Configure advanced RADIUS server options

In this topic, you will learn how to configure advanced options for cloud RADIUS servers in Portnox™ Cloud.

Before you begin, you must have an active cloud RADIUS server in Portnox Cloud. To create a cloud RADIUS server, read the following topic: Create cloud RADIUS servers.

Settings described in this topic are optional and allow you to have more control over your RADIUS servers.

Note: Custom RADIUS attributes are now defined as policies, not as advanced RADIUS server options. See the following topic for more information: Create or edit a custom RADIUS attribute policy.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.

  3. Edit the security options for active RADIUS servers.
    1. Click on the selected RADIUS server to show its configuration.
    2. Click on the Edit link on the right-hand side.

    3. If you want to allow your NAS devices to communicate with the selected RADIUS server using RadSec, click on the Enable RADIUS over TLS (RadSec) checkbox to activate it.

    4. If you enabled RADIUS over TLS, click on the Download root certificate link on the right-hand side to download the root certificate file.
      You must copy this root certificate to NAS devices that support RadSec so they can communicate with the RADIUS server.
    5. In the RESTRICT ACCESS TO CLEAR RADIUS SERVICE section, you can change the setting from the default Allow access from any IP address to Allow access only from the following IP addresses.

      If you select this option, only the NAS devices with the listed public IP addresses or ranges will be able to communicate with this RADIUS server.

    6. If you selected the Allow access only from the following IP addresses option, click on the Add new IP addresses to Permitted list link. In the IP Address or CIDR IP Address range field, enter the IP address or the IP address range in CIDR format, and then click on the Add button.

    7. If you want to remove a selected IP address or range, click on the Remove link on the right-hand side of the IP address or range.
    8. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

      After you click on one of the buttons, Portnox Cloud will exit the edit mode.

  4. Manage the RADIUS anti-flood protection.
    1. If you suspect your devices are blocked due to excessive activity, click on the Blocked devices for excessive activity link.

      Your browser will open the BLOCKED DEVICES FOR EXCESSIVE ACTIVITY screen.

    2. Select the checkboxes next to the blocked devices that you want to unblock and click on the Unblock button.
    3. When finished, click on the Back button in the top-right corner.

  5. Configure RADIUS forwarding rules.

    RADIUS forwarding rules let you redirect selected RADIUS requests to other RADIUS servers.

    To configure RADIUS forwarding rules, read the following topic: Configure RADIUS forwarding rules.

  6. Modify the advanced configuration.

    At the moment, the ADVANCED CONFIGURATION section only has one option.

    1. Click on the ADVANCED CONFIGURATION heading.
      Your browser will show advanced configuration options under the ADVANCED CONFIGURATION heading.
    2. Click on the Edit link to edit advanced configuration options.
    3. Select the Use Radius request's public IP for NAS detection during VPN authentication checkbox to activate this option.

      If you turn this option on, the cloud RADIUS server will use the public IP address from the incoming RADIUS request to identify the NAS from which the VPN authentication is being initiated. This can be useful in scenarios where the NAS is located behind a NAT device or a load balancer.
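
The permitted list in step 3 accepts only public IP addresses or CIDR ranges, so it helps to review the planned entries before typing them into the portal. The following script is an added example, not part of Portnox Cloud or its documentation. The function names, the /24 breadth threshold, and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Ranges the cloud RADIUS server never sees as a source: a NAS behind NAT
# arrives with its public egress address instead.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 (CGNAT)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]
MIN_PREFIX = 24  # assumption: IPv4 ranges wider than /24 need a second look


def review_entry(entry):
    """Return findings for one planned permitted-list entry (empty = OK)."""
    try:
        iface = ipaddress.ip_interface(entry.strip())
    except ValueError:
        return ["not a valid IP address or CIDR range"]
    net, findings = iface.network, []
    if iface.ip != net.network_address:
        findings.append(f"host bits set; the range is really {net}")
    if net.version == 4:
        hit = next((n for n in NON_PUBLIC if net.overlaps(n)), None)
        if hit is not None:
            findings.append(f"overlaps non-public range {hit}")
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"very broad: {net.num_addresses} addresses")
    return findings


def review_permitted_list(entries):
    """Map each problematic entry to its findings; clean entries are omitted."""
    reviewed = ((e, review_entry(e)) for e in entries)
    return {e: f for e, f in reviewed if f}


# Constructed sample list. Documentation ranges (RFC 5737) stand in for the
# real public addresses of NAS devices.
PLANNED = [
    "203.0.113.10", "198.51.100.0/28", "192.168.10.0/24",
    "203.0.113.77/28", "0.0.0.0/0", "198.51.100.300",
]

if __name__ == "__main__":
    for entry, findings in review_permitted_list(PLANNED).items():
        print(f"{entry}: " + "; ".join(findings))
```

An entry such as 0.0.0.0/0 is reported twice because it both overlaps private space and effectively restores the Allow access from any IP address behavior.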