How To Create a Local Proxy for Cloud RADIUS
Prerequisites to Create a Local Proxy for Cloud RADIUS
- EZRADIUS Subscription (This is included in all EZRADIUS tiers).
- Set up your Access Policies.
- EZCA SCEP or SSL CA to issue client certificates to the proxy.
- Local Server (Linux) to host the proxy
- Permissions to create an Entra ID Application
Note
Please note that setting up the Local RADIUS Proxy is self-service and not included in our basic support; if you need help from Keytos engineers, you will need to purchase our professional services.
Create your Local Proxy Entra ID Application
- Go to the Azure Portal.
- Navigate to “Entra ID” > “App registrations” > “New registration”.
- Fill in the details for your application:
  - Name: EZRADIUS Local RADIUS Proxy
  - Supported account types: Accounts in this organizational directory only
- Click “Register”.
How to Add API Permission For Entra ID Username and Password Validation in Cloud RADIUS
If you are using your Cloud RADIUS for Entra ID username and password authentication, you need to add the delegated permission that allows the application to authenticate against EZRADIUS and validate the Entra ID user credentials. If you are only using certificate-based authentication, skip to the next section to add the other permissions.
- In that same application, go to “API permissions”.
- Click on “Add a permission”.
- At the Top Select “APIs my organization uses”.
- Search for “EZRADIUS” and select the “EZRADIUS” API.
- Select “Delegated permissions”.
- Select the `API.Access` permission and click “Add permission”.
- Now we have to give it admin consent so each user doesn’t have to grant consent. Go back to Entra ID and select “Enterprise Applications”.
- Search for your application > Permissions > Grant admin consent for [Your Organization].
- Authenticate with a Global Administrator account.
- Click “Next”.
- Click “Accept” to grant the permissions.
How to Enable Cloud RADIUS to Read Entra ID and Intune Device Information
Then we have to give the local application permission to read Entra ID and Intune device information. This will allow it to do the complex network segmentation and authentication tasks that EZRADIUS is famous for.
- Go to the Application we created in Entra ID.
- Go to “API permissions” and click on “Add a permission”.
- Click on Microsoft Graph.
- Select “Application permissions”.
- Select the following permissions:
  - `Application.ReadWrite.OwnedBy`: allows it to automatically rotate its own certificate when the EZRADIUS Proxy renews it.
  - `DeviceManagementManagedDevices.Read.All`: allows it to check the device status of your Intune devices when using the Intune device compliance check.
  - `Directory.Read.All`: allows it to read all directory data in your Entra ID tenant for group membership checks and to check whether the device or user is still active.
- Click “Add permissions”.
- Now your application should look like this:
- Now we have to give it admin consent so it can read the directory data. Log in with a Global Administrator account and grant admin consent for the application.
- Click “Yes”.
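The portal steps in the sections above can also be scripted. The following is an added example written for this article, not Keytos’ own tooling; it assumes an `az login` session as a Global Administrator and that the EZRADIUS API appears in your tenant as a service principal whose display name is exactly “EZRADIUS” (an assumption; the article only says to search for it).

```shell
#!/bin/sh
# Added example (not Keytos code): create the proxy app registration with Azure CLI.
# Assumes `az login` as a Global Administrator and an "EZRADIUS" service principal.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID
APP_NAME="EZRADIUS Local RADIUS Proxy"
GRAPH_ROLES="Application.ReadWrite.OwnedBy DeviceManagementManagedDevices.Read.All Directory.Read.All"

# Resolve a Graph application permission (appRole) ID by its value, so no GUIDs are hard-coded.
graph_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$1'].id" -o tsv
}

# Turn "id1 id2 ..." into the "id1=Role id2=Role ..." form that `az ad app permission add` expects.
role_args() {
  out=""
  for id in $1; do out="$out ${id}=Role"; done
  echo "${out# }"
}

# Delegated API.Access scope on the EZRADIUS API (only needed for username/password auth).
add_ezradius_scope() {
  api_id=$(az ad sp list --display-name EZRADIUS \
             --query "[?displayName=='EZRADIUS'].appId | [0]" -o tsv)
  scope_id=$(az ad sp show --id "$api_id" \
             --query "oauth2PermissionScopes[?value=='API.Access'].id" -o tsv)
  az ad app permission add --id "$1" --api "$api_id" --api-permissions "${scope_id}=Scope"
}

create_proxy_app() {
  # AzureADMyOrg is "Accounts in this organizational directory only" (single tenant).
  app_id=$(az ad app create --display-name "$APP_NAME" \
             --sign-in-audience AzureADMyOrg --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null        # the Enterprise Application entry
  ids=""
  for r in $GRAPH_ROLES; do ids="$ids $(graph_role_id "$r")"; done
  az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions $(role_args "$ids")
  add_ezradius_scope "$app_id"
  # One tenant-wide admin consent covers every permission, so users are never prompted.
  az ad app permission admin-consent --id "$app_id"
  echo "$app_id"
}

# Guarded so the file can be reviewed or sourced without touching a tenant.
if [ "${EZRADIUS_APPLY:-no}" = "yes" ]; then create_proxy_app; fi
```

Run it with `EZRADIUS_APPLY=yes sh create-proxy-app.sh`; it prints the Application (client) ID that the “Entra ID Application ID” field in EZRADIUS asks for later.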
Now that we have created the application and granted the necessary permissions, we can proceed to configure the local RADIUS proxy.
How to Register a new RADIUS Proxy for Cloud RADIUS
- In another tab, go to your EZRADIUS instance.
- Navigate to the “Local Server” section.
- Enter a friendly name for the new RADIUS proxy.
- In another tab, navigate to the Entra ID application we created earlier.
- Copy the Application (client) ID from the Overview page.
- Paste the Application (client) ID into the “Entra ID Application ID” field in EZRADIUS.
- In Azure, create an Application Insights resource for your RADIUS proxy.
- Copy your Application Insights connection string.
- Add your Application Insights connection string.
- Select the EZCA instance and EZCA CA you would like to use for the RADIUS proxy.
- Optionally, expand the “Advanced” section to configure additional settings, such as proxy caching (how long the proxy keeps the information) and certificate length. Don’t set the certificate length too short: EZRADIUS renews the certificate, and an Entra ID application with many certificates breaks Entra ID.
- Click “Register Local Server”.
- This will download a zip file containing:
  - The RADIUS proxy configuration file `script.sh`.
  - A PEM file with the certificate. Note: this file has the private key and should be kept secure.
  - A `.cer` file with the public certificate.
  - A README file with instructions on how to set up the RADIUS proxy.
- Extract the zip file, and go back to the tab where you have your Entra ID application open.
- Click on “Certificates & secrets”.
- Click on “Upload certificate”.
- Upload the `.cer` file from the zip file you downloaded from EZRADIUS.
- Click on “Add”.
How to Configure the RADIUS Proxy for Cloud RADIUS
Now that we have the files and we have registered the RADIUS proxy, we can proceed to configure it.
- SSH into the server where you want to deploy the RADIUS proxy.