Quickstart: Getting started with RADNAC

Get started quickly with our walk through demo configuration.

Once running, explore our follow up walk throughs to get your service production ready!

The aim of this howto series of guides is to get you running a demo with minimal effort and incrementally improve the compliance side of the deployment. Before installing the service you intend to use, it is recommended you complete the series to understand the moving parts and then consult the detailed instructions when building your main service.

Preflight: Checklist

  • Microsoft Azure account with an active subscription

    • You will require at least the Contributor role for the subscription

  • Wireless equipment supporting ‘WPA Enterprise’ (maybe labeled as ‘802.1X’) networking

    • It is strongly recommended that you use equipment supporting RadSec to improve reliability and privacy

    • The example provided describes how to configure Ubiquiti’s wireless equipment using their UniFi service as they are the only vendor offering out of the box support for both ‘WPA Enterprise’ and ‘RadSec’ at a price that is accessible to small scale deployments. If you know of others, and better still can offer instructions, please do get in touch so we may add them here.

      Ubiquiti limit their access points so that you are unable to use WPA Enterprise without a UniFi controller
      If you do not wish to self-host a UniFi controller, Ubiquiti are not the only ones offering a hosted solution and there are other vendors that include Cloud UniFi and Uniquely Cloud; these are not endorsed services (internally we self host) but instead are provided as suggestions to start you looking for a solution that works for you.

    • Other known vendors you can use RADNAC with that offer WPA Enterprise (but not RadSec) are TP-Link (in particular their Omada products) and NETGEAR

  • Internet connection

    • Strongly recommended is to have a static (fixed) IP address, ask your ISP if you are unsure

Steps

What we will be covering in this howto is:

  1. Installing from Marketplace

  2. Adding a device to RADNAC

  3. Creating a user in RADNAC

  4. Installing the demo server certificate in RADNAC

  5. Configuring your wireless equipment

  6. Doing your first WPA Enterprise (802.1X) wireless authentication

  7. Examining the logs

Installing from Marketplace

  1. Go to the Azure Marketplace and search for ‘RADNAC’; make sure the publisher list for the offer is ‘coreMem Limited’

  2. Click on it and you will be presented with the option to:

  3. Click on Create to begin the installation Wizard

Selecting your plan from the Azure Marketplace

Throughout the wizard, many fields provide a small information icon that you may hover over to get more information on how it affects the deployment.

Basics

  1. Select the ‘Resource Group’ to install the managed application to, this is where you will mostly be interacting with RADNAC

  2. Select a ‘Region’ (and ‘API Region’) near to your location (where you want your data stored)

  3. Leave ‘Azure Infrastructure SLA’ at ‘99.9%’ (three-nines)

  4. Set the ‘Application Name’, the name that will be used for the resource created in the ‘Resource Group’ provided above, to the value ‘radnacdemo’

  5. Leave ‘Application resources Resource group name’, where all the resources of the service will be stored, at its default value

  6. Click the Next button at the bottom left to move to the next section

Basic settings for the deployment

Other

  1. For all the remaining sections, leave everything at their defaults, clicking the Next button at the bottom left to move to the next section until you reach ‘Review + create’

  2. Once you get to the final tab of the wizard, click on the Create button at the bottom left

Reviewing the deployment settings

Deployment

The deployment will now begin, this process typically takes less than ten (10) but may take upward of thirty (30) minutes.

Deploying in progress

When it completes, click on the Go to resource button.

RADNAC deployed

Now click on ‘radnacdemo’ which will take you to the RADNAC managed application.

RADNAC managed application

This is the page where you will do most of your interacting with RADNAC, we will refer to this as the ‘managed application’ page.

Adding a device to RADNAC

For this step you will need the public IP addresses that your Internet connection is assigned.

If you do not have a static (fixed) IP when your router reconnects to the Internet those public IPs may change which will break your wireless network service; if you do not know them, it is likely and best to consider your public IP addresses as ‘dynamic’. Ideally you should ask your ISP to provision you with static IP addresses (strongly recommended!) but if they are unable to and migrating to another ISP is a non-starter then you will be able to follow a later guide in these series to implement RadSec or a VPN connection Azure to mitigate some of the problems around the use of dynamic IP addresses.

