How-To: Create a Local Proxy for Cloud RADIUS
Overview: How to Create a Local RADIUS Proxy for Cloud RADIUS
In this guide, we will walk you through the steps to create a Local RADIUS Proxy for your Cloud RADIUS setup in EZRADIUS. This local proxy will help ensure high availability and improved performance for your authentication requests by handling them locally within your network.
Hosting the Local RADIUS Proxy
The Local RADIUS Proxy is hosted as a Docker container that you can run on any Linux machine within your network. This could be a dedicated server, a virtual machine, or even an embedded device like a Raspberry Pi.
While Keytos support can advise on software features and behavior of the local proxy software itself, please note that hosting and managing the underlying hardware for a local RADIUS Proxy is self-service and not included in our basic support. If you would like to meet with a Keytos engineer to discuss a hosting plan and review your system architecture, we offer professional services to help you get set up.
System Requirements for Local RADIUS Proxy
To host the Local RADIUS Proxy, you will need a machine that meets the following requirements:
- Operating System: Linux (Ubuntu 24.04 or later is recommended)
- CPU: 2 cores minimum
- RAM: 4 GB minimum
- Software: Docker Engine (20.10 or later)
Docker on Windows (Docker Desktop) does not pass the original source IP address of incoming packets to the container; the container sees the Docker gateway address instead. Because Classic RADIUS identifies clients by their source IP address, the local RADIUS proxy must run on a Linux host to function properly.
Network Requirements
- Outbound Internet Access: The local RADIUS proxy needs to communicate with the EZRADIUS cloud servers and with Entra ID. Ensure that the server has outbound internet access on TCP port 443 (HTTPS). Inbound access from the internet is not required.
- Ports: Ensure that your network devices (like VPNs, Wi-Fi access points, and firewalls) can send RADIUS authentication requests to the local RADIUS proxy on UDP ports 1812 (authentication) and 1813 (accounting). These do not need to be open to the internet, only between your devices and the local proxy.
Local RADIUS Proxy Container Specifications
The steps below will guide you through setting up your local RADIUS proxy and its values, but here are the specifications for the container for reference:
- Image URL: keytos-eqgzasb8bufxa0cd.azurecr.io/ezradius/local-server:latest
- Memory Requirements: 128 MB reserved, 512 MB limit
- CPU Requirements: 0.5 CPU reserved, 2 CPUs limit
- Ports: The container listens on the following ports:
  - 1812/udp for RADIUS authentication requests
  - 1813/udp for RADIUS accounting requests
  - 2083/tcp for RADIUS over TLS (RadSec) authentication requests
  - 8080/tcp for health checks and management API
- Storage Mount: The container requires a mounted volume for its authentication certificate to securely authenticate to the EZRADIUS cloud servers.
  - Source: The path on your hosting machine where the certificate is stored (e.g., /home/user/ezradius-proxy/certs/<cert>.pem)
  - Destination: The path inside the container where the certificate will be mounted: /app/certificate.pem
  - Access: The container needs read/write access to the mounted certificate file to perform authentication and certificate renewal tasks. Set the mount to rw (or set read_only to false) in your Docker configuration.
- Environment Variables: The container reads from the following environment variables for configuration:
  - LocalServer__providerEndpointUrl: The cloud endpoint URL for your EZRADIUS instance (e.g., https://local.usa.ezradius.io/).
  - LocalServer__certificateFilePath: The path to the certificate file inside the container (e.g., /app/certificate.pem).
  - AppDetails__ClientID: The Client ID of the Entra ID application you created for the local proxy.
  - AppDetails__AppID: The Application (client) ID of the Entra ID application you created for the local proxy.
  - AppDetails__HomeTenant: The Directory (tenant) ID of your Entra ID tenant.
  - APPLICATIONINSIGHTS_CONNECTION_STRING (optional): If you want to use Azure Application Insights for monitoring the local proxy, set this environment variable to your Application Insights connection string. If not set, the proxy will run without sending telemetry data.
How to Create a Local RADIUS Proxy for Cloud RADIUS - Step by Step Guide
Let’s dive into the step-by-step process of creating a Local RADIUS Proxy for your Cloud RADIUS setup in EZRADIUS. This guide will cover everything from setting up the necessary Entra ID application to configuring and running the local proxy on your Linux machine.
Prerequisites for Setting Up Local RADIUS Proxy for Cloud RADIUS
Before you begin, make sure you have the following prerequisites in place:
- You have an EZRADIUS Subscription (all tiers support the local proxy)
- You have at least one EZRADIUS Policy
- You have an EZCA SCEP CA or EZCA SSL CA to issue client certificates to the proxy, which are used for secure communication between the local proxy and the EZRADIUS cloud servers.
- You have a Linux machine ready to host the local RADIUS proxy with Docker installed and running.
- You have permissions in Entra ID to create Application Registrations.
How to Create an Entra ID Application for the Local RADIUS Proxy
To allow the local RADIUS proxy to truly operate independent of the EZRADIUS cloud servers during a connectivity issue, we need to create a separate Entra ID Application Registration for the local proxy. This allows the local proxy to authenticate to Entra ID and Intune directly and validate user credentials even if it cannot reach the EZRADIUS cloud servers.
- Navigate to the Azure Portal.
- Go to Microsoft Entra ID > App registrations > + New registration.
- Fill in the details for your application:
  - Name: EZRADIUS Local RADIUS Proxy
  - Supported account types: Single tenant only - <Your Organization Name>
  - Redirect URI: Leave this blank as the local proxy does not require a redirect URI.
- Click Register.
How to Add API Permissions For Entra ID Username and Password Validation
Now that you have a new Entra ID application for the local RADIUS proxy, we need to give it permission to authenticate users against Entra ID if you plan to use EAP-TTLS Entra ID username and password authentication.
This step is only required if you plan to use EAP-TTLS Entra ID username and password authentication. You can skip this step if you only plan to use certificate-based authentication (EAP-TLS) or any other protocol.
- Within your newly created Entra ID application, navigate to API permissions and click on Add a permission.
- From the tab bar, select APIs my organization uses and search for “EZRADIUS”. Select the EZRADIUS API from the search results.
- Select Delegated permissions, check the box for the API.Access permission, and click Add permissions.
- Click on the button for Grant admin consent for <your tenant name> and click Yes to grant the necessary permissions for the local RADIUS proxy to authenticate users against Entra ID.
Note: Granting tenant-wide admin consent requires a Global Administrator (or Privileged Role Administrator) account in Entra ID. If you do not have those privileges, please work with your Entra ID administrator to grant the necessary permissions for the local RADIUS proxy application.
How to Add API Permissions For Entra ID Group Checks and Intune Compliance Checks
For the local RADIUS proxy to renew its own client certificate, perform group membership checks, and perform Intune device compliance checks, it needs permissions to read directory data in Entra ID and to read the status of Intune devices.
- Within the Entra ID application you created for your local RADIUS proxy, navigate back to API permissions and click on Add a permission.
- From the tab bar, select Microsoft APIs and then select Microsoft Graph.
- Select Application permissions, since these permissions are for the application itself to read directory data and Intune device status, not on behalf of a signed-in user.
- Search for and select the following permissions:
  - Application.ReadWrite.OwnedBy: Allows the local RADIUS proxy service to renew its own client certificate by updating its application registration in Entra ID with the new certificate information when the certificate is close to expiring. Unlike Application.ReadWrite.All, this permission is limited to application registrations that the proxy's own service principal owns.
  - DeviceManagementManagedDevices.Read.All: Allows it to read the device status of your Intune devices when using the Intune device compliance check.
  - Directory.Read.All: Allows it to read directory data in your Entra ID tenant for group membership checks and to check whether the device or user is still active.
- Click Add permissions to add these permissions to the local RADIUS proxy application.
- Click Grant admin consent for <your tenant name> and click Yes to grant the necessary permissions for the local RADIUS proxy to perform certificate renewal, group membership checks, and Intune device compliance checks.
- The API permissions page of your application should now list the permissions above with admin consent granted (EZRADIUS > API.Access will only show if you completed the previous section for Entra ID username and password authentication).
How to Register a New Local RADIUS Proxy in EZRADIUS
Now that you have your Entra ID application set up for the local RADIUS proxy, you can proceed to register the new local RADIUS proxy in your EZRADIUS instance. This will allow you to download the configuration files needed to set up the local proxy container on your Linux machine.
- In another tab, navigate to your EZRADIUS portal. If you’re unsure, you can find your portal endpoint at portal.ezradius.io.
- Navigate to the Local Server page.
- Under New Server, enter the following details:
  - Friendly Name: A name to identify your local RADIUS proxy (e.g., Main Office RADIUS Proxy).
  - Entra ID Application ID: The Application (client) ID from the Entra ID application you created for the local RADIUS proxy. You can find this in the Overview page of your Entra ID application.
- (optional) If you’d like to send service logs to Azure Application Insights:
  - Create an Application Insights resource for your RADIUS proxy.
  - Copy your Application Insights connection string from the Azure Portal.
  - Paste your Application Insights connection string into the EZRADIUS local proxy registration form.
- Under Select EZCA Certificate Authority, select the CA that you set up for your EZRADIUS client certificates. This is the CA that will issue the client certificate for your local RADIUS proxy to authenticate to the EZRADIUS cloud servers.
- (optional) For additional configuration you can expand Advanced Settings to configure settings such as proxy caching (how long the proxy keeps the information it has fetched) and certificate lifetime. Do not set the certificate lifetime too short: EZRADIUS renews the certificate automatically, every renewal adds another certificate to the Entra ID application registration, and an application registration holding a large number of certificates can stop working in Entra ID.
- Click Register Local Server.
- You will be prompted to download a zip file with the configuration for your local RADIUS proxy. This zip file contains the necessary files to set up and run the local RADIUS proxy container on your Linux machine, including:
  - The RADIUS proxy configuration file script.sh, which contains your Docker run command with all the necessary environment variables and settings pre-configured based on the information you provided during registration.
  - A .pem file with the certificate. Note: This file also contains the private key and should be kept secure; restrict it to the account that runs the container (file mode 600).
  - A .cer file with the public certificate.
- Extract the zip file and keep it in a secure location. You will need the contents of this file to set up your local RADIUS proxy registration and container on your Linux machine in the next steps.
- Back in the Azure Portal, navigate back to the Entra ID Application Registration that you previously created.
- Click on Certificates & secrets, select the Certificates tab and then click on Upload certificate. Upload the .cer file from the zip file you downloaded from EZRADIUS (not the .pem file, which contains the private key). This will allow your local RADIUS proxy to authenticate to Entra ID using the client certificate when it performs authentication requests and certificate renewal.
- Click Add to upload and associate the certificate with your Entra ID application.
How to Run Your Local RADIUS Proxy for Cloud RADIUS
Now that you have registered your local RADIUS proxy in EZRADIUS and set up the necessary Entra ID application, you can proceed to run the local RADIUS proxy container on your Linux machine using the configuration files you downloaded from EZRADIUS.
The following steps use the bash script that is included in the zip file you downloaded from EZRADIUS when you registered your local RADIUS proxy. This script will set up and run the Docker container for your local RADIUS proxy with all the necessary environment variables and configurations.
- SSH into or open a terminal window on the server where you want to deploy the RADIUS proxy.
- Create the directory where you want to deploy the RADIUS proxy. For this example we will use ~/Keytos/EZRADIUS/.
    mkdir -p ~/Keytos/EZRADIUS/
- From your local machine, upload the zip file you downloaded from EZRADIUS to the server. You can use scp or any other method you prefer. For example:
    scp path/to/your/downloaded/localserver_<GUID>.zip user@your-server-ip:~/Keytos/EZRADIUS/
- Back in the terminal on your server, navigate to the directory where you uploaded the zip file.
    cd ~/Keytos/EZRADIUS/
- Unzip the zip file.
    unzip localserver_<GUID>.zip
- Navigate into the unzipped directory.
    cd localserver_<GUID>/
- Make the script executable.
    chmod +x script.sh
- Review the script (it is the docker run command with your registration values filled in), then run it.
    ./script.sh
- The script will install and configure the RADIUS proxy.
If you prefer to run the Docker container manually without the provided bash script, you can use the docker run command that is included in script.sh. It is pre-configured with all the necessary environment variables and settings based on the information you provided when registering your local RADIUS proxy in EZRADIUS.
The docker run command below bind-mounts the client certificate you downloaded from EZRADIUS, so update the --volume source to the full path of the certificate file on your server. The source must be an absolute path: Docker interprets a bare file name as the name of a named volume and mounts an empty directory at /app/certificate.pem instead of your certificate. The file contains the private key, so keep it readable only by the account that runs the container. Port 8080 serves health checks and the management API rather than RADIUS traffic; unless something outside the host needs that endpoint, publish it on the loopback interface only (127.0.0.1:8080:8080) rather than on all interfaces. See the Local RADIUS Proxy Container Specifications section above for more details on the container specifications and environment variables.
docker run --detach --restart=always \
--publish 1812:1812/udp --publish 1813:1813/udp --publish 2083:2083/tcp --publish 8080:8080 \
--env LocalServer__providerEndpointUrl=https://local.<region>.ezradius.io/ \
--env LocalServer__certificateFilePath=/app/certificate.pem \
--env AppDetails__ClientID=<YourClientID> \
--env AppDetails__AppID=<YourAppID> \
--env AppDetails__HomeTenant=<YourHomeTenant> \
--env APPLICATIONINSIGHTS_CONNECTION_STRING="<YourApplicationInsightsConnectionString>" \
--volume /absolute/path/to/<YourCertificateFile>.pem:/app/certificate.pem:rw \
keytos-eqgzasb8bufxa0cd.azurecr.io/ezradius/local-server:latest
If you prefer to use Docker Compose to manage your local RADIUS proxy container, you can create a docker-compose.yml file with the following content. Make sure to update the environment variables and volume mount path with the correct values for your setup.
See the Docker Container reference section above for more details on the container specifications and environment variables.
name: ezradius
services:
local-server:
image: keytos-eqgzasb8bufxa0cd.azurecr.io/ezradius/local-server:latest
restart: always
ports:
- "1812:1812/udp" # RADIUS authentication
- "1813:1813/udp" # RADIUS accounting
- "2083:2083/tcp" # RADIUS Over TLS (RadSec)
- "8080:8080/tcp" # Health checks and management API
environment:
LocalServer__providerEndpointUrl: "https://local.<region>.ezradius.io/"
LocalServer__certificateFilePath: "/app/certificate.pem"
AppDetails__ClientID: "<YourClientID>"
AppDetails__AppID: "<YourAppID>"
AppDetails__HomeTenant: "<YourHomeTenant>"
APPLICATIONINSIGHTS_CONNECTION_STRING: "<YourApplicationInsightsConnectionString>"
volumes:
- type: bind
source: ./data/setup/<YourCertificateFile>.pem
target: /app/certificate.pem
read_only: false
Your local RADIUS proxy should now be up and running.
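Before starting the container with either of the commands above, it is worth checking the values you substituted, because the mistakes that stop the proxy from authenticating (a placeholder left in, a relative bind-mount source, a world-readable private key, the management port exposed on every interface) are silent at docker run time. The script below is an added example, not part of the EZRADIUS package or this guide. It assumes the endpoint host is under ezradius.io, that AppDetails__AppID and AppDetails__HomeTenant are GUIDs (the Application (client) ID and Directory (tenant) ID), and that the mounted .pem carries both a certificate block and a private key block; the sample values under __main__ are constructed.

```python
"""Pre-flight checks for the local proxy's docker run / docker compose values.
Added example, not EZRADIUS code. Checks encode the caveats a reviewer would apply by hand."""
from __future__ import annotations

import os
import re
import stat
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
REQUIRED = ("LocalServer__providerEndpointUrl", "LocalServer__certificateFilePath",
            "AppDetails__ClientID", "AppDetails__AppID", "AppDetails__HomeTenant")
CERT_TARGET = "/app/certificate.pem"  # the path the container reads; must match the env var


def check_env(env: dict[str, str]) -> list[str]:
    """Validate the container environment; returns findings (an empty list means OK)."""
    findings = [f"{k} is unset or still a <placeholder>" for k in REQUIRED
                if not env.get(k) or env[k].startswith("<")]
    url = urlparse(env.get("LocalServer__providerEndpointUrl", ""))
    if url.scheme != "https":
        findings.append("providerEndpointUrl must be an https:// URL")
    elif not (url.hostname or "").endswith(".ezradius.io"):  # assumption: always local.<region>.ezradius.io
        findings.append("providerEndpointUrl host is not under ezradius.io (expected local.<region>.ezradius.io)")
    for k in ("AppDetails__AppID", "AppDetails__HomeTenant"):
        value = env.get(k, "")
        if value and not value.startswith("<") and not GUID.match(value):
            findings.append(f"{k} is not a GUID; copy it from the app registration's Overview page")
    if env.get("LocalServer__certificateFilePath") != CERT_TARGET:
        findings.append(f"LocalServer__certificateFilePath must equal the mount target {CERT_TARGET}")
    return findings


def check_cert_mode(mode: int) -> list[str]:
    """The .pem holds the private key: nobody but the owner should be able to read it."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["certificate file is readable by group/others; chmod 600 it"]
    return []


def check_cert_bytes(data: bytes) -> list[str]:
    """The mounted file must carry the certificate and its private key (assumption: PEM, both blocks)."""
    findings = []
    if b"-----BEGIN CERTIFICATE-----" not in data:
        findings.append("no certificate block found in the mounted file")
    if b"PRIVATE KEY-----" not in data:
        findings.append("no private key block found; you may have mounted the .cer instead of the .pem")
    return findings


def check_cert_source(path: str) -> list[str]:
    """Bind-mount source: absolute (a bare name becomes a named volume), present, owner-only, PEM."""
    findings = []
    if not os.path.isabs(path):
        findings.append(f"bind-mount source {path!r} is not absolute; Docker would create a named volume instead")
    if not os.path.isfile(path):
        return findings + [f"{path} does not exist on this host"]
    findings += check_cert_mode(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        findings += check_cert_bytes(fh.read())
    return findings


def check_ports(publish: list[str]) -> list[str]:
    """Parse --publish / compose port specs such as '1812:1812/udp' or '127.0.0.1:8080:8080'."""
    findings, seen = [], set()
    for spec in publish:
        parts = spec.split(":")
        host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"  # two-part specs bind every interface
        target, _, proto = parts[-1].partition("/")
        seen.add(f"{target}/{proto or 'tcp'}")
        if target == "8080" and host_ip not in ("127.0.0.1", "::1", "localhost"):
            findings.append("management port 8080 is published on all interfaces; "
                            "use 127.0.0.1:8080:8080 unless an external monitor needs the health endpoint")
    for needed in ("1812/udp", "1813/udp"):
        if needed not in seen:
            findings.append(f"{needed} is not published; RADIUS clients cannot reach the proxy")
    return findings


def preflight(env: dict[str, str], cert_source: str, publish: list[str]) -> list[str]:
    """Run every check and return the combined findings."""
    return check_env(env) + check_cert_source(cert_source) + check_ports(publish)


if __name__ == "__main__":
    # Constructed sample mirroring the docker run command above, with its placeholders left in.
    sample_env = {"LocalServer__providerEndpointUrl": "https://local.<region>.ezradius.io/",
                  "LocalServer__certificateFilePath": "/app/certificate.pem",
                  "AppDetails__ClientID": "<YourClientID>", "AppDetails__AppID": "<YourAppID>",
                  "AppDetails__HomeTenant": "<YourHomeTenant>"}
    for finding in preflight(sample_env, "<YourCertificateFile>.pem",
                             ["1812:1812/udp", "1813:1813/udp", "2083:2083/tcp", "8080:8080"]):
        print("FINDING:", finding)
</```

Run it with the real values from your script.sh (or the compose file) on the host that will run the container; an empty findings list means the file permissions, paths and identifiers are in the shape the container expects, which does not by itself prove the certificate has been uploaded to the Entra ID application.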
How to Update your Network Devices to Point to Your Local RADIUS Proxy
Now that your local RADIUS proxy is up and running, you need to update the configuration of your network devices (like VPNs, Wi-Fi access points, and firewalls) to point to the IP address of your local RADIUS proxy for authentication requests. This typically involves changing the RADIUS server settings on your devices to use the IP address of your local proxy instead of pointing directly to the EZRADIUS cloud servers.
We recommend configuring your network devices to point to both the local RADIUS proxy and the EZRADIUS cloud servers for redundancy. This way, if the local proxy is unavailable for any reason, authentication requests can still be processed by the cloud servers (or vice versa). This ensures that users can continue to access your network without interruption.
You can refer to our network guides for specific instructions on how to configure popular network devices to work with EZRADIUS.
Network Device Configuration Guides
How to Add Your Local IP Addresses to Your EZRADIUS Cloud RADIUS Policy
Now that your local RADIUS proxy is up and running, you need to add the IP addresses your RADIUS traffic comes from to your EZRADIUS policy’s Classic RADIUS IP list: the public IP address of the network that hosts the local RADIUS proxy, and the local addresses of the access points or controllers that send requests to it. This allows authentication requests from your network, whether they reach the EZRADIUS cloud servers directly or through the local proxy, to be recognized and processed accordingly.
This step is only required if you are using Classic RADIUS for authentication. If you are using RADIUS Over TLS (RadSec), you can skip this step as RadSec uses the client certificate for authentication and does not require IP address allowlisting.
- In your EZRADIUS portal, navigate to the Policies page and find your RADIUS policy.
- Under Classic RADIUS Allowed IP Addresses, make sure you have:
- Your network’s public IP address. This allows authentication requests directly to the cloud RADIUS servers when the local proxy is not available.
- The IP address(es) of your network’s Access Points or controllers that devices connect to and which perform RADIUS authentication.
- Click Save on your EZRADIUS policy to save the changes.
Not sure what your AP IP addresses are? Make a test authentication attempt and check your Audit Logs in EZRADIUS. A failed authentication attempt from a source that is not on the allowed IP list is logged with its source IP address, which you can then add to the allowed list.
Troubleshooting the Local RADIUS Proxy for Cloud RADIUS
My Local RADIUS Proxy Certificate Expired
The RADIUS proxy automatically checks its health API and certificate status every 30 seconds. If your local proxy certificate is close to expiring, the proxy will automatically request a new certificate and update your Entra ID application with the new certificate information. You do not need to do anything for the certificate renewal to happen as long as the proxy is running and has the necessary permissions in Entra ID to perform certificate renewal.
However, if your local proxy is offline for an extended period of time and the certificate expires, the proxy will not be able to authenticate to the EZRADIUS cloud servers until you update the certificate. If this happens, you can:
- Re-download the configuration zip file for your registered local proxy from the Local Server page in EZRADIUS.
- Manually update your Entra ID Application Registration with the new certificate (upload the new .cer file under Certificates & secrets).
- Run the script.sh file again, or update your Docker container with the new certificate file, to get it up and running again.
I Am Unable to Authenticate to the Local RADIUS Proxy
If you are having trouble authenticating to the local RADIUS proxy, here are some steps you can take to troubleshoot the issue:
- Make sure you’ve added your local Access Point IP Addresses to the allowed IP list in your EZRADIUS policy if you are using Classic RADIUS. You can check your Audit Logs in EZRADIUS to see the source IP address of authentication attempts and make sure those IP addresses are on the allowed list.
- If you are using Entra ID username and password authentication, make sure you granted the necessary API permissions to your Entra ID application for the local RADIUS proxy and that you granted admin consent for those permissions.
- Make sure you have admin consented the necessary permissions for group checks and Intune device compliance checks if you are using those features.
- Check your Entra ID Application Registration to make sure the client certificate has not expired. If it has, see the section above on how to renew the certificate.
My Network Devices Can’t Reach the Local RADIUS Proxy
If your network devices are unable to reach the local RADIUS proxy, here are some steps you can take to troubleshoot the issue:
- Make sure the server hosting your local RADIUS proxy doesn’t have a firewall blocking incoming traffic on the necessary ports (UDP 1812 and 1813 for RADIUS, TCP 2083 for RadSec). On Ubuntu with ufw:
    sudo ufw allow 1812/udp
    sudo ufw allow 1813/udp
    sudo ufw allow 2083/tcp
    sudo ufw reload
  Note that with Docker's default iptables integration, ports published with --publish are typically reachable before ufw's rules are evaluated, so if ufw is the only firewall on the host the container ports are usually already open; check firewalls between your network devices and the host as well.
- Make sure your network devices are configured to point to the correct IP address of your local RADIUS proxy for authentication requests.
- Check the logs of your local RADIUS proxy container for any error messages that might indicate connectivity issues. You can view the logs using the following commands:
    docker ps                    # to find your container ID
    docker logs <container_id>
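A minimal RADIUS client is the quickest way to separate "the device cannot reach the proxy" from "the proxy rejects the request", because it lets you test from the proxy host itself or from the access point's subnet without touching the device configuration. The script below is an added example, not part of the EZRADIUS package or this guide: it builds a PAP Access-Request (RFC 2865) carrying a Message-Authenticator attribute (RFC 2869), sends it to UDP 1812, and verifies the reply's Response Authenticator so that a forged reply or a wrong shared secret is reported rather than mistaken for an answer. It assumes a RADIUS shared secret configured on both the network device and the proxy (this guide does not describe where that is set); the host, secret and credentials passed to probe() are placeholders, and the names here are the example's own. An Access-Reject whose authenticator verifies still proves that the proxy is reachable and the shared secret matches; whether the policy accepts a plain PAP password is a separate question, since EZRADIUS policies use EAP-TLS or EAP-TTLS.

```python
"""RADIUS (RFC 2865/2869) PAP probe for a local RADIUS proxy, standard library only.
Added example, not EZRADIUS code; the host, shared secret and credentials passed in are placeholders."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}


def _attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Walk the attribute area after the 20-byte header, bounded by the packet's Length field."""
    attrs, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((kind, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded, out, prev = password + bytes(-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def decrypt_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's inverse of encrypt_password; used here to self-check the encoding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes, identifier: int,
                         authenticator: bytes | None = None) -> tuple[bytes, bytes]:
    """Access-Request with PAP credentials and a Message-Authenticator; returns (packet, request authenticator)."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(NAS_IDENTIFIER, b"ezradius-probe")
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero while the HMAC is computed (RFC 2869 5.14)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, "md5").digest(), authenticator


def message_authenticator_valid(packet: bytes, secret: bytes, request_auth: bytes | None = None) -> bool:
    """Recompute HMAC-MD5 over the packet with the attribute zeroed; a reply is keyed on the request authenticator."""
    pos = 20
    for kind, value in parse_attributes(packet):
        if kind == MESSAGE_AUTHENTICATOR:
            break
        pos += 2 + len(value)
    else:
        return False  # absent: servers hardened against forged requests reject such packets
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), packet[pos + 2:pos + 18])


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def check_response(packet: bytes, secret: bytes, request_auth: bytes, identifier: int) -> tuple[bool, int]:
    """(authentic, code). Not authentic means a wrong shared secret or a spoofed reply: discard it."""
    if len(packet) < 20:
        return False, 0
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or not 20 <= length <= len(packet):
        return False, code
    body = packet[:length]
    expected = hashlib.md5(body[:4] + request_auth + body[20:] + secret).digest()
    return hmac.compare_digest(expected, body[4:20]), code


def probe(host: str, secret: bytes, username: str, password: str, port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request to the proxy and classify what comes back."""
    identifier = secrets.randbelow(256)
    packet, request_auth = build_access_request(username, password, secret, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (blocked port, wrong address, or the proxy dropped the request)"
    ok, code = check_response(reply, secret, request_auth, identifier)
    if not ok:
        return "reply failed the Response Authenticator check: wrong shared secret or spoofed reply"
    return CODE_NAMES.get(code, f"code {code}")
```

Call it as probe("192.0.2.10", b"ChangeMe", "user@example.com", "password") with your proxy's address, the shared secret and a test account. A timeout points at the firewall, the published ports or the address; an authenticator failure points at the shared secret; Access-Accept or Access-Reject means the path to the proxy is sound and the remaining problem, if any, lies in the policy, the allowed IP list or the Entra ID permissions covered above.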