GiB of RAM the agent will automatically be installed.
- How does location affect my deployment?
-
Using an Azure region that is further from your site increases the round-trip time (RTT) which you may be more familiar with as your ping time.
This typically is a problem for EAP-(T)TLS authentications as for large certificate chains only about one thousand (1000) bytes can be transmitted in a single round trip; 2kiB to 5kiB in total is not uncommon which for a RTT of 100ms (‘width’ of the US or EU) immediately adds at 200 milliseconds (one fifth of a second) to the authentication time experienced by your users and this is before delays due to database or Microsoft Entra ID authentications are taking into consideration. This will only get work as the downside of solutions to Post-Quantum (PQ) attacks are large certificate chains, as much as three (3) to five (5) times larger.
Using TLS session resumption masks this latency problem (except for the initial TLS handshake) and so is always recommended.
Best is to make sure you pick a region that is always close to you.
- Can I used ARM based instances?
-
Not yet, but ARM based instances are roadmapped and should be coming really soon.
- Can I run the service on-premises?
-
Not at this time. The focus of the service is to offer a RADIUS solution to those where if their Internet connection was down, no one would be able to work anyway.
This is not a technical limitation of the service as internally we deploy to on-premise equipment during development, but it is done this way so to protect our Intellectual Property.
If this is a blocker for you, then do please contact us to describe why and maybe we can work something out.
- Why are ‘Standard HDD’s not supported?
They are more expensive due to the banded pricing Azure use for managed disks and that RADNAC does not need more than 4GiB of disk space, as a summary pricing per month is:
-
8GiB (P2) of Premium SSD (SLA of 99.9%) costs $1.50
-
8GiB (E2) of Standard SSD (SLA of 99.5%) costs $0.66
-
32GiB (S4) of Standard HDD SLA of 95.0%) costs $1.69
-
This is the smallest disk size option available.
-
In addition to being more expensive:
-
Azure’s SLA is substantially lower for ‘Standard HDD’s
-
Very poor performance as an OS disk, which can lead to service impact during OS updates
-
Use as an OS disk is being retired by Azure at the end of September 2028
For RADNAC, this makes the SSD options always cheaper, better performing and more reliable than the non-SSD option.
- Can RADNAC be used for only proxying?
-
Yes. You can configure by realm (eg.
@example.com) which RADIUS server to forward authentication (Access-Request) and (optionally) accounting (Accounting-Request) packets to whilst sending all other realms to a pool of upstream federation RADIUS servers (such as eduroam® and OpenRoaming™).This is useful if you already have a RADIUS service you are happy with but are seeking a solution to allow visitor access without igniting your bank account on any per-user/device licensing arrangements you may use there.
The typical solution here would be to deploy something like FreeRADIUS to handle this for you, which requires either in-house expertise or the use of a consultant.
- Can RADNAC be used for wired 802.1X and assigning VLANs?
-
Yes, as well as assignment of VLANs for wireless access is also supported, RADNAC is indifferent to the access medium (eg. wired or wireless).
- Can RADNAC be used to authenticate access to devices, such as servers and switch management interfaces?
-
Yes. As long as your network (wired and wireless) access has in its RADIUS
Access-Request's the attributeService-Typeset toFramed-User, any other value is treated as a device login. You can then use RADNAC groups to apply a different policy to network and device requests. - Is there an API?
-
Yes, but it is not documented yet but is roadmapped to be so.
- Why is the API (affecting the UI) slow?
-
The API is served by an Azure Function hosted on a Flex Consumption plan that is configured to be serverless (scale-in to zero) to save costs. The effect is when the API is considered by Azure to be idle, resources are deallocated and you are no longer billed for it.
The disadvantage is cold starts that manifest as slow API calls that make the UI feel slow.
Unfortunately Microsoft do not expose controls to set our own idle time thresholds and so the only solution to this would be to use always ready instances which add a minimum of $5/month to your Azure bill.
As the API is expected to be only occasionally used, for some only once when you configure your deployment, we decided to lean towards cost savings.
Security
- What am I allowed to edit in the Managed Resource Group?