If you do not know what your IP addresses fortunately they likely will be the same as the ones your computer and mobile devices use so you may infer them from an IP reporting tool such as https://test-ipv6.com/. On this page, make a note of both the IPv4 and IPv6 addresses shown.

You might not have an IPv6 address, do not worry, this is due to a limitation of your ISP (or your router and network) though fortunately is not something most would notice or need.

If your public IP addresses are not in ‘CIDR format’ (ie. ‘<ip>/<prefix>’) we need to convert them using a CIDR Calculator. Here you use the ‘Convert to IP Address Range’ (confusing not the ‘Convert to CIDR’) section. When entering an IPv4 address set the value of ‘Prefix Length’ to ‘24’ whilst for an IPv6 address use ‘56’. When you press the Convert button, make a note of the value of the ‘Start IP Address’ and then append it with ‘…​/<prefix-length>’.

Using a CIDR Calculator

For example, if your IPv4 address was ‘198.51.100.43’ then after converting it you would have the value of ‘198.51.100.0/24’. If you used an IPv6 address of ‘2001:db8:1016:61dd:2878:3654:6148:613a’ then after converting it you would have the value of ‘2001:db8:1016:6100::/56’.

Any calculated values for your CIDR’s are approximations that are suitable only for the purposes of this demo.

Now we use these CIDR’s to configure RADNAC to accept authentication requests from your wireless equipment.

From the managed application page navigate the menu on the left Resources (Preview)  RADIUS Devices and click on the Add button at the top to start the wizard. For the values provide a name for your wireless equipment (eg. wifi), add the CIDRs comma separated to the ‘IP Addresses’ box and leave at their defaults ‘Intranet’ (enabled) and ‘Roles’ (‘Client’ only). Now click on the Next button at the bottom of the page. Review the configuration and then click on the Submit button.

You should now see your newly created device edit, click the checkbox to the left of it and click on the Edit button and navigate to the ‘RADIUS’ tab. From here, check the ‘Transport UDP’ checkbox, leave ‘Change-of-Authorization (CoA) and/or Disconnect Port’ at its default (3799), set ‘Shared Secret’ to an unguessable value, leave ‘Shared Secret is Base64 encoded’ at its default (unchecked) and leave ‘Message Authenticator’ left to its default (checked). Now click on the Next button at the bottom of the page until you reach the ‘Review + create’ section and lastly click on the Submit button.

Editing your newly created RADIUS device

Creating a user in RADNAC

From the managed application page navigate the menu on the left Resources (Preview)  Local Users and click on the Add button at the top to start the wizard. For the values provide a username (eg. ‘bob’) and password (eg. ‘hello’).

Do not use any of your existing passwords here, this demo is geared to you kicking the tires as quickly as possible and a later guide below walks your though securing how your passwords are transmitted; this is the s(ecure) in https.

Now click the Next button at the bottom left of the page, review your changes and then click on the Submit button.

Installing the demo server certificate in RADNAC

There two parts to this step:

  1. Create an Azure Key Vault, grant yourself and RADNAC permission to use it and import the demo server certificate

  2. Configure RADNAC to use the demo server certificate

Creating an Azure Key Vault

  1. In the main Azure Portal, navigate to ‘Resource groups’ by typing into the search box at the top ‘resource groups’ and clicking on it.

  2. Create a new resource group by clicking on the Create button at the top, provide the name ‘radnacmisc’ (for the purpose of this demo) then click on the Review + create button at the bottom and after reviewing, click on the Create button at the bottom.

  3. Once the resource group has been created (you may need to click the Refresh button at the top), now either:

    • Directly navigating to the create Azure Key Vault wizard.

    • Manually locating the Key Vault creation wizard by:

      1. Clicking on your newly created resource group (you may need to click the Refresh button at the top) and from within it, click on the Create at the top of the pane that opened.

      2. You will be taken to the Azure Marketplace where you search for ‘key vault’, press the Enter and then check the checkbox ‘Azure services only’.

