Cloud RADIUS Frequently Asked Questions

Find answers to the most frequently asked questions about Keytos EZRADIUS, the leading cloud-native RADIUS Server built for Azure and Microsoft Cloud environments.

EZRADIUS Plans and Pricing

How Does RADIUS Billing Work?

We bill based on the number of unique identities (users or devices) that authenticate to EZRADIUS each month. For example, if you have 100 users in your organization but only 50 of them authenticate in a given month, you will be billed for 50 unique identities for that month. This billing model allows you to scale your RADIUS usage based on actual authentication activity, providing flexibility and cost-effectiveness for your organization. However, if you are using device based authentication or a mix between users and devices, we cap the number of unique identities at the number of active users in your Entra ID tenant. This means that even if users authenticate on multiple device (phone, tablet, laptop, desktop, etc.) the most you will ever be billed for is the total number of Entra ID users that are active in your tenant. For example, if you have 100 users in your Entra ID tenant, but 200 devices authenticate to EZRADIUS in a month, you will only be billed for 100 unique identities for that month.

Do I Need Dedicated RADIUS or is Basic RADIUS Enough for My Use Case?

99% of our customers use Basic RADIUS and never need to upgrade to Dedicated RADIUS. Basic RADIUS is a multi-tenant RADIUS service that is designed to handle the authentication needs of most organizations. It provides a cost-effective solution for RADIUS authentication with high availability and scalability. Dedicated RADIUS is a single-tenant RADIUS service that allows you to meet specific compliance or security requirements that may not be possible with a multi-tenant service. If you have specific compliance requirements that requires a dedicated environment, then Dedicated RADIUS may be the right choice for you. However, for most use cases, Basic RADIUS is sufficient and provides a reliable and secure RADIUS authentication solution. Learn more about the differences in our pricing page.

I am Using EZRADIUS for Entra ID Authentication. Do I Need a Certificate Authority (CA)?

No, you do not need to set up a Certificate Authority (CA) when using EZRADIUS for Entra ID (Azure AD) authentication. However, if you are using Intune or another MDM we recommend setting up a CA to issue device certificates for EAP-TLS authentication. This provides an additional layer of security by ensuring that only trusted devices can authenticate to your network.

How Can I Learn More About EZRADIUS and Get Support

Want to learn more about EZRADIUS or get support? Visit our EZRADIUS Support page to explore various support options including free demos, troubleshooting guides, real-time chat, and professional services. For every customer we offer a complimentary video call with a Keytos engineer to learn about and troubleshoot EZRADIUS.

Want additional support integrating EZRADIUS into more complex networks? We also offer a paid Professional Services package which pairs you with a network expert for tailored assistance.

Hosting, Reliability, and Infrastructure

Is There Any Infrastructure I Need to Manage for EZRADIUS?

No, EZRADIUS is a fully managed cloud-native RADIUS solution. This means that Keytos takes care of all the infrastructure management, including server maintenance, software updates, security patches, and backups. You can focus on managing your RADIUS policies without worrying about the underlying infrastructure.

If you want to optionally add a local RADIUS server for an additional layer of reliability, you can use our local EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS.

What Happens if EZRADIUS is Down or We Lose Connectivity to EZRADIUS?

While the Keytos EZRADIUS platform is built for high availability and redundancy, there is always a possibility of downtime or connectivity issues. To mitigate this risk, we recommend adding one IP address from each region available in your EZRADIUS subscription to your network controllers. However, if you want network connectivity even if the internet is down, we recommend implementing a local RADIUS server as a backup. This local RADIUS server can be configured to handle authentication requests in the event that EZRADIUS is unreachable. You can use our EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS. This way, you can ensure continuous authentication services even during outages.

Yes, EZRADIUS will work with Starlink internet connections. However, due to the nature of satellite internet, there may be higher latency and occasional connectivity interruptions compared to traditional broadband connections. To optimize performance, we recommend setting up a local RADIUS server as a backup using our EZRADIUS RADIUS Proxy. This local server can handle authentication requests during periods of high latency or connectivity issues, ensuring a smoother experience for your users.

I Have a Dynamic IP Address. Can I Still Use EZRADIUS?

Yes, you can still use EZRADIUS with a dynamic IP address, but there are some considerations to keep in mind.

Since classic RADIUS requires EZRADIUS to know your IP address in advance, using a dynamic IP address with classic RADIUS can lead to broken connectivity whenever your IP address changes. Most residential ISPs provide dynamic IP addresses, so if you are using EZRADIUS in a home or small office environment, this can be a common issue. If you have a dynamic IP address, you can either use RadSec or run a local Classic RADIUS proxy server.

With RadSec (RADIUS over TLS), we use certificates instead of IP addresses to match your RADIUS policies. This means that even if the IP address of your network controller changes, as long as the certificate remains valid, your RADIUS authentication will continue to work without interruption. Learn more about setting up RadSec policies here.

Another way is to deploy a local EZRADIUS RADIUS Proxy in your network that handles Classic RADIUS authentication locally. The local proxy can then securely connect to EZRADIUS using an outbound HTTPS connection, which does not require a static IP address. This way, even if your public IP address changes, the local proxy will maintain connectivity with EZRADIUS.

