How do RADIUS servers work in Portnox Cloud?

In this topic, you will learn the difference between cloud RADIUS and local RADIUS servers in Portnox™ Cloud.

To secure network connections, your network devices need to communicate with AAA servers. The most common protocol used by these servers is RADIUS. Portnox Cloud lets you run cloud RADIUS servers dedicated to your organization as well as local RADIUS servers that act like proxies.

How do cloud RADIUS servers work?

  • Portnox Cloud has two RADIUS server farms in the Azure cloud: one in the United States and one in the Netherlands.

  • When you create your Portnox Cloud account, you select whether you want to use just one of those locations (for legal reasons) or both of them. This setting cannot be changed later.

  • If you choose both locations, you can configure your NAS devices to use just one of the two servers (for example, depending on the geographical location) or both of them (for example, prioritizing the one that is closer).

  • There is no difference between the two server farms except for their location. Both farms have real-time access to all your Portnox Cloud data and both offer the same quality of service and bandwidth.

  • When you create a cloud RADIUS server instance, you receive a unique combination of an IP address and two port numbers. This combination is not used by any other Portnox Cloud customers – it’s an instance that is dedicated to you.

  • If you configure your NAS devices to use cloud RADIUS servers, then whenever a user or IoT device attempts to connect to a network managed by one of these NAS devices, the NAS device contacts the cloud RADIUS server to authenticate that user or IoT device.

  • Cloud RADIUS servers work for you 24/7, unless you have Internet connectivity problems. To have access to cloud RADIUS functions even when your NAS devices have no connection to the Internet, see below: How do local RADIUS servers work?

  • Cloud RADIUS servers work in N+2 redundancy mode. That means that there are at least 3 instances (main and two backups) running 24/7, in each of the geographical locations, to cover for any potential problems with one of the instances.

How do local RADIUS servers work?

  • The local RADIUS server is an optional component that you can install manually in your local network.

  • The local RADIUS server is a secure virtual machine running on Tiny Core Linux. When you start the virtual machine, it downloads its configuration from the cloud and starts responding to RADIUS queries on the configured local IP address and ports. There is no remote administration, and any changes made in the virtual machine console have no effect on the server at all.

  • The local RADIUS server communicates with the activated cloud RADIUS server that is geographically closest. For example, if you have both cloud RADIUS servers activated and your office with the local RADIUS server is in Europe, the local RADIUS server will communicate with the European cloud RADIUS server.

  • The local RADIUS server works as a cache. If a NAS device connects to the local RADIUS server and the local RADIUS server has no information about this device, it obtains that information during the next synchronization event (synchronization happens every minute). If the same NAS device connects to the local RADIUS server again later, within the configured cache expiration time (7 days), the local RADIUS server replies with the cached information without contacting the cloud.

  • The local RADIUS server contacts the cloud RADIUS server at one-minute intervals and receives information about the latest updates. These proactive updates help keep several local RADIUS caches in sync with one another. Additionally, at one-hour intervals, the local RADIUS server performs a full synchronization with the cloud RADIUS server: it erases its old local cache and gets full information about all devices connected in the last 7 days. The cache is stored persistently on the local drive and reloaded after a reboot (for example, if the local RADIUS server crashes or there is an outage).

  • When your NAS devices cannot connect to the Internet and they connect to the local RADIUS server, they receive only information about known devices. You cannot register any new devices in Portnox Cloud until the local RADIUS server can connect to the cloud RADIUS server. If the cached information expires, which happens after 7 days of no access to the cloud RADIUS server, the local RADIUS server will no longer reply with the cached information.

  • We recommend that you configure the local RADIUS server on your NAS devices with a lower priority than the cloud RADIUS server or servers. If you need very fast response times and therefore prefer a RADIUS server in the local network, you can give the local RADIUS server a higher priority, but you will have less detailed logs, and any changes that you make in Portnox Cloud will be visible to your devices only upon cache expiration.
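The cache, sync and expiration rules in the bullets above are easiest to reason about as a small state machine. The following Python model is an added example written for this topic; it is not Portnox code and does not speak RADIUS. The `CloudRadius` stub, the JSON file layout, the device identifiers and the `accept`/`reject` decision strings are all constructed for illustration. It keeps the numbers from the text (one-minute delta sync, one-hour full resync that rebuilds the cache, 7-day expiration measured from the last successful contact with the cloud) and walks through the cases a defender cares about: a cache hit, a device that is unknown until the next sync, an Internet outage served from cache, a reboot that reloads the persisted cache, and the point at which the stale cache stops answering.

```python
"""Model of the local RADIUS cache behaviour described in this topic.

Added example, not Portnox code. Time is an integer number of seconds
passed in explicitly, so the walk-through is deterministic.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field

INCREMENTAL_SYNC = 60          # local server pulls deltas every minute
FULL_SYNC = 3600               # and rebuilds its whole cache every hour
CACHE_TTL = 7 * 24 * 3600      # cached answers expire after 7 days without the cloud


@dataclass
class CloudRadius:
    """Constructed stand-in for a cloud RADIUS instance (not a real API)."""
    devices: dict = field(default_factory=dict)   # mac -> (decision, last_seen)
    reachable: bool = True
    log: list = field(default_factory=list)       # (time, mac, decision)

    def register(self, now, mac, decision):
        """A device is registered, or its policy changed, in Portnox Cloud."""
        self.devices[mac] = (decision, now)
        self.log.append((now, mac, decision))

    def changes_since(self, t):
        """Delta sync: decisions recorded at or after time t."""
        if not self.reachable:
            raise ConnectionError("cloud RADIUS unreachable")
        return {mac: dec for ts, mac, dec in self.log if ts >= t}

    def snapshot(self, now):
        """Full sync: every device seen within the last CACHE_TTL seconds."""
        if not self.reachable:
            raise ConnectionError("cloud RADIUS unreachable")
        return {mac: dec for mac, (dec, seen) in self.devices.items()
                if now - seen <= CACHE_TTL}


class LocalRadius:
    """Caching proxy: answers only from cache, learns only via sync events."""

    def __init__(self, cloud, cache_path):
        self.cloud, self.cache_path = cloud, cache_path
        self.cache, self.last_sync, self.last_full = {}, None, None
        if os.path.exists(cache_path):           # persisted cache survives a reboot
            with open(cache_path) as f:
                state = json.load(f)
            self.cache, self.last_sync, self.last_full = (
                state["cache"], state["last_sync"], state["last_full"])

    def _persist(self):
        with open(self.cache_path, "w") as f:
            json.dump({"cache": self.cache, "last_sync": self.last_sync,
                       "last_full": self.last_full}, f)

    def tick(self, now):
        """Run whatever sync event is due at `now`; an outage never raises."""
        try:
            if self.last_full is None or now - self.last_full >= FULL_SYNC:
                self.cache = self.cloud.snapshot(now)   # erase old cache, reload all
                self.last_full = self.last_sync = now
            elif now - self.last_sync >= INCREMENTAL_SYNC:
                self.cache.update(self.cloud.changes_since(self.last_sync))
                self.last_sync = now
            else:
                return
            self._persist()
        except ConnectionError:
            pass                                     # offline: keep serving the cache

    def authenticate(self, now, mac):
        """Decision for a NAS access request, with the reason for it."""
        self.tick(now)
        if self.last_sync is None or now - self.last_sync > CACHE_TTL:
            return ("reject", "cache-expired")        # 7 days without the cloud
        if mac in self.cache:
            return (self.cache[mac], "cache")
        return ("reject", "unknown-device")          # learned at the next sync, if any


def run_scenario():
    """Walks through the cases in the text; returns {case: (decision, reason)}."""
    mac1, mac2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed identifiers
    cloud = CloudRadius()
    cloud.register(0, mac1, "accept")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "radius-cache.json")
        local = LocalRadius(cloud, path)
        out = {"known": local.authenticate(10, mac1)}            # first full sync, hit
        cloud.register(30, mac2, "accept")                       # new device in the cloud
        out["new_before_sync"] = local.authenticate(40, mac2)    # not yet synced
        out["new_after_sync"] = local.authenticate(75, mac2)     # delta sync at 75 s
        cloud.reachable = False                                  # Internet outage begins
        out["offline_hit"] = local.authenticate(3700, mac1)      # full sync fails, cache ok
        rebooted = LocalRadius(cloud, path)                      # reload persisted cache
        out["after_reboot"] = rebooted.authenticate(4000, mac2)
        out["expired"] = rebooted.authenticate(75 + CACHE_TTL + 1, mac1)
    return out


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:>16}: {outcome}")
```

Two design points carry over to a real deployment: the expiration clock is tied to the last successful contact with the cloud rather than to each cached entry, which is why a long outage turns every answer into a reject at the same moment, and a cache miss is never escalated to the cloud on the request path, so a newly registered device is only accepted after the next synchronization event.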