Configure RADIUS forwarding rules

In this topic, you will learn how to configure forwarding rules for cloud RADIUS servers.

Before you begin, you must have an active cloud RADIUS server in Portnox Cloud. To create a cloud RADIUS server, read the following topic: Create cloud RADIUS servers.

RADIUS forwarding rules let you use the cloud RADIUS servers as your main servers, but forward selected RADIUS requests to another server. This may be useful, for example, if you want selected networks or selected domains to be handled by an independent local RADIUS server or by another cloud RADIUS server. One of the main applications of this functionality is eduroam, where requests from visiting users of other institutions are forwarded to the federation's RADIUS infrastructure.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

    The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.

  3. Click on the Add custom forwarding rule in the FORWARDING RULES section to add a forwarding rule.

    Each forwarding rule has two conditions (Domain name and Network name) and an action (RADIUS Server Provider). Conditions are evaluated as a logical AND: a request matches the rule only if both the domain-name condition and the network-name condition are true. Selecting Any domain name or Any network name makes that condition always true, so a rule with both set to Any matches every request. The action can be either to process the request using the cloud RADIUS server that received the request originally, or to forward the request to another external RADIUS server.

    Cloud RADIUS servers evaluate the rules, in the order they are listed, each time they receive a RADIUS request from a NAS. The first rule that matches wins: Portnox Cloud takes the action set for that rule and does not evaluate the remaining rules. If no rule matches, the request is processed by the cloud RADIUS server that received it. Because the first match wins, put specific rules (for example, a rule that keeps your own domain local) above general ones (for example, a rule that forwards everything on a given SSID).

  4. Select the condition in the Domain name field:
    • If you want this rule to apply to all domain names, select Any domain name.

    • If you want this rule to apply to specific domains only, select Custom domain name list.

      1. Click on the Add domain name link below. In the field that appears, enter a domain name. Click on the Add button below the field.

      2. If you want this rule to apply to more domains, repeat this process by clicking on Add domain name again. If you made a mistake, click on the Remove link to the right of the domain name to remove the domain name.

    Note: The forwarding rules search for domain names in the RADIUS User-Name attribute of the requests sent by the NAS to the cloud RADIUS server, that is, the realm part of identifiers such as user@example.edu or EXAMPLE\user. For EAP authentication, the User-Name the NAS sends is the outer identity; if clients use an anonymous outer identity (for example, anonymous@example.edu), the realm must still be present in it for the rule to match.
  5. Select the condition in the Network name field:
    • If you want this rule to apply to all network names, select Any network name.

    • If you want this rule to apply to specific network names only, select Custom network name list.

      1. Click on the Add network name link below. In the field that appears, enter a network name. Click on the Add button below the field.

      2. If you want this rule to apply to more networks, repeat this process by clicking on Add network name again. If you made a mistake, click on the Remove link to the right of the network name to remove the network name.

    Note: The forwarding rules search for network names in the Called-Station-Id attribute of the requests sent by the NAS to the cloud RADIUS server. Network names can be, for example, SSIDs: for wireless access, the NAS typically sends the access point's MAC address followed by a colon and the SSID, such as AA-BB-CC-DD-EE-FF:eduroam, and the SSID part is what the rule compares against.
  6. Select the action in the RADIUS Server Provider field:
    • If you want this rule to keep the request for processing in the cloud RADIUS server that originally received the request, select Clear.

    • If you want this rule to forward the request to another RADIUS server, select Custom.

      1. Enter relevant parameters for the RADIUS server to forward the requests to: Target Authentication Host, Target Authentication Port, Target Accounting Host, Target Accounting Port, and the Shared Secret.

        Note: Each rule can define a different external RADIUS server, but all these servers must be reachable from the Internet, because the cloud RADIUS servers forward the requests from a public interface. Restrict access to the target server's RADIUS ports to the source addresses of the cloud RADIUS servers and use a long, random shared secret, since the shared secret is the only protection of a forwarded RADIUS request. Do not point a rule at one of the two cloud RADIUS servers themselves: if the forwarded request arrives at the server that originally received it, the rules are evaluated again and the request loops endlessly.
      2. Select the Add Stripped-User-Name attribute checkbox, if you want the cloud RADIUS servers to add the Stripped-User-Name attribute to the forwarded request. This attribute contains the user identifier without the domain name and its delimiter (for example, alice for alice@example.edu or EXAMPLE\alice), and may be required by some RADIUS servers.

      3. Select the Assign to a specific VLAN checkbox, if you want the cloud RADIUS servers to forward the request and suggest a specific VLAN using the Tunnel-Private-Group-ID attribute. Enter the VLAN name in the VLAN field, in the form that your NAS expects in Tunnel-Private-Group-ID.

  7. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

    After you click on one of the buttons, Portnox Cloud will exit the edit mode.

  8. To add more rules, repeat the above process by clicking on the Add custom forwarding rule link.

  9. To edit an existing rule, click on the Edit link next to the rule.

    The editing process is identical to creating a new rule.

  10. To remove an existing rule, click on the Remove link next to the rule.
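The following Python model is an added illustration of how the rules configured above are evaluated; it is not Portnox code, and the rule and request data in it are constructed. It assumes that the domain is the realm part of User-Name (after "@" or before "\"), that the network name is the text after the last colon of Called-Station-Id, that the conditions are combined with AND with "Any" always true, and that the first matching rule wins. The host names, VLAN name and shared secret are placeholders.

```python
"""Model of RADIUS forwarding-rule evaluation (added example, not Portnox code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Target:
    """Parameters of the external server a Custom action forwards to (assumed field set)."""
    auth_host: str
    auth_port: int = 1812
    acct_host: str = ""
    acct_port: int = 1813
    shared_secret: str = ""
    add_stripped_user_name: bool = False   # "Add Stripped-User-Name attribute" checkbox
    vlan: Optional[str] = None             # "Assign to a specific VLAN" checkbox


@dataclass
class Rule:
    """One rule: None in a condition means 'Any ...'; action None means 'Clear' (keep local)."""
    domains: Optional[list] = None
    networks: Optional[list] = None
    action: Optional[Target] = None


def realm_of(user_name: str) -> str:
    """Domain part of User-Name: 'alice@example.edu' -> 'example.edu', 'EXAMPLE\\alice' -> 'example'."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[1].lower()
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].lower()
    return ""


def stripped_user_name(user_name: str) -> str:
    """User identifier without domain and delimiter, as carried in Stripped-User-Name."""
    if "@" in user_name:
        return user_name.rsplit("@", 1)[0]
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def ssid_of(called_station_id: str) -> str:
    """Network name from Called-Station-Id; 'AA-BB-CC-DD-EE-FF:eduroam' -> 'eduroam' (assumed format)."""
    return called_station_id.rsplit(":", 1)[1] if ":" in called_station_id else called_station_id


def matches(rule: Rule, request: dict) -> bool:
    """Both conditions must hold; a None condition ('Any ...') is always true."""
    dom_ok = rule.domains is None or realm_of(request.get("User-Name", "")) in {d.lower() for d in rule.domains}
    net_ok = rule.networks is None or ssid_of(request.get("Called-Station-Id", "")) in set(rule.networks)
    return dom_ok and net_ok


def decide(rules: list, request: dict, own_hosts: set) -> dict:
    """First matching rule wins; no match means the receiving cloud server processes the request."""
    for rule in rules:
        if not matches(rule, request):
            continue
        if rule.action is None:
            return {"action": "clear"}
        t = rule.action
        # Forwarding to one of the cloud RADIUS servers would re-enter this evaluation: refuse it.
        if t.auth_host in own_hosts or t.acct_host in own_hosts:
            raise ValueError(f"rule targets cloud RADIUS server {t.auth_host}: forwarding loop")
        extra = {}
        if t.add_stripped_user_name:
            extra["Stripped-User-Name"] = stripped_user_name(request["User-Name"])
        if t.vlan is not None:
            extra["Tunnel-Private-Group-ID"] = t.vlan
        return {"action": "forward", "auth": (t.auth_host, t.auth_port),
                "acct": (t.acct_host, t.acct_port), "extra": extra}
    return {"action": "clear"}


# Constructed configuration: own users stay local, eduroam visitors go to the federation
# server, and a partner's users on the staff SSID go to the partner's own RADIUS server.
CLOUD_SERVERS = {"radius1.portnox.example", "radius2.portnox.example"}   # placeholders
FLR = Target("flr.example.net", 1812, "flr.example.net", 1813, "replace-me", vlan="eduroam-guests")
PARTNER = Target("radius.partner.example", shared_secret="replace-me", add_stripped_user_name=True)
RULES = [
    Rule(domains=["mycollege.edu"], networks=None, action=None),      # keep local, any SSID
    Rule(domains=None, networks=["eduroam"], action=FLR),             # any realm on eduroam
    Rule(domains=["partner.example"], networks=["Staff-WiFi"], action=PARTNER),
]

# Constructed requests as a NAS would send them (only the attributes the rules look at).
LOCAL_ON_EDUROAM = {"User-Name": "alice@mycollege.edu", "Called-Station-Id": "AA-BB-CC-DD-EE-FF:eduroam"}
VISITOR_ON_EDUROAM = {"User-Name": "anonymous@other.ac.uk", "Called-Station-Id": "AA-BB-CC-DD-EE-FF:eduroam"}
VISITOR_ON_STAFF = {"User-Name": "anonymous@other.ac.uk", "Called-Station-Id": "AA-BB-CC-DD-EE-FF:Staff-WiFi"}
PARTNER_ON_STAFF = {"User-Name": "bob@partner.example", "Called-Station-Id": "AA-BB-CC-DD-EE-FF:Staff-WiFi"}

if __name__ == "__main__":
    for req in (LOCAL_ON_EDUROAM, VISITOR_ON_EDUROAM, VISITOR_ON_STAFF, PARTNER_ON_STAFF):
        print(req["User-Name"], ssid_of(req["Called-Station-Id"]), "->", decide(RULES, req, CLOUD_SERVERS))
```

Swapping the first two rules is the classic mistake: with the eduroam rule first, your own users on the eduroam SSID are forwarded to the federation server instead of being authenticated locally, which is why order matters in the rule list.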