Network Controllers and Hardware

Does EZRADIUS work with my Wi-Fi vendor (Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, Meraki, etc.)?

Yes, EZRADIUS is compatible with a wide range of wireless vendors, including Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, and Meraki. More information is available here Our solution is designed to integrate seamlessly with various RADIUS-enabled access points and wireless controllers. If you have a specific vendor in mind that you’re unsure about, please contact our support team for confirmation.

My Networking Gear Doesn’t Support RadSec, What Do I Do?

The EAP-TLS and EAP-TTLS protocols encrypt communication between the client and the RADIUS server. Even if your networking gear does not support RadSec, you can still securely use Classic RADIUS. Our What are the Differences Between Classic RADIUS and RadSec? article goes into additional detail.

While certain metadata (such as whether an authentication succeeded or failed) is not encrypted, there is no risk of credentials being exposed. If you are using less secure protocols, such as PAP or Mac Address Bypass (MAB), you can use our EZRADIUS RADIUS Proxy to perform the unencrypted authentication locally within your network, and then have the proxy securely connect to our RADIUS server using HTTPS. This way your credentials are always protected.

Can I Use EZRADIUS With My VPN Solution?

It depends on your VPN setup. If your VPN supports certificate authentication, EZRADIUS will work without any issues. However, if your VPN solution relies on username and password authentication, it may not work with EZRADIUS Entra ID integration. This is because Entra ID requires modern authentication methods that may not be supported by all VPN solutions. If your VPN does not support certificate authentication, we recommend exploring alternative authentication or enabling local accounts in EZRADIUS to ensure compatibility.

NPS Works with Older RADIUS Protocols, such as PAP and CHAP. Does EZRADIUS support These protocols?

Yes, EZRADIUS supports a wide range of RADIUS protocols, including older ones like PAP and CHAP. We have more information here. However, they are only supported when using local accounts in EZRADIUS. If you are using Entra ID (Azure AD) integration, we recommend using more secure authentication methods such as EAP-TLS or EAP-TTLS to ensure the highest level of security for your RADIUS authentication.

Does EZRADIUS Support MFA with Entra ID Wifi Authentication?

No, we do not support MFA with Entra ID Wifi authentication. The reason for this is that the RADIUS protocol does not have a built-in mechanism to handle multi-factor authentication (MFA) challenges and responses. While Entra ID (Azure AD) supports MFA for web-based applications and services, it does not extend this functionality to RADIUS-based authentication. As a result, when using EZRADIUS with Entra ID, the authentication process is limited to single-factor authentication methods such as username/password or certificate-based authentication. Read more about why RADIUS with MFA is a bad idea.

Hybrid and On-Premises Integrations

Can I Use EZRADIUS with my On-Premises Active Directory?

No, EZRADIUS does not currently support direct integration with on-premises Active Directory. EZRADIUS is designed to work with cloud-based identity providers such as Entra ID (Azure AD) to provide secure and scalable RADIUS authentication services. If you need to integrate with on-premises Active Directory, we recommend exploring hybrid identity solutions that synchronize your on-premises AD with Entra ID, allowing you to leverage EZRADIUS for authentication while maintaining your existing directory infrastructure.

Integrations and Partnerships

Does EZRADIUS Integrate with Other Identity Providers Like Okta or Ping Identity?

Not yet, currently EZRADIUS is designed to work specifically with Entra ID (formerly Azure AD) as the identity provider. We do not currently support other identity providers such as Okta, Ping Identity, or others. However, we are constantly exploring new integrations and partnerships to expand our offerings and provide more options for our customers. If you have a specific identity provider in mind, please reach out to our sales team to discuss potential future integrations.

Do I Need Intune to Use EZRADIUS with Entra ID?

No, you do not need Intune to use EZRADIUS with Entra ID (formerly Azure AD). EZRADIUS can work with Entra ID independently of Intune, using other popular MDM solutions like Jamf or by leveraging self-service certificate + WiFi profile support within EZRADIUS. These allow you to push WiFi profiles and certificates (if you’re using EAP-TLS) to your devices without requiring Intune.

How Can I Create SCEP Certificates for EZRADIUS?

SCEP certificates are a great way to automate the issuance and management of device certificates for EAP-TLS authentication with EZRADIUS. You can use a variety of SCEP providers to create and manage these certificates, including Microsoft Intune, Jamf, and other third-party SCEP services.

Alternately, you can leverage self-service certificate + WiFi profile support within EZRADIUS to allow users to request and install their own certificates for EAP-TLS authentication, leveraging an EZCA SCEP CA. This approach simplifies the certificate management process and reduces the administrative overhead associated with traditional certificate issuance methods.

Devices and Compatibility

Do I Need to Push WiFi Profiles to My Devices?

In most cases, yes, you will need to push WiFi profiles to your devices to ensure they are configured correctly for RADIUS authentication with EZRADIUS. WiFi profiles contain the necessary settings, such as SSID, security type, and authentication method, that allow devices to connect to your RADIUS-enabled network. For example, iOS doesn’t default to using EAP-TTLS for Entra ID Username/Password authentication, so you will need to push a profile to configure this setting. You can either use an MDM solution like Intune or Jamf to push these profiles, or leverage self-service certificate + WiFi profile support within EZRADIUS to allow users to request and install their own profiles.