How-To: Create Cloud RADIUS Network Policies for Local User Authentication

This page walks through setting up an EZRADIUS access policy for local users using PAP, MSCHAPv2, and EAP-TTLS. This lets legacy devices and users without certificates authenticate against Cloud RADIUS.

Prerequisites

Introduction to Managing Cloud RADIUS Network Policies in EZRADIUS

The Policies page in EZRADIUS allows you to create and manage your Cloud RADIUS network policies. Each policy defines the conditions under which a user or device can connect to your network, including authentication methods, accepted certificate authorities, and access policies.

Visit the Manage RADIUS Policies guide to learn more about the Policies page layout and features.

How to Create Cloud RADIUS Network Policies with Local User Authentication

Now that you are familiar with the layout of the Policies page in EZRADIUS, you can set up a new RADIUS network policy that uses local users for authentication. These are commonly used with PAP, MSCHAPv2, and EAP-TTLS authentication methods for legacy devices or users without certificates. The following steps will guide you through the process.

Step 1: Name Your RADIUS Server Policy

Begin by entering a friendly name for your RADIUS server policy. This name is for your records to help you identify the policy later. Behind the scenes, EZRADIUS will create a unique identifier for the policy, so feel free to choose a name that makes sense to you.

Input field to name your RADIUS server policy in EZRADIUS

Step 2: Enable RadSec and/or Classic RADIUS

Next, enable the way your RADIUS clients will talk to Cloud RADIUS: RadSec, Classic RADIUS, or both.

EZRADIUS Cloud RADIUS Network Policy select RadSec and Classic RADIUS

How to Set Up Classic RADIUS for Cloud RADIUS

For Classic RADIUS, you need to specify the IP addresses of your RADIUS clients (e.g., access points, switches). These are the public IP addresses that will be allowed to communicate with your Cloud RADIUS server. We also use these IP addresses to attribute RADIUS requests to the correct policy for audit logs and reporting.

There are two ways to add IP addresses to your RADIUS policy: manually adding them one by one or uploading a CSV file for multiple IP addresses.

  1. Select “Manual” from the dropdown.
  2. Enter the public IP address of your router or VPN server.
  3. Provide a friendly name for the IP address (for your records).
  4. Click Add to add the IP address to the list of allowed RADIUS clients.
  5. A randomly generated shared secret will be created for the IP address. You can change this shared secret if needed. Note that every IP address must have a unique shared secret.
  6. Repeat the process for each additional router or VPN server you want to add.

EZRADIUS Cloud RADIUS Network Policy IP Addresses

If you have multiple IP addresses, you can add them using a CSV file (if you have a CIDR range and want to convert it to an IP range, use this site).

CSV File Format

The CSV file must use the format IP Address,Friendly Name,Shared Secret with no header row. For example, a CSV file with two IP addresses would look like this:

12.12.12.12,First Name,SharedSecret1
12.12.12.13,Second Name,SharedSecret2

Make sure you do not include headers in the CSV file, as this will cause an error during the upload process.
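Because a header row, a reused shared secret, or a non-public address each break the upload or the policy in a non-obvious way, it helps to check the file before uploading it. The following is an added Python example written for this page (not EZRADIUS code): it validates a client CSV against the rules above (three columns, no header, valid public IP, a unique shared secret per IP) and can generate a header-less file with a fresh random secret per client. The sample rows are constructed; the two 12.12.12.x rows are the guide's own example.

```python
import csv
import io
import ipaddress
import secrets
from typing import List

EXPECTED_COLUMNS = 3  # IP Address, Friendly Name, Shared Secret (no header row)

# Constructed samples: the first is the guide's two-row example, the second breaks three rules
SAMPLE_OK = "12.12.12.12,First Name,SharedSecret1\n12.12.12.13,Second Name,SharedSecret2\n"
SAMPLE_BAD = (
    "IP Address,Friendly Name,Shared Secret\n"   # header row: rejected by the upload
    "12.12.12.12,First Name,SharedSecret1\n"
    "10.0.0.5,Branch,SharedSecret1\n"            # private IP and a reused shared secret
)


def generate_shared_secret(length_bytes: int = 24) -> str:
    """Random URL-safe shared secret; call once per RADIUS client so every IP gets its own."""
    return secrets.token_urlsafe(length_bytes)


def validate_radius_client_csv(text: str) -> List[str]:
    """Return the problems found in a client CSV; an empty list means it is ready to upload."""
    problems: List[str] = []
    seen_ips = {}
    seen_secrets = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != EXPECTED_COLUMNS:
            problems.append(f"line {lineno}: expected {EXPECTED_COLUMNS} columns, got {len(row)}")
            continue
        ip_text, name, secret = (cell.strip() for cell in row)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # A header row ("IP Address,...") lands here: the upload error the guide warns about
            problems.append(f"line {lineno}: '{ip_text}' is not an IP address (header row?)")
            continue
        if not ip.is_global:
            problems.append(f"line {lineno}: {ip} is not a public address; Cloud RADIUS needs the client's public IP")
        if ip in seen_ips:
            problems.append(f"line {lineno}: {ip} already listed on line {seen_ips[ip]}")
        seen_ips.setdefault(ip, lineno)
        if not name:
            problems.append(f"line {lineno}: missing friendly name")
        if not secret:
            problems.append(f"line {lineno}: missing shared secret")
        elif secret in seen_secrets:
            problems.append(f"line {lineno}: shared secret reused from line {seen_secrets[secret]}; each IP needs a unique secret")
        else:
            seen_secrets[secret] = lineno
    return problems


def build_client_csv(clients) -> str:
    """Write (ip, friendly name) pairs with a fresh secret each, in the header-less upload format."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for ip_text, name in clients:
        writer.writerow([ip_text, name, generate_shared_secret()])
    return buf.getvalue()


if __name__ == "__main__":
    print("guide example:", validate_radius_client_csv(SAMPLE_OK) or "OK")
    for problem in validate_radius_client_csv(SAMPLE_BAD):
        print("bad file:", problem)
    print(build_client_csv([("12.12.12.12", "First Name"), ("12.12.12.13", "Second Name")]))
```

Run the validator over the file you intend to upload; keep the generated secrets in the file you load into the corresponding routers or VPN servers, since the same value must be configured on both ends.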

Uploading the CSV File

  1. Begin by creating a CSV file with your IP addresses, friendly names, and shared secrets and saving it to your computer.
  2. Open the ‘Add IP Addresses’ dropdown and select ‘CSV File Upload’.
  3. Either drag-and-drop your CSV file into the upload area or click on the area to browse and select your CSV file.

Cloud RADIUS Multiple IP Addresses Network Policy For EAP-TLS

(optional) Always Send Message Authenticator

Depending on your networking device, you may need to enable the “Always Send Message Authenticator” option. Some devices, notably those from Fortinet, require the Message-Authenticator attribute on every packet for RADIUS communication to work properly.
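To show what this option actually puts on the wire, here is an added Python example written for this page (not EZRADIUS or Fortinet code). Per RFC 2869, Message-Authenticator is attribute type 80 carrying an HMAC-MD5 over the whole RADIUS packet, keyed with the client's shared secret and computed with the attribute value zeroed; a receiver that requires it can reject packets where it is missing or does not verify, which is what protects Classic RADIUS traffic against forged or modified Access-Requests. The packet builder, the username and the shared secret below are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1               # RADIUS code for Access-Request
ATTR_USER_NAME = 1               # User-Name attribute type
ATTR_MESSAGE_AUTHENTICATOR = 80  # Message-Authenticator attribute type (RFC 2869)
HEADER_LEN = 20                  # code, identifier, length, 16-byte Request Authenticator
MA_ATTR_LEN = 18                 # type + length + 16-byte HMAC-MD5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _message_authenticator_offset(packet: bytes) -> Optional[int]:
    """Walk the attribute list; return the offset of the Message-Authenticator value, or None."""
    offset = HEADER_LEN
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return None  # malformed attribute: stop rather than read past the packet
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == MA_ATTR_LEN:
            return offset + 2
        offset += attr_len
    return None


def build_access_request(identifier: int, secret: bytes, username: str,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request carrying User-Name and a valid Message-Authenticator."""
    auth = request_authenticator if request_authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs), auth) + attrs
    # HMAC-MD5 over the whole packet with the attribute value zeroed (it is still zero here)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    value_off = _message_authenticator_offset(packet)
    return packet[:value_off] + mac + packet[value_off + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that matches the shared secret."""
    value_off = _message_authenticator_offset(packet)
    if value_off is None:
        return False  # absent: a server that always expects the attribute should reject
    received = packet[value_off:value_off + 16]
    zeroed = packet[:value_off] + bytes(16) + packet[value_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"SharedSecret1"  # constructed; matches the CSV example above
    pkt = build_access_request(7, secret, "alice")
    print("valid packet verifies:", verify_message_authenticator(pkt, secret))
    print("wrong secret verifies:", verify_message_authenticator(pkt, b"wrong-secret"))
    print("attribute stripped verifies:", verify_message_authenticator(pkt[:-MA_ATTR_LEN], secret))
```

The verify function is the receiver-side check: with the option enabled, a client sends the attribute on every request, so a missing or mismatched value is a reason to drop the packet rather than fall back to the weaker Request Authenticator alone.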

Fortigate RADIUS Message Authenticator

How to Configure RadSec for Cloud RADIUS

If you enabled RadSec, you have to add a certificate authority or certificate that the RADIUS server will accept. This depends on your networking device: for example, with a Cisco device you need to add the root CA that signed the device's certificate, while a Ubiquiti device lets you upload your own certificate from your CA.

Add Certificate Authorities to RadSec Using EZCA

If your RadSec certificate is issued by your EZCA Certificate Authority, then you can easily add the CA to the cloud RADIUS server by:

  1. From the “Certificate Source” dropdown, select “EZCA”.
  2. Under the “EZCA Instance URL” dropdown, select your EZCA instance.
  3. Under the “EZCA CA” dropdown, select the CA you want to add.
  4. Click Add CA to add the CA to the RADIUS server.
  5. Your CA will now be listed under the “Trusted Certificate Authorities” section.

    EZRADIUS Cloud RADIUS Network Policy add EZCA Cloud Certificate Authority CA for RadSec

Add Certificate Authorities to RadSec Using 3rd Party CA

If your device uses a certificate from a 3rd party CA, you can add the CA to the cloud RADIUS server by:

  1. From the “Certificate Source” dropdown, select “Local CA”.
  2. Upload your CA certificate in PEM format.
  3. Your CA will now be listed under the “Trusted Certificate Authorities” section.

    EZRADIUS Cloud RADIUS Network Policy add CA from Microsoft Cloud PKI, SCEPMAN, or ADCS for RadSec

Add Self-Signed Certificate to RadSec

If your networking device only supports self-signed certificates for RadSec, you can upload the single certificate to your cloud RADIUS policy by:

  1. Leave the “Authorized Certificate Authorities” section empty. You don’t need to add any CAs for self-signed certificates.
  2. Under “Authorized Certificate Templates”, enter a certificate Friendly Name (this is just for your records, and is useful if you have multiple locations).
  3. Upload the certificate in PEM format.
  4. Your certificate will now be listed under the “Trusted Certificates” section.

    EZRADIUS Cloud RADIUS Network Policy add Self-Signed Certificate for RadSec

Step 3: Add Certificate Authorities to RADIUS for Certificate Authentication

Because local user authentication does not use certificates, you can skip this step and move to the server certificate section.

Step 4: Add Server Certificate to RADIUS

A certificate is required to uniquely identify the RADIUS server to the devices connecting to the network. Without it, your clients will not be able to connect and will return errors. There are three ways to add a server certificate:

  1. Use a free, auto-generated certificate
  2. Use EZCA to create and manage the certificate
  3. Upload a certificate from a 3rd party CA.

Create a Free Certificate with EZRADIUS’ Integrated Certificate Authority

If you do not have your own CA, you can use EZRADIUS’ integrated CA to create a free certificate. The certificate will be automatically created and renewed by EZRADIUS.

  1. From the ‘Certificate Source’ dropdown, select Auto-Generated Certificate.

    Automatic Certificate Creation for RADIUS

Add Server Certificate to RADIUS Using EZCA

If you are already an EZCA customer, you can leverage your existing EZCA CA to issue a RADIUS server certificate.

  1. From the ‘Certificate Source’ dropdown, select EZCA.
  2. If you are using an EZCA private instance, select the Private Instance checkbox and enter your EZCA Issuance URL.
  3. From the ‘EZCA CA’ dropdown, which lists the certificate authorities in your EZCA instance, select the CA you want to use.
  4. Click Request Certificate to create a new RADIUS server certificate. EZRADIUS will automatically create the certificate for you; you do not need to specify an existing certificate or create a CSR. The certificate will be automatically renewed before it expires.
  5. You should now see the certificate in the list of certificates.

    EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS

Add Server Certificate to RADIUS Using 3rd Party CA

If you are using a 3rd party CA, you can generate a CSR in EZRADIUS, submit it to your CA, and then upload the signed certificate back to EZRADIUS.

  1. From the ‘Certificate Source’ dropdown, select Local CA.
  2. Click the Create CSR button.
  3. Download the CSR by clicking the Save CSR button.
  4. Submit the CSR to your CA and download the certificate.
  5. Also download the certificate of your root CA.
  6. Once you have the certificate, scroll down and either copy and paste the certificate PEM content or click on Upload Certificate and select the certificate in PEM format.
  7. After you upload your certificate, you must upload the certificate of the Root CA that signed the certificate. Scroll down and either copy and paste the certificate PEM content or click on Upload Root CA Certificate and select the certificate in PEM format.
  8. You will now have both the RADIUS server certificate and the Root CA certificate listed under your certificates.

Step 5: Add Local User Access Policy to RADIUS Network Policy

Now that you have configured Classic RADIUS and/or RadSec, set up your CAs, and added the server certificate, you can add your access policies. Access policies define the conditions under which a user or device can connect to your network. Each network policy can contain multiple access policies, and they are evaluated in the order in which they are sorted.

  1. Begin in the Access Policies section of the RADIUS network policy. By default, there will be no access policies listed.

    An empty Access Policies section, showing no EZRADIUS Cloud Radius policies

  2. Enter the friendly name of the access policy which is used for your records to easily identify the policy. For this example we’ll use “Local Users”, but you can replace this with a name that makes sense for your use case.

    The Policy Name field being named Local Users, showing a policy that is specifically for local users

  3. For this policy we want to enable username and password authentication for local users. To do this, check the box for Enable Password Authentication, which allows the PAP, PEAP-MSCHAPv2, and EAP-TTLS RADIUS methods to be used for authentication.

    The Enable Password Authentication selection being checked, enabling PAP, PEAP-MSCHAPv2, and EAP-TTLS RADIUS methods

  4. Leave Enable Identity Provider (IDP) Delegation unchecked; it is only needed when using Entra ID for authentication. Checking this box disables the PAP and PEAP-MSCHAPv2 authentication methods.

  5. By default, EZRADIUS will not assign a VLAN to the user, but you can enable VLAN assignment by selecting Assign Static VLAN from the VLAN Management Dropdown and entering the VLAN ID you want to assign to the user.

    The VLAN Management dropdown is selecting Assign Static VLAN and the VLAN Name is set to 2

  6. Once you have configured the access policy, click on Add Policy at the top of the access policy.

    The Add Policy button is highlighted which will save the policy

Done!

You have successfully created a Cloud RADIUS network policy that uses local users for authentication. Make sure to test the configuration with a device to ensure everything is working as expected.

Advanced Settings

We try to keep the UI and policies as simple as possible, but we understand that some of our customers have more advanced requirements. For this reason we have added some advanced settings, which you can enable by expanding the “Advanced Settings” tab.

  1. Enable MAC Authentication Bypass: To enable MAC Authentication Bypass, check the “Enable MAC Authentication Bypass” checkbox; you will then have to whitelist the MAC addresses of the devices that are allowed to bypass authentication.

    EZRADIUS Enable MAC Address Bypass

  2. Check OCSP: EZRADIUS checks CRLs (Certificate Revocation Lists) by default. If you also want to check OCSP, check the “Enable OCSP” checkbox. You can read more about the difference between CRL and OCSP here.
  3. Require Extended Key Usage: To require that the certificate carries specific Extended Key Usages such as “Client Authentication”, check the “Require Extended Key Usage” checkbox.
  4. Matching Attributes in Request: To match attributes in the request (for example, matching the SSID name sent in the Calling-Station-Id), add the attributes under “Match Attributes in Request” and enter the value and the matching scheme (either contains or equals). Some common attributes to match are:
    • Calling-Station-ID: Usually set up to contain the SSID of the network, or the MAC address of a device when carrying out MAC Authentication Bypass
    • NAS Identifier (NAS-ID): Usually set up to contain the SSID of the network, or the MAC address of a device when carrying out MAC Authentication Bypass
  5. Sent Attributes in Response: To send attributes in the response (for example, sending a Filter-Id to the device), add the attributes under “Sent Attributes in Response” and enter the value. Supported attributes are:
    • Filter-Id: Can be used to assign a pre-defined access control list (ACL) to the user that successfully authenticates with the access policy
    • Cisco-AVPair: Cisco-specific attribute

EZRADIUS Cloud RADIUS Network Policy Advanced Settings EKU

Priority Order of Access Policies

The access policies are checked in the order they are sorted. You can change the order by clicking the up and down arrows on the right side of each access policy.

EZRADIUS Cloud RADIUS Network Policy Access Policies for Students EAP-TLS policy with Dynamic VLAN Assignment

  1. Once your policy is ready, click “Save Changes” at the top to save the policy changes.

    EZRADIUS Cloud RADIUS Network Policy Access Policies Save Entra ID Policy
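Because the first matching access policy wins, a broad policy such as “Local Users” sorted above a narrower one silently takes over its requests. The following is an added Python model, written for this page and not EZRADIUS's implementation, of how the Advanced Settings above (Match Attributes in Request with the contains/equals schemes, Sent Attributes in Response, Assign Static VLAN, and the MAC Authentication Bypass allow-list) combine with sorted evaluation. The request is a plain dict of attribute names, the response is a simplified dict rather than wire-format RADIUS attributes, and the policy names, SSID strings and MAC address are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Methods that "Enable Password Authentication" turns on for an access policy
PASSWORD_METHODS = {"PAP", "PEAP-MSCHAPv2", "EAP-TTLS"}


@dataclass
class AttributeMatch:
    attribute: str  # request attribute name, e.g. "Calling-Station-Id" or "NAS-Identifier"
    value: str
    scheme: str     # "equals" or "contains", the two matching schemes offered in the guide

    def matches(self, request: Dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        if actual is None:
            return False  # attribute absent from the request: the policy does not apply
        if self.scheme == "equals":
            return actual == self.value
        if self.scheme == "contains":
            return self.value in actual
        raise ValueError(f"unknown matching scheme: {self.scheme}")


@dataclass
class AccessPolicy:
    name: str
    password_auth: bool = False                                    # Enable Password Authentication
    mab_allowed_macs: Set[str] = field(default_factory=set)        # MAC Authentication Bypass allow-list
    request_matches: List[AttributeMatch] = field(default_factory=list)  # Match Attributes in Request
    static_vlan: Optional[int] = None                              # Assign Static VLAN
    response_attributes: Dict[str, str] = field(default_factory=dict)    # Sent Attributes in Response

    def allows(self, request: Dict[str, str]) -> bool:
        method = request.get("method")
        if method == "MAB":
            # For MAB the Calling-Station-Id carries the device MAC; only allow-listed MACs pass
            if request.get("Calling-Station-Id", "").upper() not in self.mab_allowed_macs:
                return False
        elif method in PASSWORD_METHODS:
            if not self.password_auth:
                return False
        else:
            return False  # this model covers only local-user password methods and MAB
        return all(m.matches(request) for m in self.request_matches)


def evaluate(policies: List[AccessPolicy], request: Dict[str, str]) -> Optional[Tuple[str, dict]]:
    """Walk the policies in sorted order; the first one that allows the request decides the response."""
    for policy in policies:
        if policy.allows(request):
            response: dict = dict(policy.response_attributes)
            if policy.static_vlan is not None:
                response["VLAN"] = policy.static_vlan
            return policy.name, response
    return None  # no access policy matched: the request is rejected


# Constructed example policies in their sorted order: narrow ones first, the catch-all last
STUDENT_WIFI = AccessPolicy(
    name="Students",
    password_auth=True,
    request_matches=[AttributeMatch("Calling-Station-Id", "Students", "contains")],
    static_vlan=2,
    response_attributes={"Filter-Id": "students-acl"},
)
PRINTERS = AccessPolicy(name="Printers", mab_allowed_macs={"AA-BB-CC-11-22-33"}, static_vlan=30)
LOCAL_USERS = AccessPolicy(name="Local Users", password_auth=True)
SORTED_POLICIES = [STUDENT_WIFI, PRINTERS, LOCAL_USERS]

if __name__ == "__main__":
    student = {"method": "PAP", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF:Corp-Students"}
    print("sorted:", evaluate(SORTED_POLICIES, student))
    # Moving the catch-all to the top changes the outcome for the same request
    print("reversed:", evaluate(list(reversed(SORTED_POLICIES)), student))
```

Running the same request against the reversed list is the quickest way to see why the up and down arrows matter: with “Local Users” first, the student request never reaches the policy that would have assigned VLAN 2 and the ACL.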