Cloud RADIUS Frequently Asked Questions

Find answers to the most frequently asked questions about Keytos EZRADIUS, the leading cloud-native RADIUS Server built for Azure and Microsoft Cloud environments.

EZRADIUS Plans and Pricing

How Does RADIUS Billing Work?

We bill based on the number of unique identities (users or devices) that authenticate to EZRADIUS each month. For example, if you have 100 users in your organization but only 50 of them authenticate in a given month, you will be billed for 50 unique identities for that month. This billing model allows you to scale your RADIUS usage based on actual authentication activity, providing flexibility and cost-effectiveness for your organization.

When using Entra ID usernames + passwords, the count of unique identities is the total number of accounts that authenticated in a given month, even if they authenticated on a large number of devices (phone, laptop, tablet, etc.).

When using certificates, the count of unique identities is the total number of unique certificate subjects that authenticated in a given month. So for user certificates with the User Principal Name (UPN) as the subject, the count of unique identities would be the total number of unique users that authenticated in a given month, even if they authenticated on multiple devices. For device certificates with the device’s hostname as the subject, the count of unique identities would be the total number of unique devices that authenticated in a given month, even if they were authenticated by multiple users.

We cap the number of unique identities at the number of active users in your Entra ID tenant. This means that even if a large number of devices connect in a month, the most you will ever be billed for is the total number of Entra ID users that are active in your tenant. For example, if you have 100 users in your Entra ID tenant, but 500 devices authenticate to EZRADIUS in a month, you will only be billed for 100 unique identities for that month.

Refer to this video for a more detailed explanation of our billing model and how it works in different scenarios. We also have a pricing calculator available on our pricing page to help you estimate your monthly costs based on your expected authentication activity.

Where Can I Estimate My RADIUS Costs?

Refer to our EZRADIUS Pricing Page for detailed pricing information and to use our pricing calculator to estimate your monthly costs based on your expected authentication activity. If you have specific questions about pricing or want a personalized quote, please contact our sales team at sales@keytos.io.

Do I Need Dedicated RADIUS or is Basic RADIUS Enough for My Use Case?

99% of our customers use Basic RADIUS and never need to upgrade to Dedicated RADIUS. Basic RADIUS is a multi-tenant RADIUS service that is designed to handle the authentication needs of most organizations. It provides a cost-effective solution for RADIUS authentication with high availability and scalability. Dedicated RADIUS is a single-tenant RADIUS service that allows you to meet specific compliance or security requirements that may not be possible with a multi-tenant service. If you have specific compliance requirements that require a dedicated environment, then Dedicated RADIUS may be the right choice for you. However, for most use cases, Basic RADIUS is sufficient and provides a reliable and secure RADIUS authentication solution. Learn more about the differences on our pricing page.

I am Using EZRADIUS for Entra ID Authentication. Do I Need a Certificate Authority (CA)?

No, you do not need to set up a Certificate Authority (CA) when using EZRADIUS for Entra ID (Azure AD) authentication. However, if you are using Intune or another MDM, we recommend setting up a CA to issue device certificates for EAP-TLS authentication. This provides an additional layer of security by ensuring that only trusted devices can authenticate to your network.

How Can I Learn More About EZRADIUS and Get Support?

Want to learn more about EZRADIUS or get support? Visit our EZRADIUS Support page to explore various support options including free demos, troubleshooting guides, real-time chat, and professional services. For every customer we offer a complimentary video call with a Keytos engineer to learn about and troubleshoot EZRADIUS.

Want additional support integrating EZRADIUS into more complex networks? We also offer a paid Professional Services package which pairs you with a network expert for tailored assistance.

Hosting, Reliability, and Infrastructure

Is There Any Infrastructure I Need to Manage for EZRADIUS?

No, EZRADIUS is a fully managed cloud-native RADIUS solution. This means that Keytos takes care of all the infrastructure management, including server maintenance, software updates, security patches, and backups. You can focus on managing your RADIUS policies without worrying about the underlying infrastructure.

If you want to optionally add a local RADIUS server for an additional layer of reliability to protect against internet outages, you can use our local EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS.

What Happens if EZRADIUS is Down or We Lose Connectivity to EZRADIUS?

While the Keytos EZRADIUS platform is built for high availability and redundancy, there is always a possibility of downtime or connectivity issues. To mitigate this risk, we recommend adding one IP address from each region available in your EZRADIUS subscription to your network controllers. However, if you want network connectivity even if the internet is down, we recommend adding the local EZRADIUS proxy as a backup. This local RADIUS server can be configured to handle authentication requests in the event that EZRADIUS is unreachable during internet outages. You can use our EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS. This way, you can ensure continuous authentication services even during internet outages or other service disruptions.

Does EZRADIUS Work with Starlink Internet Connections?

Yes, EZRADIUS will work with Starlink internet connections. However, due to the nature of satellite internet, there may be higher latency and occasional connectivity interruptions compared to traditional broadband connections. To optimize performance, we recommend setting up a local RADIUS server as a backup using our EZRADIUS RADIUS Proxy. This local server can handle authentication requests during periods of high latency or connectivity issues, ensuring a smoother experience for your users.

I Have a Dynamic IP Address. Can I Still Use EZRADIUS?

Yes, you can still use EZRADIUS with a dynamic IP address, but there are some considerations to keep in mind.

Since classic RADIUS requires EZRADIUS to know your IP address in advance, using a dynamic IP address with classic RADIUS can lead to broken connectivity whenever your IP address changes. Most residential ISPs provide dynamic IP addresses, so if you are using EZRADIUS in a home or small office environment, this can be a common issue. If you have a dynamic IP address, you can either use RadSec or run a local Classic RADIUS proxy server.

With RadSec (RADIUS over TLS), we use certificates instead of IP addresses to match your RADIUS policies. This means that even if the IP address of your network controller changes, as long as the certificate remains valid, your RADIUS authentication will continue to work without interruption. Learn more about setting up RadSec policies here.

Another way is to deploy a local EZRADIUS RADIUS Proxy in your network that handles Classic RADIUS authentication locally. The local proxy can then securely connect to EZRADIUS using an outbound HTTPS connection, which does not require a static IP address. This way, even if your public IP address changes, the local proxy will maintain connectivity with EZRADIUS.

Is there an on-premises version of EZRADIUS for disaster recovery (DR) or internet outages?

Yes, you can run the free local EZRADIUS proxy within your network to proxy RADIUS authentication requests to EZRADIUS. During internet outages or other service disruptions, the local proxy can use cached credentials to authenticate users until the connection to the EZRADIUS servers can be re-established. The local proxy was designed with a small footprint so that it can run in a small VM or even on a Raspberry Pi device.

Network Controllers and Hardware

Does EZRADIUS work with my Wi-Fi vendor (Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, Meraki, etc.)?

Yes, EZRADIUS is compatible with a wide range of wireless vendors, including Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, and Meraki. More information is available here. Our solution is designed to integrate seamlessly with various RADIUS-enabled access points and wireless controllers. If you have a specific vendor in mind that you’re unsure about, please contact our support team for confirmation.

My Networking Gear Doesn’t Support RadSec, What Do I Do?

The EAP-TLS and EAP-TTLS protocols encrypt communication between the client and the RADIUS server. Even if your networking gear does not support RadSec, you can still securely use Classic RADIUS. Our What are the Differences Between Classic RADIUS and RadSec? article goes into additional detail.

While certain metadata (such as whether an authentication succeeded or failed) is not encrypted, there is no risk of credentials being exposed. If you are using less secure protocols, such as PAP or MAC Address Bypass (MAB), you can use our EZRADIUS RADIUS Proxy to perform the unencrypted authentication locally within your network, and then have the proxy securely connect to our RADIUS server using HTTPS. This way your credentials are always protected.

Can I Use EZRADIUS With My VPN Solution?

It depends on your VPN setup. If your VPN supports certificate authentication, EZRADIUS will work without any issues. However, if your VPN solution relies on username and password authentication, it may not work with EZRADIUS Entra ID integration. This is because Entra ID requires modern authentication methods that may not be supported by all VPN solutions. If your VPN does not support certificate authentication, we recommend exploring alternative authentication or enabling local accounts in EZRADIUS to ensure compatibility.

NPS Works with Older RADIUS Protocols, such as PAP and CHAP. Does EZRADIUS Support These Protocols?

Yes, EZRADIUS supports a wide range of RADIUS protocols, including older ones like PAP and CHAP. We have more information here. However, they are only supported when using local accounts in EZRADIUS. If you are using Entra ID (Azure AD) integration, we recommend using more secure authentication methods such as EAP-TLS or EAP-TTLS to ensure the highest level of security for your RADIUS authentication.

Does EZRADIUS Support MFA with Entra ID WiFi or VPN Authentication?

No, we do not support MFA with Entra ID WiFi or VPN authentication. The reason for this is that the RADIUS protocol does not have a built-in mechanism to handle multi-factor authentication (MFA) challenges and responses. While Entra ID (Azure AD) supports MFA for web-based applications and services, it does not extend this functionality to RADIUS-based authentication. As a result, when using EZRADIUS with Entra ID, the authentication process is limited to single-factor authentication methods such as username/password or certificate-based authentication. Read more about why RADIUS with MFA is a bad idea.

Hybrid and On-Premises Integrations

Can I Use EZRADIUS with my On-Premises Active Directory?

No, EZRADIUS does not currently support direct integration with on-premises Active Directory. EZRADIUS is designed to work with cloud-based identity providers such as Entra ID (Azure AD) to provide secure and scalable RADIUS authentication services. If you need to integrate with on-premises Active Directory, we recommend exploring hybrid identity solutions that synchronize your on-premises AD with Entra ID, allowing you to leverage EZRADIUS for authentication while maintaining your existing directory infrastructure.

Integrations and Partnerships

Do I Need an Entra ID Tenant to Use EZRADIUS?

Yes, an Entra ID (formerly Azure AD) tenant is currently required to create an EZRADIUS subscription. This allows you to sign in to the EZRADIUS portal using your Entra ID credentials and manage your RADIUS policies and settings. From there you can continue to use Entra ID as your identity provider for RADIUS authentication with your users, or you can configure certificate-based authentication, local accounts, or MAC Address Bypass (MAB) as alternative authentication methods which do not require Entra ID for your RADIUS users. Visit the Entra ID website for more information on creating an Entra ID tenant if you don’t already have one.

Does EZRADIUS Integrate with Other Identity Providers Like Okta or Ping Identity?

Not yet. Currently, EZRADIUS is designed to work specifically with Entra ID (formerly Azure AD) as the identity provider. We do not currently support other identity providers such as Okta, Ping Identity, or others. However, we are constantly exploring new integrations and partnerships to expand our offerings and provide more options for our customers. If you have a specific identity provider in mind, please reach out to our sales team to discuss potential future integrations.

Do I Need Microsoft Intune to Use EZRADIUS with Entra ID?

No, you do not need Intune to use EZRADIUS with Entra ID (formerly Azure AD). EZRADIUS can work with Entra ID independently of Intune, using other popular MDM solutions like Jamf or by leveraging self-service certificate + WiFi profile support within EZRADIUS. These allow you to push WiFi profiles and certificates (if you’re using EAP-TLS) to your devices without requiring Intune.

Does EZRADIUS Support Multi-Factor Authentication (MFA) when Using Entra ID Username/Password Authentication?

No, EZRADIUS does not support Multi-Factor Authentication (MFA) when using Entra ID (formerly Azure AD) Username/Password authentication. This is due to limitations in the RADIUS protocol, which does not natively support MFA challenges and responses. As a result, when using EZRADIUS with Entra ID for username/password authentication, only single-factor authentication methods are supported. For enhanced security, we recommend using certificate-based authentication methods such as EAP-TLS, which provide strong security without relying on MFA. Refer to this guide for more information on adding an exception to your Conditional Access policies for RADIUS authentication.

Can I Use EZRADIUS with Multiple Entra ID Tenants for User Authentication?

Partially, and only for EAP-TLS certificate authentication. When configuring your EZRADIUS Access Policies, you can add any certificate authority (CA) which issues certificates to users/devices in any Entra ID tenant. When the certificate is presented to EZRADIUS, it will validate the certificate irrespective of the user or device’s Entra ID tenant and complete the authentication. However, advanced features like Entra ID group checks and Intune device compliance checks will not work for users and devices not in the primary Entra ID tenant where the EZRADIUS subscription is configured.

