How do RADIUS servers work in Portnox Cloud?
In this topic, you will learn the difference between cloud RADIUS and local RADIUS servers in Portnox™ Cloud.
To secure network connections, your network devices need to communicate with AAA servers. The most common protocol used by these servers is RADIUS. Portnox Cloud lets you run cloud RADIUS servers dedicated to your organization as well as local RADIUS servers that act like proxies.
How do cloud RADIUS servers work?
-
Portnox Cloud has two RADIUS server farms in the Azure cloud. One in the United States and one in Netherlands.
-
When you create your Portnox Cloud account, you select if you want to use just one of those locations (for legal reasons) or both of them. This setting cannot be changed later.
-
If you choose both locations, you can configure your NAS devices to use just one of the two servers (for example, depending on the geographical location) or both of them (for example, prioritizing the one that is closer).
-
There is no difference between the two server farms except for their location. Both farms have real-time access to all your Portnox Cloud data and both offer the same quality of service and bandwidth.
-
When you create a cloud RADIUS server instance, you receive a unique combination of an IP address and two port numbers. This combination is not used by any other Portnox Cloud customers – it’s an instance that is dedicated to you.
-
If you configure your NAS devices to use cloud RADIUS servers, user/IoT devices attempting to connect to the network managed by these NAS devices will cause the NAS device to contact the cloud RADIUS server to authenticate the user/IoT device.
-
Cloud RADIUS servers work for you 24/7, unless you have Internet connectivity problems. To have access to cloud RADIUS functions even when your NAS devices have no connection to the Internet, see below: How do local RADIUS servers work?
-
Cloud RADIUS servers work in N+2 redundancy mode. That means that there are at least 3 instances (main and two backups) running 24/7, in each of the geographical locations, to cover for any potential problems with one of the instances.
How do local RADIUS servers work?
-
The local RADIUS server is an optional component that you can install manually in your local network.
-
The local RADIUS can be deployed as a secure virtual machine running on Tiny Core Linux or a Docker container. When you start it, it downloads the configuration from the cloud and starts responding to RADIUS queries on configured local IP address and ports. There is no remote administration, and any changes made in the console have no effect on the server at all.
-
The local RADIUS server communicates with the activated cloud RADIUS server that is geographically closest. For example, if you have both cloud RADIUS servers activated and your office with the local RADIUS server is in Europe, the local RADIUS server will communicate with the European cloud RADIUS server.
-
The local RADIUS server works as a cache. If a client device connects to the local RADIUS server and the local RADIUS server has no information about this device, it will get that information from the cloud RADIUS. If the same client device connects to the local RADIUS server later, within the fixed cache expiration time (7 days), the local RADIUS server replies with the cached information without contacting the cloud RADIUS. If you deploy the local RADIUS as a virtual machine, the cache is stored in persistence memory on the local drive and reloaded after a reboot (for example, if the local RADIUS server crashes or there is a power outage).
-
Every hour, the local RADIUS servers synchronize their cache with all other local RADIUS servers configured in the tenant. For example, if one local RADIUS server has cached information about a specific device, all other local RADIUS servers for the same tenant will also get cached information about this device from cloud RADIUS. Also, during this hourly synchronization, all entries that are more than 7 days old are purged.
-
When your local RADIUS server cannot connect to the cloud RADIUS server (for example, during an Internet outage), your NAS devices receive only information about known devices. You cannot register any new devices in Portnox Cloud until the local RADIUS server can connect to the cloud RADIUS server. If the local RADIUS cannot contact the cloud RADIUS server, it will not delete any cached information, and so cached information may stay in the local RADIUS cache indefinitely until a connection to the cloud RADIUS server is reestablished.
-
The local RADIUS server also has a fast session resumption cache, with a cache lifetime that is configured when creating or editing the local RADIUS server in Portnox Cloud. This is an EAP session resumption mechanism, completely unrelated to the primary RADIUS cache function, which lets client devices resume their network connection quickly when roaming between wireless access points. This cache only stores MAC addresses of the client devices and lets you avoid the full EAP re-authentication process when reconnecting.
-
You should configure the local RADIUS on your NAS devices as first priority, higher than the priority of cloud RADIUS server or servers. This allows the local RADIUS to act as a cache. If your NAS devices connect to the cloud RADIUS servers and not to the local RADIUS server, there will be no cached information in the local RADIUS server in case of an outage. The downside of this setup is that you will have less detailed logs, and any changes that you make in Portnox Cloud will be visible to your devices only upon cache expiration.