      3. Find the item listed as ‘Key Vault’ by Microsoft (should be the first item) and click on it.

      4. On the overview page you are presented with, click on the Create button.

  4. In the wizard, select your newly created resource group, for the demo give the Key Vault the name of ‘radnacdemo’, leave the pricing tier at its default (‘Standard’), leave all other configuration settings at their defaults and click on the Review + create button at the bottom, Create button on the review page, and once the resource is created, click on the Go to resource button

    Creating a Key Vault resource

  5. To grant access to the Key Vault, you will need navigate to Access Control (IAM)  Add  Add role assignment on the left hand menu to open the add role wizard

    If you do not have ‘Key Vault Contributor’ (or ‘Owner’ or ‘User Access Administrator’) access you will need to seek assistance from your IT administrator to complete the rest of this section

  6. Select Role  Job function roles  Key Vault Administrator and then in the Members menu tab, for ‘Assign access to’ select the User, group, or service principal radio button, and under the Members menu select yourself, then Review + assign at the bottom of the page

  7. Repeat the add role wizard, though this time select Role  Job function roles  Key Vault Certificate User and then in the Members menu tab, for ‘Assign access to’ select the ‘Managed identity’ radio button, and under the Members menu select Managed identity  Managed application and choose radnacdemo, then Review + assign at the bottom of the page on, and under the Members menu select yourself, then Review + assign at the bottom of the page

  8. Download the demo server certificate and install it into the Key Vault

  9. Navigate the menu Objects  Certificates  Generate/Import

  10. Select ‘Import’ from the ‘Method of Certificate Creation’ dropdown, set the ‘Certificate Name’ to ‘radnacdemocert’, upload the radnacdemo.pem certificate and left the ‘Password’ field blank, and then click on the Create button

    Importing the demo server certificate into the Key Vault resource

Using the server certificate

  1. From the managed application page navigate the menu on the left Resources (Preview)  Realms, check the ‘NULL’ entry and click on the Edit button at the top

  2. From the wizard that opens, check the ‘Allow EAP-TTLS/{PAP,EAP-GTC}’ option, from the ‘Key Vault holding Host Certificate’ dropdown select radnacdemo and for ‘Name of certificate in Key Vault’ type in ‘radnacdemocert’

  3. Click on the Review + submit button at the bottom and then from the review page click on the Submit button

    Configuring RADNAC to use the demo server certificate into the Key Vault resource

  4. You should now see “Using ‘radnacdemocert’ from the Key Vault ‘radnacdemo’” display for the ‘NULL’ realm, status reported as ‘OK’ with no action being required Realm ‘NULL’ correctly configured with the demo server certificate

Configuring your wireless equipment

For this we need the IP addresses RADNAC provides for the service. To obtain these go to the managed application page and navigate the menu on the right Settings  Parameters and Outputs and listed at the bottom, under the ‘Outputs’ section, are the values we need:

  • ‘primaryIPv4’: our example will use the value ‘203.0.113.14’, your value will be different!

  • ‘primaryIPv6’: our example will use the value ‘2001:db8:1016:2::1fe’, your value will be different!)

The values for ‘secondaryIPv4’ and ‘secondaryIPv6’ will be blank as for the demo only a single service instance is created

Open a new browser window to the administrative management page for your wireless equipment.

Every vendor is different, so if you are not using Ubiquiti’s equipment, you likely will have to read the documentation or seek support for your existing wireless equipment. Fortunately searching for ‘WPA Enterprise’ and ‘RADIUS’ in your instructions will get you close to what you need, then you hopefully will just need to copy values found here into the user interface of your equipment.

In Ubiquiti’s user interface, you need to navigate the menu Settings  Profiles and then click on the ‘RADIUS’ tab and then click ‘Create New’.

Creating a UniFi RADIUS profile

In the right side bar ‘Add RADIUS Server’ panel, fill in the fields with name set to ‘radnacdemo’, leave the VLAN (Wired and Wireless networks) and TLS checkboxes unchecked, type in the ‘primaryIPv4’ from above as the ‘IP Address’, leave ‘Port’ set to its default (1812) and type in the shared secret you used when adding a device to RADNAC earlier. Now click on the `Add’ immediately below the shared secret textbox.

We will not use the ‘primaryIPv6’ field as the UniFi equipment does not support it

Check the ‘Accounting’ checkbox and again add the ‘IP Address’, leave ‘Port’ set to its default (1813), type in the shared secret and click on the `Add’ immediately below the shared secret textbox.

Lastly check ‘Interim Update Interval’, but leave the time period associated with it at its default (3600 seconds). Now click on the Add button at the bottom of the right side panel.

