Create Cloud RADIUS Network Policies that Uses Entra ID Passwords

Prerequisites

  1. Registering the application in your tenant
  2. Creating Cloud Radius Instance
  3. Being a Subscription Owner or Network Administrator

Introduction - Managing your Cloud RADIUS Network Policies in EZRADIUS

Network policies are used to define the conditions under which a user or device can connect to your network. In this page we will go through how to create network policies in EZRADIUS.

  1. Go to your EZRADIUS portal.
  2. Click on “Policies”. EZRADIUS Cloud RADIUS Network Policies

What are the RADIUS Server Details?

At the top of the page, you will see the server details. This includes the server location, the server IP address, and the server port. You will need this information to configure your network devices to connect to the Cloud RADIUS server. (EZRADIUS uses the standard RADIUS port 1812 for authentication and 1813 for accounting) EZRADIUS Cloud RADIUS Server Details

Create a new RADIUS Network Policy

Before we dive into creating a new RADIUS network policy, let’s understand the different components of a network policy. Each policy has the following components:

  1. Name: A unique name for the policy.
  2. Allowed IP Addresses: The IP addresses that are allowed to connect to your RADIUS server (these are the Public IP addresses of your access points).
  3. Accepted Certificate Authorities: The certificate authorities that are accepted by the RADIUS server. These CAs are used to validate the certificates of the devices connecting to the network.
  4. Server Certificate: EAP-TLS requires the server uses a certificate that the devices trust for identification of the server. This is the server certificate.
  5. Access Policies: The conditions under which a user or device can connect to your network. This includes the authentication methods, the network policies, and the user groups that are allowed to connect as well as VLAN rule assignment. Each policy can have multiple access policies and they are checked in the order they are sorted.

Now that we understand the components of a network policy, let’s create a new policy.

Set up a new RADIUS Network Policy

  1. First we must set the policy Name. Enter the Policy name.
  2. Enter the IP addresses of your access points by entering the IP Address and entering add. When you click “Add” the IP address will be added to the list of allowed IP addresses and a random shared secret will be created, if you want to change the secret, you can change it in the text field for the shared secret. You will need to configure your network devices with the shared secret. EZRADIUS Cloud RADIUS Network Policy IP Addresses
  3. Now we must add the Certificate Authorities we trust to the RADIUS Service (Since EZRADIUS was designed for EAP-TLS, we require at least one CA, if you are only using EZRADIUS for EAP-TTLS with Entra ID credentials just upload a dummy base 64 certificate), if you are using EZCA our cloud based Certificate Authority, It is a few clicks away, if you are using a different CA, you can upload the CA certificate in PEM format, below you can see the steps to add the CA using each option.
Add Certificate Authorities to RADIUS Using EZCA (Option 1)
  1. If you are using EZCA, Ensure that EZCA is set as the certificate source, then from the dropdown select your EZCA instance (If you are using an EZCA private instance select the private instance checkbox and enter your EZCA URL).
  2. You should now have a dropdown with the CAs you have in your EZCA instance, select the CA you want to add to the RADIUS server. EZRADIUS Cloud RADIUS Network Policy add EZCA Cloud Certificate Authority CA
  3. Select the CAs you want to add and click “Add” (If you have a 2 tier hierarchy please add both your Root CA and your Issuing CA). EZCA and EZRADIUS will take care of the rest. EZRADIUS Cloud RADIUS Network Policy add EZCA Cloud Certificate Authority CA
Add Certificate Authorities to RADIUS Using 3rd Party CA (Option 2)
  1. If you are using a 3rd party CA, ensure that “Local CA” is set as the certificate source.
  2. If you are uploading a Root CA, check the “Root CA” checkbox, if you are uploading an Issuing CA, leave the checkbox unchecked.
  3. Click on “Upload Certificate” and select the CA certificate in PEM format. EZRADIUS Cloud RADIUS Network Policy add CA from Microsoft Cloud PKI, SCEPMAN, or ADCS
  4. Repeat the process for all the CAs you want to add (If you have a 2 tier hierarchy please add both your Root CA and your Issuing CA).

Add Server Certificate to RADIUS

The Next step is to add the server certificate to the RADIUS server. This certificate is used to identify the RADIUS server to the devices connecting to the network. For this, you can use a certificate from EZCA or a 3rd party CA. Below you can see the steps to add the server certificate using each option.

Add Server Certificate to RADIUS Using EZCA (Option 1)
  1. If you are using EZCA, Ensure that EZCA is set as the certificate source, then from the dropdown select your EZCA instance (If you are using an EZCA private instance select the private instance checkbox and enter your EZCA URL).
  2. You should now have a dropdown with the certificates authorities you have in your EZCA instance, select the CA you want to use.

    EZRADIUS will connect to EZCA and create the certificate. This certificate will be automatically renewed by EZRADIUS.

