Does Azure Have a Cloud RADIUS Server for Network Authentication?
Keytos Team |
Does Microsoft Offer Their Own Azure RADIUS Server?
No. There currently isn’t a RADIUS server offered by Microsoft that is native to Azure. Instead, Microsoft recommends to use Network Policy Server (NPS) in an Azure virtual machine (VM) or on-premises server to provide RADIUS services for network authentication.
Microsoft still recommends using NPS Server for RADIUS, which can be deployed in Azure or on-premises.
Should I Still Run NPS Server In Azure For RADIUS Authentication?
While NPS Server can be a viable option for RADIUS authentication, there are a few major drawbacks to consider:
- Hosting: You will need to host and manage the NPS server yourself, either in a Windows Server Azure VM or on-premises. This can add a lot of cost, complexity, and maintenance overhead compared to a cloud service that is fully managed by the provider.
- High Availability: To ensure high availability, you would need to set up multiple NPS servers and configure load balancing between them. This adds additional complexity and cost to your deployment.
- Hybrid & Cloud-First Organizations: If your organization is on or moving to Entra ID, NPS requires an on-prem identity so doesn’t work without “ghost accounts” to keep track of your cloud-first devices and users. This can lead to a lot of administrative overhead and potential security risks if not managed properly.
- Integration with 3rd Party MDM Platforms: If you are using a 3rd party Mobile Device Management (MDM) platform such as Jamf or NinjaOne, NPS Server may not integrate well with these platforms, which can limit your ability to manage and secure your network effectively.
- Management: Each NPS server requires ongoing management, including patching, monitoring, and troubleshooting. This can be time-consuming and may require specialized knowledge to ensure that the server is running smoothly and securely.
From a cost perspective alone, you’re looking at thousands of dollars per month just to keep your NPS servers running between Azure VM hosting, licenses, and the time and resources required to manage and maintain the servers. This is a significant investment compared to cloud-based RADIUS solutions that are fully managed and integrated with the Microsoft ecosystem.
In the same way that most organizations have moved away from on-premises Active Directory Domain Services (AD DS) in favor of Entra ID, many organizations are also moving away from on-premises RADIUS servers in favor of cloud-based RADIUS solutions that are fully managed and integrated with the Microsoft ecosystem.
Are There Any Cloud RADIUS Solutions That Work with Azure?
Yes! While Microsoft doesn’t offer their own Azure-native RADIUS server, there are several cloud RADIUS solutions that work well with Azure, and even integrate natively with Azure billing and Microsoft services. These cloud RADIUS services take care of all the hosting, high availability, and management for you, so you can focus on securing your network and users without worrying about the underlying infrastructure.
Let’s take a look at some of the best cloud RADIUS solutions that work with Azure and Microsoft services.
EZRADIUS - Cloud RADIUS for Microsoft-First Organizations
EZRADIUS by Keytos is a cloud RADIUS server built by ex-Microsoft engineers designed to integrate seamlessly with Azure and Microsoft services. It can be deployed straight from the Azure Marketplace and billed to your subscription without a sales call or contact form to fill out, and is fully managed by Keytos, so you don’t have to worry about hosting, high availability, or management. EZRADIUS also offers native integration with Entra ID, Microsoft Intune, and Microsoft Cloud PKI, making it an ideal choice for Microsoft-first organizations looking for a cloud RADIUS solution that works seamlessly with their existing Microsoft ecosystem.
EZRADIUS supports certificate-based authentication using Microsoft Cloud PKI, AD CS, or any 3rd party certificate authority, as well as username + password authentication using Entra ID. It also supports group checks for both users and devices in Entra ID, as well as device compliance checks in Intune, allowing you to enforce granular access policies based on a wide range of conditions for zero-trust network access.
Plus, with EZRADIUS you only pay for the users and devices that actually authenticate each month, so you only pay for what you use, which can be a significant cost savings compared to hosting and managing your own NPS servers which will cost you thousands of dollars per month regardless of how many users and devices are actually authenticating.
While EZRADIUS was built with Microsoft-first organizations in mind, it also supports integrations with 3rd party MDM platforms such as Jamf and NinjaOne, making it a versatile solution if your organization uses a mix of Microsoft and non-Microsoft services.
FreeRADIUS - Open Source RADIUS Server
FreeRADIUS is a popular open-source RADIUS server that can be deployed in Azure or on-premises. While it is a powerful and flexible solution, it requires significant technical expertise to set up and manage, and it does not offer native integration with Azure or Microsoft services. Additionally, since it’s open-source, there is no official support available, which can be a concern for organizations that require reliable support for their network authentication infrastructure.
If you’re considering FreeRADIUS, be prepared to invest time and resources into managing and maintaining (and paying for) the server, and ensure that you have the necessary expertise on your team to handle any issues that may arise.
