Overview
RADNAC is a turnkey compliance solution on Azure for companies and the education sector migrating from a shared Wi-Fi password to per-user authentication against Microsoft Entra ID to secure wireless connectivity.
Features
Native Azure Service
The only product that offers a 100% native Azure presentation, in which you interact entirely from within the Azure Portal or using the API exposed as part of Azure’s standard REST API. Similarly, monitoring the service, receiving alerts and generating reports is all maintained using Azure Monitor.
RADNAC only requires you to learn Azure, which is a transferable skill, and does not require you to learn another vendor specific interface.
Data Sovereignty with BYOC
Implemented with a ‘Bring Your Own Cloud (BYOC)’ model: you provide the Azure subscription, install RADNAC from the Azure Marketplace and retain all your data within your own Azure account.
The service has no dependencies outside Azure and does not exfiltrate or store any of your data outside the Managed Resource Group located within your account.
This gives you full access control using RBAC, complete control over where the data resides (geography) and visibility of usage backed by Azure’s immutable (tamper-evident, not modifiable) audit logs.
Compliance
You are given full visibility of, and access to, Operating System patching, and you can inspect the automated firewall policies in place, which use ‘Deny by Default’ rules for both ingress (inbound) and egress (outbound) traffic.
You can also use Azure Policy and Microsoft Defender for Cloud to lean on their baselines, or develop your own policies, to make sure your deployment meets your compliance needs.
RADIUS Best Practice
RADNAC implements Best Current Practice (BCP) and where you are provided choices that affect this it will warn you when deviating from BCP and suggest an alternative where possible.
Separate Device and Network Policies
RADNAC is not only for network connectivity: you can use it with any device that authenticates connecting users over RADIUS, such as a VPN concentrator, managed network switches and web servers using HTTP Basic Authentication.
Device
RADNAC supports RadSec (RADIUS over TLS) authenticated with either X.509 certificates or TLS-PSK, as well as plain RADIUS over TCP and UDP.
| It is strongly recommended and preferable to use RadSec for both security and privacy reasons. |
Users and Groups
You can authenticate users against accounts in Microsoft Entra ID, but there is no requirement to use your directory, or even to grant RADNAC access to it; instead you may use local accounts managed by RADNAC.
Groups are managed by RADNAC internally but can be tied to a Microsoft Entra ID group (including dynamic groups) so that all members of that group are associated with the locally managed RADNAC group.
Such a group may then have settings associated with it such as:
- Time of Day access (eg. ‘only weekdays, 9 till 5’)
- VLAN assignment
- Session Timeout
Faster Authentications
The result of an authentication is cached, allowing RADNAC to skip the slowest step, calling out to Microsoft Entra ID, on subsequent attempts; this applies to both correctly and incorrectly provided passwords. Caching rejections also helps to avoid account lockouts, and the support costs arising from them, when a legitimate user’s device unwittingly retries the same old incorrect password indefinitely.
For EAP-TLS and EAP-TTLS authentications, TLS session resumption (fast reconnect) is fully supported, substantially reducing the number of packets needed to complete the authentication; this helps to improve roaming between wireless access points that are not centrally managed and do not support 802.11r.
Faster Authorization
Group memberships and user attributes (but not passwords!) are replicated to a local database on the servers to avoid slow requests out to Microsoft Entra ID.
Reactive to Changes in Microsoft Entra ID
User and group membership changes are detected and automatically incorporated when evaluating policy.
Examples of the Entra ID user properties this covers include:
- accountEnabled: whether the user is allowed to authenticate (eg. connect to the network) at all.
- lastPasswordChangeDateTime: any cached password results are ignored if they were created before this timestamp.
- refreshTokensValidFromDateTime and signInSessionsValidFromDateTime: any cached TLS sessions (used by EAP-TLS and EAP-TTLS fast reconnect) are ignored if they were created before either of these timestamps.
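The two sections above describe a result cache that is invalidated from directory attributes. The following is an added example, not RADNAC’s own code, of how a RADIUS front end can apply exactly those rules: a cached Access-Accept or Access-Reject is replayed only for the same password (stored as a salted hash, never in clear), a disabled account fails closed, an entry older than lastPasswordChangeDateTime is treated as stale, and a cached TLS session is refused once either of the token-validity timestamps passes it. All class and function names, the sample users and timestamps are constructed for illustration; the property names match the Microsoft Graph user resource.

```python
# Added example (not RADNAC's code): serving RADIUS authentications from a cache
# that is invalidated by Microsoft Entra ID user properties. Names are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class EntraUser:
    # Property names as on the Microsoft Graph user resource.
    accountEnabled: bool
    lastPasswordChangeDateTime: Optional[datetime]
    refreshTokensValidFromDateTime: Optional[datetime]
    signInSessionsValidFromDateTime: Optional[datetime]


@dataclass
class CachedPasswordResult:
    user_name: str
    salt: bytes
    digest: bytes          # salted hash of the password that was tried, never the password
    accepted: bool         # Entra ID's verdict for that password (Accept or Reject)
    cached_at: datetime    # when the round trip to Entra ID happened


@dataclass
class CachedTlsSession:
    user_name: str
    created_at: datetime   # when the full EAP-TLS/TTLS handshake completed


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def digest_password(password: str, salt: bytes) -> bytes:
    # Slow hash so a leaked cache does not hand out the passwords it guards.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_entry(user_name: str, password: str, cached_at: datetime, accepted: bool) -> CachedPasswordResult:
    salt = os.urandom(16)
    return CachedPasswordResult(user_name, salt, digest_password(password, salt), accepted, cached_at)


def _before(ts: datetime, cutoff: Optional[datetime]) -> bool:
    return cutoff is not None and ts < cutoff


def password_cache_decision(entry: CachedPasswordResult, user: EntraUser,
                            presented_password: str) -> Optional[bool]:
    """True/False: the cache answers the request. None: call Entra ID."""
    if not user.accountEnabled:
        return False        # disabled account: reject without consulting the cache
    if _before(entry.cached_at, user.lastPasswordChangeDateTime):
        return None         # entry predates a password change: stale, re-authenticate
    if not hmac.compare_digest(entry.digest, digest_password(presented_password, entry.salt)):
        return None         # a different password than the cached attempt: needs an authoritative answer
    return entry.accepted   # same password as last time: replay the Accept or the Reject


def tls_session_resumable(session: CachedTlsSession, user: EntraUser) -> bool:
    """Fast reconnect is only allowed while the session postdates both validity cut-offs."""
    if not user.accountEnabled:
        return False
    return not (_before(session.created_at, user.refreshTokensValidFromDateTime)
                or _before(session.created_at, user.signInSessionsValidFromDateTime))
```

Note that a cached rejection is replayed only when the same wrong password is presented again; a different password always goes back to Entra ID, so the cache never hides a user’s corrected password, while a supplicant looping on a stale one never reaches the directory’s lockout counter.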
Proxying
Although important to many deployments, use of the user and group features is not required; instead you may forward (proxy) requests by realm (ie. @example.com) to your existing RADIUS infrastructure. Forwarding of authentication (Access-Request packets) is supported, and, optionally, forwarding of accounting (Accounting-Request packets) as well.
If you use Microsoft Entra ID, RADNAC will automatically pick up the list of custom domains you have configured.
| Proxying is not supported on the ‘Home’ tier |
Federation
Suitable for use with eduroam® and OpenRoaming™, RADNAC can be configured to authenticate your own users locally against Microsoft Entra ID whilst forwarding visitor authentications (all other realms) to your upstream federation service.
RADNAC supports the Operator-Name attribute and can assign a Guest VLAN to successful visitor authentications so that their traffic is segmented from your own users’ traffic.
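The Proxying and Federation sections above come down to one routing decision per Access-Request. The following is an added example, not RADNAC’s code, of that decision: the realm is taken from the User-Name as an NAI (everything after the last ‘@’, per RFC 7542), requests for your own custom domains are handled locally, everything else is forwarded to the upstream federation with an Operator-Name attribute (RFC 5580, namespace ‘1’ meaning a realm), and a visitor’s Access-Accept is decorated with the RFC 3580 tunnel attributes that put them on the Guest VLAN. The realm list, upstream name, operator realm and VLAN number are constructed values.

```python
# Added example (not RADNAC's code): realm-based routing of RADIUS Access-Requests
# for a federation such as eduroam. Realms, upstream and VLAN are constructed values.
from __future__ import annotations

from typing import Optional

# Constructed: the custom domains a tenant might have verified in Entra ID.
OWN_REALMS = {"example.com", "example.ac.uk"}
UPSTREAM = "federation-proxy.example"   # hypothetical upstream federation server
OPERATOR_REALM = "example.com"          # the realm we announce in Operator-Name
GUEST_VLAN = "200"                      # constructed Guest VLAN id


def split_nai(user_name: str) -> tuple[str, Optional[str]]:
    """RFC 7542 NAI: the realm is everything after the *last* '@',
    so 'a@b@example.com' belongs to realm example.com, not 'b@example.com'."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.strip().lower()


def route_access_request(user_name: str, own_realms: set[str] = OWN_REALMS,
                         upstream: str = UPSTREAM, operator_realm: str = OPERATOR_REALM) -> dict:
    """Decide whether an Access-Request is answered locally, proxied, or rejected."""
    user, realm = split_nai(user_name)
    if realm is None:
        # Policy assumption: a bare username can only be one of our own (local)
        # accounts; a federation cannot route a request with no realm, so never forward it.
        return {"action": "local", "user": user, "realm": None}
    if realm == "" or any(c.isspace() for c in realm) or "/" in realm:
        # Malformed realm: neither ours nor something the federation can route.
        return {"action": "reject", "reason": "malformed realm", "user": user}
    if realm in own_realms:
        return {"action": "local", "user": user, "realm": realm}
    # Visitor: forward upstream and tell the home site which operator they are at.
    return {
        "action": "proxy",
        "target": upstream,
        "user": user,
        "realm": realm,
        "add_attributes": {"Operator-Name": "1" + operator_realm},
    }


def reply_for_visitor_accept(decision: dict, guest_vlan: str = GUEST_VLAN) -> dict:
    """Attributes merged into an Access-Accept returned by the upstream so the NAS
    places the visitor on the Guest VLAN. Local users get their own group's VLAN instead."""
    if decision["action"] != "proxy":
        return {}
    return {
        "Tunnel-Type": "VLAN",            # 13
        "Tunnel-Medium-Type": "IEEE-802", # 6
        "Tunnel-Private-Group-Id": guest_vlan,
    }
```

Matching the realm case-insensitively and only after the last ‘@’ matters in practice: a supplicant sending `Alice@EXAMPLE.COM` must still be treated as a home user, and an outer identity such as `anonymous@example.com` with an inner identity of `alice@example.com` (EAP-TTLS) is routed by the outer one, so your own realm must never be forwarded to the federation or you create a loop.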
RADIUS SSO
You may configure a copy of RADIUS accounting (Accounting-Request packets) to be sent to a further RADIUS service, typically a firewall appliance, which can use this information to grant users SSO firewall access as they connect.
| Proxying only accounting (Accounting-Request packets) requests is only supported on the ‘Enterprise’ tier |
TLS
Covering both user authentication (EAP-TLS and EAP-TTLS) and secure connectivity between your local networking equipment (wireless access points, managed network switches, …) and RADNAC over RadSec, all certificate management is handled with Azure Key Vault, allowing you to pick a process that suits your needs:
- Use one of the Integrated Certificate Authorities (DigiCert and GlobalSign)
- ACME, maintained using a tool such as Acmebot for Azure Key Vault, which supports a number of CAs including Let’s Encrypt
- Importing manually (including scripting and automating your own process) certificates you provisioned outside of Azure:
  - Suitable for use with another CA
  - Suitable for use with your own maintained Private CA
-