  3. Click “Add” to add the certificate to the RADIUS server. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
  4. You should now see the certificate in the list of certificates. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
Add Server Certificate to RADIUS Using 3rd Party CA (Option 2)
  1. If you are using a 3rd party CA, ensure that “Local CA” is set as the certificate source.
  2. Click the Create CSR button. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
  3. Download the CSR by clicking the “Save CSR” button. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
  4. Submit the CSR to your CA and download the certificate and the certificate of your root CA.
  5. Once you have the certificate, scroll down and either copy and paste the certificate PEM content or click on “Upload Certificate” and select the certificate in PEM format. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
  6. After you upload your certificate, you must upload the certificate of the Root CA that signed the certificate. Scroll down and either copy and paste the certificate PEM content or click on “Upload Root CA Certificate” and select the certificate in PEM format. EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS
  7. Now that you have added both the server certificate and the root CA certificate, we can move on to creating the access policies. (Please note that this has not been saved yet, we must add the access policies and click save to save the policy.) EZRADIUS Cloud RADIUS Network Policy add RADIUS Certificate for EAP-TLS

Add Entra ID Password Access Policy to RADIUS Network Policy

Now that we have added the IP addresses, the CAs, and the server certificate, we can add the access policies. Access policies define the conditions under which a user or device can connect to your network. Each policy can have multiple access policies and they are checked in the order they are sorted.

  1. You will see an empty new access policy, under the red “No Access Policies” text. EZRADIUS Cloud RADIUS Network Policy Access Policies
  2. Enter the name of the access policy. This is just for your records. In this example I will set our RADIUS server as if it was for a school, so I will name the access policy “Students”. EZRADIUS Cloud RADIUS Network Policy Access Policies for Students
  3. For this policy we only want to enable EAP-TTLS, with Entra ID credentials, so we will select the “Enable Password Authentication” checkbox and then click “Enable Identity Provider (IDP) Delegation”

    When you enable IDP Delegation, EZRADIUS will disable PEAP-MSCHAPv2 and PAP since they are not compatible with IDP Delegation.

    Entra ID Authentication with EZRADIUS The Best Cloud RADIUS
  4. In this specific case, we will leave the rest of the certificate settings as default, but you can change them if you need to. here is s a video on how to configure the certificate settings
  5. Next we can fine tune the authorization for this specific policy by enabling Entra ID Group Membership requirement. To do this click on “Check Group Membership” EZRADIUS Cloud RADIUS Network Policy Access Policies for Entra ID users with Entra ID Group Membership Check
  6. Go to Entra ID and find the group you want to use for this policy, copy the group ID. Entra ID Group ID
  7. Go Back to the EZRADIUS portal and paste the group ID in the “Group ID” field EZRADIUS Cloud RADIUS Network Policy Access Policies for Entra ID users with Entra ID Group Membership Check
  8. By default, EZRADIUS will not assign a VLAN to the user, but you can enable VLAN assignment by selecting “Assign Static VLAN” from the VLAN Management Dropdown and entering the VLAN ID you want to assign to the user. EZRADIUS Cloud RADIUS Network Policy Access Policies for Students EAP-TLS policy with Static VLAN Assignment
  9. Once you have configured the access policy, click on “add policy” At the top of the access policy. EZRADIUS Cloud RADIUS Network Policy Access Policies for Students EAP-TLS policy with Static VLAN Assignment

Access Policy Order

The access policies are checked in the order they are sorted, you can change the order of the access policies by clicking on the up and down arrows on the right side of the access policy. EZRADIUS Cloud RADIUS Network Policy Access Policies for Students EAP-TLS policy with Dynamic VLAN Assignment

  1. Once your policy is ready, click “Save Changes” at the top to save the policy changes. EZRADIUS Cloud RADIUS Network Policy Access Policies Save Entra ID Policy

Entra ID Conditional Access Policies

If you are using Entra ID conditional access policies that require multi-factor authentication, you will need to add an exception to EZRADIUS IP addresses, allowing us to bypass the conditional access policies to authenticate the user. You can find the list of EZRADIUS outbound IP addresses below.

Instance Outbound IP Addresses
USA 52.15.112.49/32

How to Add EZRADIUS IP Addresses to Trusted IP Addresses in Entra ID Conditional Access Policies

  1. Go to your Conditional Access Policies in Entra ID.
  2. Select Named Locations. Entra ID Conditional Access Policies Trusted Networks
  3. Click on IP Ranges location at the top. Entra ID Conditional Access Policies Add Trusted Networks
  4. Enter the Name of the IP Range, for example, “EZRADIUS”.
  5. Enter the IP Addresses for your EZRADIUS instance from the table above (If you have a private instance your account engineer will provide you your outbound addresses).
  6. Click “Create”. Entra ID Conditional Access Policies Add Trusted Networks
  7. Go back to your Conditional Access Policies.
  8. Find your Conditional Access Policy that requires multi-factor authentication.
  9. Click on “Conditions” and then “Locations”.
  10. Click on “Exclude” and then “Selected networks and locations”.
  11. Select the location you created for EZRADIUS. Entra ID Conditional Access Policies Add Trusted Networks
  12. Click “Save” Entra ID Conditional Access Policies Add Trusted Networks

How To Troubleshoot Entra ID Cloud RADIUS Password Authentication Not Working

For Entra ID Password Authentication to work, the PAP over EAP-TTLS protocol must be used. Some devices by default will try to use PEAP-MSCHAPv2, which is not compatible with Entra ID Password Authentication due to Entra ID not Supporting MSCHAPv2. To resolve this, you have two options, you can either configure the device to use EAP-TTLS with PAP or you can enable self service user management in EZRADIUS where the user can set up their own password and use the EZRADIUS self service portal to manage their password.