-
The resources are placed in a resource group with a read-only deny assignment blocking access to most changes. Some permissions have been allowed, including:
-
Monitoring
-
Networking
-
Instances
-
Start, Stop and Restart
-
Assign Policy - ‘enterprise’ tier only
-
-
Web Apps
-
Start, Stop and Restart
-
- Microsoft Advisor shows recommendations for some resources and/or ‘AzureLinuxBaseline’ lists issues, should I be worried?
-
No. They are known of and actively being addressed.
These issues can be grouped into a two classes:
- Azure limitations, bugs and false positives
-
We are actively working with Azure to resolve them.
- Increased running costs
-
Some items, such as using larger instances (including to support updating management and attestation), an Azure Firewall or NAT gateway, you can resolve yourself. Other items, such as using Private Link connections and the use of premium App Service or Service Bus tiers, we have roadmapped to provide you checkboxes during the deployment allowing you to opt into this if you so wish.
If you have a particular concern that is blocking you using RADNAC, then do please contact us to describe why and we may be able to schedule work sooner to resolve it.
- Is RADNAC immune to BlastRADIUS?
-
Yes, only if you use and your equipment supports
Message-Authenticatorwhen using UDP.It is recommended you use RadSec where possible for reasons of security as well as user privacy.
- What authentication methods are supported?
-
Only PAP, EAP-GTC, EAP-TLS and EAP-TTLS using PAP and/or EAP-GTC as an inner method.
- Do you support TLS version 1.3?
-
For RadSec (transport) and EAP-TLS, TLS version 1.3 is supported. For EAP-TTLS only TLS version 1.2 is enabled as supplicant (ie. device connecting) support is lacking and leads to interoperability issues; at some later stage this restriction may be lifted.
Attempts to use a TLS version lower than 1.2 is rejected for both transport and authentication purposes. Microsoft Windows 11 has known limitations and issues when using TLS 1.3 and does not support TLS resumption for EAP-TTLS (or PEAP).
For these reasons you should stick with TLS 1.2 which works as expected.
As of June 2026, Microsoft has been testing support for TLS 1.3 session resumption for EAP-TTLS and PEAP (though not TEAP) in Windows Insider preview builds (
26220.8474and later). No timeline has been provided for when this will be generally available instructions on how to enable it may be found on the FreeRADIUS website. Though RADNAC will not use TLS 1.3 for EAP-TTLS, it has been roadmapped to provide controllable support for this.
Other
- Does RADNAC include any analytics tracking code?
-
No and it also does not use the metered billing APIs.
Your deployment is your own and private to you.
We have no visibility in how you use it, other than if you choose to use a 'co-administrator' plan which is not the default and not recommended for most users.
We do received lifecycle notifications described in our privacy policy.
- How do you maintain User Privacy and protect PII over RADIUS?
-
Where a device is marked
Intranet(by default enabled) for EAP-TTLS the innerUser-Nameattributed copied to the outerAccess-Acceptresponse which allows you to monitor network and device usage from your equipment and know who is connecting.For non-Intranet marked devices, typically upstream federation proxies, your own users roaming will have the
User-Nameattribute removed from anyAccess-Acceptresponses and instead aChargeable-User-Identity(CUI) in its place. This identity is fixed for all devices the user uses but is rotated once a week. The purpose of the CUI is to aid abuse reports so an operator of a remote site can communicate to you that a particular user has caused them problems and to have you take action or alternatively choose to block that CUI to deny local service.It is important to configure your device supplicants to present an anonymous user name as this is communicated in the clear between proxies.
For the example of EAP-TTLS, there is an ‘outer’ (public) and ‘inner’ (private) identity. To preserve privacy where the user identity is
bob@example.com, the outer identity should be set to@example.com. Having an empty user component may look strange, but it is valid best practice.To support federated deployments the outer identity must contain the realm (domain) of user so that the request may be routed back to their home servers. The importance here is to make sure the username componment (the bit before the
@) is protected by a TLS jacket that prevents evesdropped from tracking your users. - Where can I learn more about the Azure Marketplace?
-
Azure provide Microsoft Marketplace customer documentation covering a wild range of topics from how offers are listed, how to transact with them and how the process of refunds are handled.
- Are you able to offer bespoke solutions?
-
Everything is possible, so please do contact us as we should be able to work something out and determine if a private offer arrangement may better fit your needs.