How to set up the firewall for the local RADIUS instance to connect to Portnox Cloud

In this topic, you will learn how to configure your firewall to make sure that the local RADIUS instance can communicate with the Cloud.

Required firewall setup

In this section, you will find a list of FQDNs and ports that must be accessible so a local RADIUS instance can communicate with the Cloud.

You need to open the following ports on your firewall:

FQDN or IP range                                          Protocol  Ports          Direction
20.85.190.232/29                                          TCP       80, 443, 8081  Outbound
20.67.6.144/29                                            TCP       80, 443, 8081  Outbound
radius.portnox.com                                        TCP       443            Outbound
rad-events-clear-prod-eastus.servicebus.windows.net       TCP       443            Outbound
rad-events-clear-prod-westeu.servicebus.windows.net       TCP       443            Outbound
devices-ingress-clear-prod-eastus.servicebus.windows.net  TCP       443            Outbound
devices-ingress-clear-prod-westeu.servicebus.windows.net  TCP       443            Outbound
cloudcentraalstoreprodus.blob.core.windows.net            TCP       443            Outbound
cloudcentraalstoreprod.blob.core.windows.net              TCP       443            Outbound
pnxeusprdclrinstallers.blob.core.windows.net              TCP       443            Outbound
pnxweuprdclrinstallers.blob.core.windows.net              TCP       443            Outbound
logs-consolidation-prod-eastus.servicebus.windows.net     TCP       443            Outbound
logs-consolidation-prod-westeu.servicebus.windows.net     TCP       443            Outbound
Note:
These rules are relevant for local RADIUS revision 1.1.8 and above.

Failure to apply all of these rules may result in the following issues:

  • The local RADIUS server not connecting to the Cloud at all

  • The local RADIUS server failing to update with the following status: Active, Not Updated

Additionally, if you want to use the CoA functionality with a local RADIUS Docker container, you must also open the following ports:

FQDN                                                 Protocol  Ports                Direction
portnox-centraal-prod.servicebus.windows.net         TCP       80, 443, 5671, 5672  Outbound
portnox-centraal-prod-eastus.servicebus.windows.net  TCP       80, 443, 5671, 5672  Outbound
Warning:
Since Microsoft services can change their public IP addresses (as has happened in the past), we recommend avoiding the use of static IP addresses. Instead, use fully qualified domain names (FQDNs) as listed above.

If your firewall software does not support FQDNs or encounters issues, such as failing to recognize some IP addresses resolved from the FQDNs, you can use this official Azure script to retrieve the IP addresses associated with an Azure FQDN. You can then add all of these IP addresses to the firewall instead of the FQDNs. However, a resolved address list is only a snapshot: be sure to regularly monitor connectivity and re-resolve the FQDNs, as Microsoft may add or remove IP addresses over time.

Script to check connectivity

In this section, you will learn where to find a script that lets you automatically check for connectivity issues caused by firewall setup.

The Portnox team has prepared a script that lets you automatically test connectivity between a local RADIUS instance and Portnox Cloud. You only need to run this script on the local RADIUS instance as described below. The script is available on the Portnox GitHub.
  1. Log in to your local RADIUS virtual machine or the Docker host where you run your Portnox local RADIUS Docker container.
    Note:
    To access the virtual machine using SSH, follow the instructions in the following topic: How to troubleshoot the local RADIUS/TACACS+ instance using SSH.
  2. Download and run the script in a shell.

    Use one of the following methods: wget or curl. If you prefer to inspect the script before it runs, omit the final && ./localradfwtest.sh, read the downloaded file, and then run it.

    • wget https://raw.githubusercontent.com/portnox/scripts/refs/heads/main/localradfwtest.sh \
      && chmod +x localradfwtest.sh \
      && ./localradfwtest.sh
    • curl -o localradfwtest.sh \
      https://raw.githubusercontent.com/portnox/scripts/refs/heads/main/localradfwtest.sh \
      && chmod +x localradfwtest.sh \
      && ./localradfwtest.sh
    Note:
    If your Docker runs on a Windows machine using WSL (Windows Subsystem for Linux), type wsl in the Windows Search field. This will open an Ubuntu terminal window where you can run the script.
    Note:
    If your Docker runs on a macOS machine, the script may need the following prerequisites (GNU coreutils for the timeout command, and a newer bash than the one shipped with macOS):
    curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o install_homebrew.sh
    /bin/bash install_homebrew.sh
    brew install coreutils
    brew install bash
    export PATH="$(brew --prefix)/opt/coreutils/libexec/gnubin:$PATH"
    Putting the gnubin directory on PATH makes the GNU timeout available under its normal name. An alias such as alias timeout=gtimeout is not sufficient: aliases apply only to the interactive shell and are not inherited by ./localradfwtest.sh when it runs as a separate process. If the script still fails under the macOS system bash, run it with the Homebrew bash explicitly: "$(brew --prefix)/bin/bash" ./localradfwtest.sh
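The following script is an added example written for this page; it is not Portnox's localradfwtest.sh and does not come from Portnox or its GitHub. It serves both sections above: it turns the two rule tables into per-port entries, prints iptables commands for them (resolving each FQDN to its current addresses, the fallback described under the Warning), writes a resolution snapshot that can be diffed later to catch address changes, and TCP-probes each FQDN:port from the local RADIUS host. The chain name (PORTNOX_CHAIN), the use of iptables and glibc's getent, the script file name and the subcommand names are assumptions made here, not Portnox requirements; the endpoint lists are transcribed from the tables on this page.

```shell
#!/usr/bin/env bash
# Added example for this page, not Portnox's own localradfwtest.sh.
# Assumptions not taken from the page: the chain name in PORTNOX_CHAIN, the use
# of iptables and getent (glibc Linux), and that a plain TCP connect is a useful
# first check; Portnox's official script remains the authoritative test.

# Transcribed from the first table on this page: "host proto ports" per line.
PORTNOX_ENDPOINTS='
20.85.190.232/29 tcp 80,443,8081
20.67.6.144/29 tcp 80,443,8081
radius.portnox.com tcp 443
rad-events-clear-prod-eastus.servicebus.windows.net tcp 443
rad-events-clear-prod-westeu.servicebus.windows.net tcp 443
devices-ingress-clear-prod-eastus.servicebus.windows.net tcp 443
devices-ingress-clear-prod-westeu.servicebus.windows.net tcp 443
cloudcentraalstoreprodus.blob.core.windows.net tcp 443
cloudcentraalstoreprod.blob.core.windows.net tcp 443
pnxeusprdclrinstallers.blob.core.windows.net tcp 443
pnxweuprdclrinstallers.blob.core.windows.net tcp 443
logs-consolidation-prod-eastus.servicebus.windows.net tcp 443
logs-consolidation-prod-westeu.servicebus.windows.net tcp 443
'
# Second table: only needed for CoA with the local RADIUS Docker container.
PORTNOX_COA_ENDPOINTS='
portnox-centraal-prod.servicebus.windows.net tcp 80,443,5671,5672
portnox-centraal-prod-eastus.servicebus.windows.net tcp 80,443,5671,5672
'

# expand_rules: stdin "host proto p1,p2,..." -> one "host proto port" line per port.
expand_rules() {
  awk 'NF == 3 { n = split($3, p, ","); for (i = 1; i <= n; i++) print $1, $2, p[i] }'
}

# resolve_host: print an IP or CIDR unchanged; resolve an FQDN to its current
# IPv4 addresses with getent (glibc). This is a point-in-time snapshot, which is
# why the Warning above prefers FQDN rules where the firewall supports them.
resolve_host() {
  case $1 in
    *[!0-9./]*) getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# gen_iptables_rules: stdin rule lines -> iptables commands (printed, not run).
gen_iptables_rules() {
  chain=${PORTNOX_CHAIN:-OUTPUT}
  expand_rules | while read -r host proto port; do
    for ip in $(resolve_host "$host"); do
      printf 'iptables -A %s -p %s -d %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$ip" "$port"
    done
  done
}

# resolved_snapshot: stdin rule lines -> "host ip" lines. Save the output and
# diff it against a later run to detect Microsoft adding or removing addresses.
resolved_snapshot() {
  expand_rules | awk '{ print $1 }' | sort -u | while read -r host; do
    for ip in $(resolve_host "$host"); do printf '%s %s\n' "$host" "$ip"; done
  done
}

# check_endpoint HOST PORT [SECONDS]: returns 0 if a TCP connection opens, 1
# otherwise. Uses bash's /dev/tcp so no nc or nmap is needed on the RADIUS VM.
check_endpoint() {
  secs=${3:-5}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  fi
}

# check_all: stdin rule lines -> OK/FAIL per FQDN:port. CIDR rows are skipped
# because an address range cannot be probed. Returns 1 if any probe failed.
check_all() {
  fails=0
  for entry in $(expand_rules | tr ' ' ':'); do
    host=${entry%%:*}; rest=${entry#*:}; port=${rest#*:}
    case $host in */*) printf 'SKIP %s (address range)\n' "$host"; continue ;; esac
    if check_endpoint "$host" "$port"; then
      printf 'OK   %s:%s\n' "$host" "$port"
    else
      printf 'FAIL %s:%s\n' "$host" "$port"; fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Usage (assumed file name): ./portnox_fw.sh rules|snapshot|check [coa]
case "${1:-}" in
  rules|snapshot|check)
    lists=$PORTNOX_ENDPOINTS
    if [ "${2:-}" = coa ]; then lists="$lists$PORTNOX_COA_ENDPOINTS"; fi
    case $1 in
      rules)    printf '%s\n' "$lists" | gen_iptables_rules ;;
      snapshot) printf '%s\n' "$lists" | resolved_snapshot ;;
      check)    printf '%s\n' "$lists" | check_all ;;
    esac ;;
esac
```

Run ./portnox_fw.sh check on the local RADIUS VM or Docker host (add coa if you use CoA with the container); a non-zero exit means at least one endpoint was unreachable. A successful TCP connect only shows that the packet filter lets the connection out: a TLS-intercepting proxy or a blocked HTTP path can still break the connection to the Cloud, so treat this as a first pass and the official Portnox script as the authoritative test. The rules output is meant to be reviewed and then applied; because it contains literal addresses, schedule snapshot from cron and diff it against the previous run so that address changes on Microsoft's side are noticed before they show up as "Active, Not Updated".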