Now we will create a new wireless network for your mobile phone to connect to. Navigate the menu Settings  Wifi and click on ‘Create New’. Set the fields as:

  • Name: radnacdemo

  • Network: Native Network

  • Advanced: Manual

  • Security Protocol: WPA2 Enterprise

    Ideally you would use ‘WPA3 Enterprise’ here but for the purpose of a frictionless demo we use ‘WPA2 Enterprise’ to avoid support (iOS and Android) and reliability issues (especially on Android).

  • RADIUS Profile: radnacdemo

Leave all other fields at their defaults and click on the Add WiFi Network button at the bottom.

Connecting using WPA Enterprise (802.1X)

Finally it is time to connect to your new wireless network.

Android

  1. Open the wireless settings page by either

    • Long press holding the wireless tile

    • Navigate to Settings  Network and Internet  Wi-Fi

  2. After a few moments your phone should show the ‘radnacdemo’ wireless network from the list of available networks

  3. Tap on the ‘radnacdemo’ entry

  4. A configuration dialog will open where you should set:

    EAP method

    TTLS

    Phase 2 authentication

    PAP

    CA certificate

    Select ‘Trust on First Use’ (Android 13 or later) or if not an option use ‘None’ (Android 12) or ‘Do not validate’ (Android 11 and earlier)

    In a later guide we describe how to secure this but for the purpose reducing friction in our demo we are skipping this for now.
    Identity

    Type in the username of the user you created in RADNAC

    Password

    Set to the password of the user you created in RADNAC

  5. Leave all other fields at their default values

  6. Click on the Connect button at the bottom

  7. If using Android 13, you may be prompted to confirm that you trust the network, it should show ‘radnacdemo’ and you should click on ‘Yes, connect’

  8. You should now be connected

Configuring Android to connect to the wireless network

iOS

  1. Open the wireless settings page by going to Settings  Wi-Fi

  2. Tap on your new wireless network ‘radnacdemo’

  3. You will be prompted for a username and password, use the values for the user you created above in RADNAC

  4. Tap on ‘Join’ in the top right

  5. You will be presented with a dialog asking you if you trust the ‘radnacdemo’ certificate, which you should tap ‘Trust’ in the top right

  6. You should now be connected

Examining the logs

To see the logs of your login:

  1. Go to the managed application page and click on the linked next to the ‘Managed resource group’ near the top right of the page.

  2. Click on the ‘appiservice’ resource, this is where you interact with the logs of the service and understand its usage

  3. This page presents an ‘Overview’ of failed logins, response time and number of requests served.

    Log overview

  4. There are a number of other data views available:

    Service Map (navigate via Investigate  Application map)

    Provides a top down view of how the service is functioning, what it talks to and how long it takes. If a link has errors, it will show up colorized in red as somewhere to begin investigating problems if they occur. Examining the map overview of service performance

    This is particularly useful for eduroam® and OpenRoaming™ participates
    Requests (navigate via Investigate  Transaction search)

    Fetch the data by either clicking on the button See all data in the last 24 hours or picking a timeframe from the top left. The result is a number of rows labeled ‘TRACE’ (green) represents every packet between your wireless equipment and RADNAC and ‘REQUEST’ (blue) corresponds to each authentication, clicking on the latter shows an overview of how long it took and how the authentication took place

    Inspecting the request transactions

    A summary of what you are seeing:

    Purple Dots

    Represent individual packets received and sent by the service. For when they appear on the ‘inner’ access requests these are the embedded contents that make up the inner request.

    Opaque Blue Section

    The duration of the entire request made up of a sequence of two (usually one request and one response) or more packets.

    Partially Opaque Blue Section

    The duration of the virtual request; same as the main request but associated with either the devices (clients and proxies) involved or the embedded inner request wrapped by the main request.

    Arrows

    This shows which latter (and former) requests are associated with this request. This means you can determine which EAP-(T)TLS sessions TLS session resumption was coupled to as well as which accounting (usage) sessions were created based on which authentication.

    Failures (navigate via Investigate  Failures)

    View showing the errors (failed authentications) and allowing you to drill down into the issue.

    User Logins (navigate via Usage  Users)

    Explore how each one of your users is connecting, use the filter ‘Authenticated user Id’ to search for a given user (for example ‘Authenticated user Id == bob’).

    Sessions (navigate via Usage  Sessions)

    Explore how long connections were maintained.

Take the next step