For EAP-TTLS Entra ID username + password authentication, EZRADIUS only works for users within the primary Entra ID tenant where the subscription was created. Any users from outside this main tenant cannot authenticate and will require a separate EZRADIUS subscription and access policies.

How Can I Create SCEP Certificates for EZRADIUS?

SCEP certificates are a great way to automate the issuance and management of device certificates for EAP-TLS authentication with EZRADIUS. You can use a variety of SCEP providers to create and manage these certificates, including Microsoft Intune, Jamf, and other third-party SCEP services.

Alternatively, you can leverage self-service certificate + WiFi profile support within EZRADIUS to allow users to request and install their own certificates for EAP-TLS authentication, leveraging an EZCA SCEP CA. This approach simplifies the certificate management process and reduces the administrative overhead associated with traditional certificate issuance methods.

Devices and Compatibility

Do I Need to Push WiFi Profiles to My Devices?

In most cases, yes, you will need to push WiFi profiles to your devices to ensure they are configured correctly for RADIUS authentication with EZRADIUS. WiFi profiles contain the necessary settings, such as SSID, security type, and authentication method, that allow devices to connect to your RADIUS-enabled network. For example, iOS doesn’t default to using EAP-TTLS for Entra ID Username/Password authentication, so you will need to push a profile to configure this setting. You can either use an MDM solution like Intune or Jamf to push these profiles, or leverage self-service certificate + WiFi profile support within EZRADIUS to allow users to request and install their own profiles.

I Didn’t Add MAC Address Bypass (MAB) to My Network Policy But I am Still Seeing MAB Authentication Attempts. Why is This Happening?

When a device cannot complete the full EAP authentication (for example, if it doesn’t support EAP-TLS or EAP-TTLS), many network controllers will automatically fall back to using MAC Address Bypass (MAB) as a last resort. This is a common behavior in many networking devices to ensure that devices can still connect to the network even if they don’t support the primary authentication methods. Some network controllers may have configuration settings that allow you to disable this automatic fallback to MAB. Check your network controller’s documentation or settings to see if there is an option to disable MAB entirely or to prevent it from being used as a fallback method.

Compliance and Security

Is EZRADIUS SOC 2 Type 2 Compliant?

Yes, Keytos and EZRADIUS are SOC 2 Type 2 compliant, and we have successfully completed the SOC 2 Type 2 audit. This means that we have implemented and maintained effective controls to ensure the security, availability, processing integrity, confidentiality, and privacy of our systems and data.

Copies of our SOC 2 Type 2 report are available within your EZRADIUS portal under the Trust Center section. If you have any questions or need further information about our compliance, please contact our support team.

Is EZRADIUS ISO 27001 Certified?

Yes, Keytos and EZRADIUS are ISO 27001 certified, demonstrating our commitment to maintaining a robust information security management system (ISMS). This certification ensures that we follow best practices for managing sensitive information and protecting our customers’ data.

Copies of our ISO 27001 certificate are available within your EZRADIUS portal under the Trust Center section. If you have any questions or need further information about our certification, please contact our support team.

Help and Support

How Can I Get Support for EZRADIUS?

If you need support for EZRADIUS, there are several options available to you:

  • EZRADIUS Documentation: Our comprehensive documentation provides detailed guides, troubleshooting steps, and best practices for using EZRADIUS. You can access the documentation here.
  • EZRADIUS Portal: Log in to your EZRADIUS portal to access support resources, including the ability to submit support tickets directly to our team. Subscriptions with Premium Support also have access to a dedicated support line for faster response times.
  • Email Support: You can reach out to our support team via email at support@keytos.io.
  • Real-Time Chat: For immediate assistance, you can use the real-time chat feature available on our website. We have an AI Agent trained specifically on EZRADIUS to help answer your questions and troubleshoot any issues you may encounter, but you can also escalate to a live support agent at any time if you need more in-depth assistance.
  • Professional Services: For help integrating EZRADIUS into your network or for more complex troubleshooting, we offer a paid Professional Services package that pairs you with a network expert for tailored assistance. Email our sales team at sales@keytos.io to inquire about a Deployment Consultation or to learn more about our Professional Services offerings.