Cloud RADIUS Frequently Asked Questions
EZRADIUS Plans and Pricing
How Does RADIUS Billing Work?
We bill based on the number of unique identities (users or devices) that authenticate to EZRADIUS each month. For example, if you have 100 users in your organization but only 50 of them authenticate in a given month, you will be billed for 50 unique identities for that month. This billing model allows you to scale your RADIUS usage based on actual authentication activity, providing flexibility and cost-effectiveness for your organization. However, if you are using device based authentication or a mix between users and devices, we cap the number of unique identities at the number of active users in your Entra ID tenant. This means that even if users authenticate on multiple device (phone, tablet, laptop, desktop, etc.) the most you will ever be billed for is the total number of Entra ID users that are active in your tenant. For example, if you have 100 users in your Entra ID tenant, but 200 devices authenticate to EZRADIUS in a month, you will only be billed for 100 unique identities for that month.
Do I Need Dedicated RADIUS or is Basic RADIUS Enough for My Use Case?
99% of our customers use Basic RADIUS and never need to upgrade to Dedicated RADIUS. Basic RADIUS is a multi-tenant RADIUS service that is designed to handle the authentication needs of most organizations. It provides a cost-effective solution for RADIUS authentication with high availability and scalability. Dedicated RADIUS is a single-tenant RADIUS service that allows you to meet specific compliance or security requirements that may not be possible with a multi-tenant service. If you have specific compliance requirements that requires a dedicated environment, then Dedicated RADIUS may be the right choice for you. However, for most use cases, Basic RADIUS is sufficient and provides a reliable and secure RADIUS authentication solution.
I am Using EZRADIUS for Entra ID Authentication. Do I Need a Certificate Authority (CA)?
No, you do not need to set up a Certificate Authority (CA) when using EZRADIUS for Entra ID (Azure AD) authentication. However, if you are using Intune or another MDM we recommend setting up a CA to issue device certificates for EAP-TLS authentication. This provides an additional layer of security by ensuring that only trusted devices can authenticate to your network.
Hosting, Reliability, and Infrastructure
Is There Any Infrastructure I Need to Manage for EZRADIUS?
No, EZRADIUS is a fully managed cloud-native RADIUS solution. This means that Keytos takes care of all the infrastructure management, including server maintenance, software updates, security patches, and backups. You can focus on managing your RADIUS policies without worrying about the underlying infrastructure.
If you want to optionally add a local RADIUS server for an additional layer of reliability, you can use our local EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS.
What Happens if EZRADIUS is Down or We Lose Connectivity to EZRADIUS?
While the Keytos EZRADIUS platform is built for high availability and redundancy, there is always a possibility of downtime or connectivity issues. To mitigate this risk, we recommend adding one IP address from each region available in your EZRADIUS subscription to your network controllers. However, if you want network connectivity even if the internet is down, we recommend implementing a local RADIUS server as a backup. This local RADIUS server can be configured to handle authentication requests in the event that EZRADIUS is unreachable. You can use our EZRADIUS RADIUS Proxy to easily set up a local backup RADIUS server that syncs with EZRADIUS. This way, you can ensure continuous authentication services even during outages.
We are Using Starlink for our Internet Connection, will EZRADIUS work with Starlink?
Yes, EZRADIUS will work with Starlink internet connections. However, due to the nature of satellite internet, there may be higher latency and occasional connectivity interruptions compared to traditional broadband connections. To optimize performance, we recommend setting up a local RADIUS server as a backup using our EZRADIUS RADIUS Proxy. This local server can handle authentication requests during periods of high latency or connectivity issues, ensuring a smoother experience for your users.
Network Controllers and Hardware
Does EZRADIUS work with my Wi-Fi vendor (Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, Meraki, etc.)?\
Yes, EZRADIUS is compatible with a wide range of wireless vendors, including Ubiquiti, Cisco, Aruba, MikroTik, Fortinet, and Meraki. More information is available here Our solution is designed to integrate seamlessly with various RADIUS-enabled access points and wireless controllers. If you have a specific vendor in mind that you’re unsure about, please contact our support team for confirmation.
My Networking Gear Doesn’t Support RadSec, What Do I Do?
The EAP-TLS and EAP-TTLS protocols encrypt communication between the client and the RADIUS server. Even if your networking gear does not support RadSec, you can still securely use Classic RADIUS. Our What are the Differences Between Classic RADIUS and RadSec? article goes into additional detail.
While certain metadata (such as whether an authentication succeeded or failed) is not encrypted, there is no risk of credentials being exposed. If you are using less secure protocols, such as PAP or Mac Address Bypass (MAB), you can use our EZRADIUS RADIUS Proxy to perform the unencrypted authentication locally within your network, and then have the proxy securely connect to our RADIUS server using HTTPS. This way your credentials are always protected.
Can I Use EZRADIUS With My VPN Solution?
It depends on your VPN setup. If your VPN supports certificate authentication, EZRADIUS will work without any issues. However, if your VPN solution relies on username and password authentication, it may not work with EZRADIUS Entra ID integration. This is because Entra ID requires modern authentication methods that may not be supported by all VPN solutions. If your VPN does not support certificate authentication, we recommend exploring alternative authentication or enabling local accounts in EZRADIUS to ensure compatibility.
NPS Works with Older RADIUS Protocols, such as PAP and CHAP. Does EZRADIUS support These protocols?
Yes, EZRADIUS supports a wide range of RADIUS protocols, including older ones like PAP and CHAP. We have more information here. However, they are only supported when using local accounts in EZRADIUS. If you are using Entra ID (Azure AD) integration, we recommend using more secure authentication methods such as EAP-TLS or EAP-TTLS to ensure the highest level of security for your RADIUS authentication.
Does EZRADIUS Support MFA with Entra ID Wifi Authentication?
No, we do not support MFA with Entra ID Wifi authentication. The reason for this is that the RADIUS protocol does not have a built-in mechanism to handle multi-factor authentication (MFA) challenges and responses. While Entra ID (Azure AD) supports MFA for web-based applications and services, it does not extend this functionality to RADIUS-based authentication. As a result, when using EZRADIUS with Entra ID, the authentication process is limited to single-factor authentication methods such as username/password or certificate-based authentication. Read more about why RADIUS with MFA is a bad idea.
Hybrid and On-Premises Integrations
Can I Use EZRADIUS with my On-Premises Active Directory?
No, EZRADIUS does not currently support direct integration with on-premises Active Directory. EZRADIUS is designed to work with cloud-based identity providers such as Entra ID (Azure AD) to provide secure and scalable RADIUS authentication services. If you need to integrate with on-premises Active Directory, we recommend exploring hybrid identity solutions that synchronize your on-premises AD with Entra ID, allowing you to leverage EZRADIUS for authentication while maintaining your existing directory infrastructure.