Common RADIUS Reference Architectures on Keytos Docs

How-To: Add a Default/Fallback RADIUS Policy That Matches When No Other Policies Match

Fri, 24 Apr 2026 12:00:00 -0700

Overview - How to Add a Default/Fallback RADIUS Policy

When designing your RADIUS architecture in EZRADIUS, it’s important to consider what happens when a user’s authentication request does not match any of your defined access policies. By default, if no access policies match an authentication request, the request will be rejected and the user will not be authenticated to the network. However, you may want to have a default or fallback access policy that matches any incoming authentication request with a valid certificate or valid Entra ID credentials, even if the request does not meet the specific conditions of your other access policies. This default/fallback policy can be used to ensure that users are still able to authenticate to the network and get some level of access, even if their device or user attributes do not match any of your more specific access policies.

How-To: Control RADIUS Policies and Behavior Based on Entra ID Group Membership

Fri, 24 Apr 2026 12:00:00 -0700

Overview - How to Match RADIUS Policies on Entra ID Group Membership

In this pattern, you can use a user or device’s Entra ID group membership to control authentication behavior. A common use case of this is to place devices in different VLANs based on their Entra ID group membership. This approach allows you to segment your network based on user or device attributes, enhancing security and ensuring that different groups of users or devices have access to the resources they need while restricting access for others.

How-To: Control RADIUS Policies and Behavior Based on Intune Device Compliance

Fri, 24 Apr 2026 12:00:00 -0700

Overview - How to Match RADIUS Policies on Intune Device Compliance

In this pattern, you can use a device’s Intune compliance state to control authentication behavior. A common use case of this is to place compliant devices in a separate VLAN than non-compliant devices. This approach allows you to segment your network based on device compliance, enhancing security and ensuring that compliant devices have access to the resources they need while restricting non-compliant devices.

How-To: Control RADIUS Policies and Behavior Based on SSID Name

Fri, 24 Apr 2026 12:00:00 -0700

Overview - How to Control Authentication and Access Policies Based on SSID Name

In this pattern, you can use EZRADIUS to control RADIUS policies and behavior based on the SSID name that a device is connecting to. This approach allows you to create different access policies for different SSIDs, enabling you to segment your network and apply specific authentication and authorization rules based on the network a device is connecting to. For example, you could have one SSID for corporate-owned devices that requires certificate-based authentication and places devices in a secure VLAN, and another SSID for BYOD devices that uses Entra ID authentication and places devices in a separate VLAN with more restricted access.

How-To: Control RADIUS Policies and Behavior for BYOD/Personal Devices

Fri, 24 Apr 2026 12:00:00 -0700

Overview - How to Control RADIUS Policies and Behavior for BYOD/Personal Devices

In this pattern, you can have separate RADIUS policies for BYOD and corporate-owned devices. This approach allows you to segment your network and VLANs based on device ownership, enhancing security and ensuring that corporate-owned devices have access to the resources they need while restricting personal BYOD devices.

How Are Devices Evaluated for Ownership?

There are a couple different ways to separate BYOD devices from corporate-owned devices in EZRADIUS, depending on how you want to evaluate device ownership: