How to Deploy Local RADIUS Proxy for Cloud RADIUS

Do I Need a Local Proxy To Run EZRADIUS Cloud RADIUS?

No. EZRADIUS cloud RADIUS can function without a local RADIUS proxy; in fact, most of our customers do not use one. However, we understand some organizations may require a local proxy for compliance, performance, or redundancy reasons for highly critical workloads that have to work even if the connection to the cloud is lost.

Advantages of Running Cloud RADIUS Proxy

  1. Reduced Latency: By handling authentication requests locally, you can reduce the latency associated with cloud communication, leading to faster authentication times.
  2. Increased Reliability: RADIUS was created using the UDP protocol, which might lose some packets when going through the internet. Using a local RADIUS proxy can help mitigate this issue by keeping that protocol local and sending the information to the cloud using a more traditional TCP connection. In addition to this reliability boost, in the event of a cloud outage or connectivity issue, a local RADIUS proxy can continue to authenticate users, ensuring uninterrupted access to critical services.
  3. Compliance: Some organizations may have compliance requirements that necessitate keeping authentication data on-premises. A local proxy can help meet these requirements while still leveraging cloud services.
  4. Security for Insecure Protocols: While modern RADIUS authentication protocols such as EAP-TLS (certificate-based authentication) or EAP-TTLS (Entra ID Password Authentication) are secure by default, some legacy protocols such as MAC Authentication Bypass are not secure to send unencrypted over the internet (RadSec protects against this, but some networking gear does not support RadSec). Our RADIUS proxy does all the RADIUS authentication locally in your network and securely connects to our RADIUS server using HTTPS with client certificate authentication.

How EZRADIUS Local RADIUS Proxy Works

EZRADIUS Local RADIUS Proxy acts as an intermediary between your network devices (like VPNs, Wi-Fi access points, and firewalls) and the EZRADIUS Cloud RADIUS servers. It receives authentication requests from your devices, processes them locally, and then forwards them to the cloud for validation. Since this setup has a configurable cache, it ensures that even if there are connectivity issues with the cloud, your local proxy can still handle authentication requests.

What Happens if the Local RADIUS Proxy Is Down

One of the reasons people move to the cloud is the higher availability that tools like EZRADIUS provide. This is why, while a local RADIUS proxy is beneficial, we recommend not setting it up as a single point of failure. If the local RADIUS proxy goes down, your networking gear should point to the EZRADIUS IP address directly to ensure continued authentication capabilities.

How Can I Set Up Redundant Cloud RADIUS Proxies?

To set up redundant Cloud RADIUS proxies, you can deploy multiple instances of the EZRADIUS Local RADIUS Proxy in different locations within your network. These instances will be completely independent, and since they are backed by the same cloud infrastructure, they can share the same authentication data. This ensures that if one instance goes down, the others can continue to handle authentication requests without interruption. Additionally, you can use load balancers to distribute authentication requests across the available proxy instances, further enhancing reliability and performance. (Note: make sure the load balancers are sticky during the authentication to ensure that the backend server doesn’t change mid-authentication.)
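
The load balancer note above matters because an EAP authentication spans several RADIUS round trips, all of which must reach the same proxy. As an added example (not EZRADIUS code), this Python code derives a sticky key from the NAS address and the Calling-Station-Id attribute and picks a proxy with rendezvous hashing; the proxy host names and sample packets are constructed for illustration.

```python
import hashlib
import struct

CALLING_STATION_ID = 31   # RFC 2865: identifies the client, typically its MAC
EAP_MESSAGE = 79          # RFC 3579
PROXIES = ["proxy-a.example", "proxy-b.example", "proxy-c.example"]  # hypothetical names

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def sticky_key(nas_ip: str, packet: bytes) -> bytes:
    """Same key for every round of one client; NAS address alone if no Calling-Station-Id."""
    station = parse_attributes(packet).get(CALLING_STATION_ID, [b""])[0]
    return nas_ip.encode() + b"|" + station.lower()

def pick_backend(key: bytes, backends: list) -> str:
    """Rendezvous hashing: stable per key; losing a proxy moves only its conversations."""
    if not backends:
        raise ValueError("no proxy available")
    return max(backends, key=lambda b: hashlib.sha256(key + b"|" + b.encode()).digest())

def build_request(ident: int, station: bytes, eap: bytes) -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    attrs = bytes([CALLING_STATION_ID, len(station) + 2]) + station
    attrs += bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs

def route_conversation(nas_ip, station, rounds=4, backends=PROXIES):
    """Backend chosen for each round of a constructed multi-round EAP exchange."""
    pkts = [build_request(i, station, bytes([i]) * 4) for i in range(rounds)]
    return [pick_backend(sticky_key(nas_ip, p), backends) for p in pkts]

if __name__ == "__main__":
    print(route_conversation("10.0.0.5", b"AA-BB-CC-11-22-33"))
```

Round-robin or per-packet balancing would spread those four rounds across proxies; keying on the client keeps them together even when the RADIUS identifier changes every round.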