SecureW2 CloudRADIUS
SecureW2 CloudRADIUS is another cloud RADIUS solution that can integrate with Azure and Microsoft services. Like EZRADIUS, it offers support for EAP-TLS certificate-based authentication and can integrate with your Entra ID and Intune environments for network authentication.
However, SecureW2 CloudRADIUS does not have the same level of native integration with Azure and Microsoft services as EZRADIUS. Entra ID integration requires lengthy SAML configuration with support tickets, which maps your Entra ID users and groups to CloudRADIUS. Intune integration also requires manually managing app secrets that expire every year, leading to costly outages if you forget to renew the secret before it expires. While SecureW2 CloudRADIUS does check the box for Entra ID and Intune integration, the lack of native integration can lead to a lot of administrative overhead and potential security risks if not managed properly.
EZRADIUS, by contrast, has native integration with Microsoft Graph APIs, allowing for real-time user + group checks in Entra ID and device compliance checks in Intune without complex SAML configuration or any app secrets to manage, making it a more seamless and secure solution for Microsoft-first organizations.
Aruba ClearPass RADIUS
Some network vendors such as Aruba ClearPass also offer cloud RADIUS solutions that can work with Azure and Microsoft services. However, these solutions require you to purchase and manage their hardware appliances or virtual machines, as well as licenses for their software, which can be costly and complex to manage. Additionally, while they may offer some level of integration with Azure and Microsoft services, they are not built specifically for Microsoft-first organizations and may not offer the same level of seamless integration as solutions like EZRADIUS.
If you’re already using Aruba network equipment and are looking for a cloud RADIUS solution, Aruba ClearPass can the best option for you. However, if you’re looking for a cloud RADIUS solution that is built specifically for Microsoft-first organizations and offers deep integration with Azure and Microsoft services, while not locking you into a specific network vendor, EZRADIUS is likely the better choice.
Can I Bill a Cloud RADIUS Server to My Azure Subscription?
Yes! EZRADIUS can be deployed straight from the Azure Marketplace and billed directly to your Azure subscription, making it easy to manage your cloud RADIUS service alongside your other Azure services. This also allows you to take advantage of Azure’s cost management and billing features to keep track of your cloud RADIUS costs and optimize your spending. In just a few clicks you can get your EZRADIUS subscription deployed within your existing Azure subscription. Additionally, if you have an Enterprise Agreement (EA) with Microsoft, you can use your MAC (Microsoft Azure Consumption) credits to pay for your cloud RADIUS service, which can provide additional cost savings.
While SecureW2 CloudRADIUS is also listed in the Azure Marketplace, there’s no way to deploy it directly from the Marketplace like you can with EZRADIUS. Instead, you have to set up a call, go through a sales process, and then get a custom private quote to purchase the service, which can add additional time and complexity to getting started with their cloud RADIUS solution.
Do Cloud RADIUS Solutions Support Certificate-Based Authentication with Microsoft Cloud PKI?
Yes! Since Microsoft Cloud PKI issues standard X.509 certificates, any cloud RADIUS solution that supports certificate-based authentication can work with Microsoft Cloud PKI. Both EZRADIUS and RADIUSaaS support certificate-based authentication using Microsoft Cloud PKI, as well as other certificate authorities such as AD CS or 3rd party CAs.
Additionally, EZRADIUS offers deeper integration with Microsoft Intune and Entra ID, allowing you to enforce granular access policies based on device compliance and user and device group membership in Entra ID, which can provide additional security benefits for certificate-based authentication.
Conclusion - Cloud RADIUS Solutions for Azure and Microsoft Services
While Microsoft doesn’t offer their own Azure-native RADIUS server, there are several cloud RADIUS solutions that work well with Azure and Microsoft services. FreeRADIUS can be a viable option if you have the technical expertise to manage it, but it lacks native integration with Azure and Microsoft services. Aruba ClearPass can be a good option if you’re already using Aruba network equipment, but it can be costly and complex to manage. For Microsoft-first organizations looking for a cloud RADIUS solution that integrates seamlessly with Azure and Microsoft services, EZRADIUS by Keytos is likely the best choice, offering native integration with Entra ID, Microsoft Intune, and Microsoft Cloud PKI, as well as flexible authentication options and cost-effective pricing based on actual usage.
Want to learn more about how EZRADIUS can work for your Azure environment? Check out our Azure Marketplace listing or visit the EZRADIUS product page to get started! You can also book a demo if you’d like to see EZRADIUS in action and have any questions about how it can work for your specific use case before getting started (but remember, you can deploy straight from the Azure Marketplace and try it out for yourself without needing to book a demo or talk to sales!).
