How-To: Enable RADIUS with Entra ID Authentication in Ruckus Unleashed
Ruckus APs can operate in Unleashed mode or in controller-based mode. This guide focuses on Ruckus Unleashed, which is Ruckus’s controller-less WiFi solution for small to medium-sized businesses. For more information on setting up RADIUS with Ruckus in controller-based mode, refer to Ruckus’s official documentation such as the SmartZone docs or Ruckus cloud docs.
Prerequisites for Setting Up RADIUS Authentication With Ruckus Unleashed
- You have registered the Keytos Entra ID applications in your tenant
- You have an active EZRADIUS plan
- You are an Owner or Network Administrator on your plan
- You have created a Cloud RADIUS Network Policy with your public IP address registered
Before setting up your network device, make sure you have registered its public IP address in your EZRADIUS policy. If the IP address is not registered, the RADIUS server will reject authentication requests from your device, and we will not be able to forward error logs to your EZRADIUS account.
Introduction - How RADIUS Authentication Works in Ruckus Unleashed and EZRADIUS
For your Ruckus Unleashed network to authenticate users with Entra ID, you need to enable RADIUS authentication and connect it to a RADIUS service that supports Entra ID. This guide will show you how to enable RADIUS authentication in WPA-Enterprise with Ruckus Unleashed and EZRADIUS.
What are the Different Types of Entra ID Authentication for Network?
When using Entra ID for network authentication, you can choose between two types of authentication: EAP-TLS (Certificate Based Authentication) and EAP-TTLS (Password Based Authentication). EAP-TLS is the most secure and convenient method of authentication, as it uses certificates to authenticate users, meaning that the user does not have to enter their password or do anything. If you are using an MDM, you can use it to distribute the certificates to the user and set up automatic WiFi authentication. EAP-TTLS is a password-based authentication method that allows your users to authenticate with their Entra ID username and password (Note: You might have to make some changes to enable EAP-TTLS with Entra ID).
How to Enable RADIUS Authentication in WPA-Enterprise In Your Ruckus Unleashed Network - Step by Step
To set up RADIUS authentication in your Ruckus Unleashed network, you will need to first configure the RADIUS servers and then configure your SSID to use RADIUS authentication.
How to Configure RADIUS Servers in Ruckus Unleashed
- Begin by logging into your Ruckus Unleashed admin interface. You can do this by entering the IP address of your Ruckus Unleashed device into a web browser and logging in with your admin credentials.
- Under Services, navigate to Authentication Servers.
- Click on Add to create a new RADIUS server entry.
- Fill in the RADIUS server basics:
  - Name: Enter a name for your RADIUS server (e.g., “EZRADIUS”).
  - Type: Select “RADIUS”.
  - Encryption: Leave TLS unchecked for classic RADIUS, as this guide covers classic RADIUS setup and not RadSec.
  - Auth Method: Select “PAP”.
  - Backup RADIUS: Check the box for Enable Backup RADIUS support, as EZRADIUS provides multiple servers for redundancy.
- In your EZRADIUS portal, navigate to Policies and copy the IP address of your RADIUS server which is closest to your location.
- Still in EZRADIUS, scroll down to your Policy and copy the Shared Secret for your IP address.
- Back in your Ruckus Unleashed admin interface, fill in the details for the First Server:
  - IP Address: Paste the RADIUS server IP address you copied from the EZRADIUS portal.
  - Port: Leave as default (1812).
  - Shared Secret: Paste the Shared Secret you copied from the EZRADIUS portal.
- For the Second Server, repeat the previous step using another geography from the EZRADIUS portal for redundancy.
- Under Retry Policy, set the following:
  - Retry Timeout: Set to the highest value of 20 seconds to account for the round-trip time to the EZRADIUS servers.
  - Max Number of Retries: Set to 5 to ensure multiple attempts before failing over to the backup server.
  - Max Number of Consecutive Drop Packets: Set to 5 to allow for some packet loss without immediately failing the authentication.
  - Reconnect Primary: Set to 5 minutes to allow the system to attempt to reconnect to the primary server periodically.
- Click Add to save the RADIUS server configuration.
- To set up RADIUS Accounting, click Add again.
- Repeat the previous steps to add the same RADIUS servers for accounting.
  - Name: Enter a name for your RADIUS accounting server (e.g., “EZRADIUS Accounting”).
  - Type: Select “RADIUS Accounting”.
  - Encryption: Leave TLS unchecked.
  - Backup RADIUS: Check the box for Enable Backup RADIUS Accounting support.
  - Fill in the First Server and Second Server details as before, but use port 1813 for accounting.
  - Set the Request Timeout to 20 seconds.
  - Set the Max Number of Retries to 5.
  - Set the Max Number of Consecutive Drop Packets to 5.
  - Set the Reconnect Primary to 5 minutes.
- Click Add to save the RADIUS accounting server configuration.
- You should now see both your RADIUS Servers and Accounting Servers listed.
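With TLS left unchecked, the Shared Secret pasted above is the only key protecting classic RADIUS traffic on port 1812. The following is an added example, not code from Ruckus or EZRADIUS, and it goes beyond the GUI steps to the packet format of RFC 2865 and RFC 3579: it shows how a PAP User-Password is hidden with the secret and how the Message-Authenticator fails when the two sides hold different secrets. All user names, secrets and identifiers in it are constructed.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80  # RFC 2865/3579

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, rebuilt from the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, nas_id, ident=1, authenticator=None):
    """Access-Request (code 1) as sent to UDP 1812, with Message-Authenticator last."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    length = 20 + len(attrs) + 18  # header + attributes + Message-Authenticator
    header = struct.pack("!BBH", 1, ident, length) + authenticator
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()  # RFC 3579 3.2
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the field zeroed; a wrong secret fails here."""
    zeroed = packet[:-16] + b"\x00" * 16
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[-16:], expected)

if __name__ == "__main__":  # constructed sample values, not real credentials
    pkt = build_access_request(b"alice@example.com", b"pw", b"constructed-secret", b"unleashed-ap")
    print(len(pkt), message_authenticator_ok(pkt, b"constructed-secret"))
```

The password hiding is only MD5-keyed XOR, so a long random Shared Secret and a tightly scoped registered source IP matter for classic RADIUS.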
How to Configure Your SSID to Use RADIUS Authentication
Now that you have configured the RADIUS servers, you need to set up your SSID to use RADIUS authentication.
- Under the Wi-Fi menu, navigate to Wi-Fi Networks List.
- Select your SSID and click Edit.
- Fill in the following Network Details:
  - Authentication Method: Select 802.1X EAP from the dropdown menu.
  - Encryption Method: Select your desired encryption method (WPA2, WPA3, or WPA2/WPA3 Mixed).
  - Authentication Server: Select the RADIUS server you created earlier from the dropdown menu.
  - Accounting Server: Select the RADIUS accounting server you created earlier from the dropdown menu.
  - Send Interim-Update: Keep this as the default value of 10 minutes.
- Click Apply to save the SSID configuration.
- Done! You’ve successfully configured RADIUS authentication in your Ruckus Unleashed network using Entra ID via EZRADIUS.
How to Connect Your Devices to the Ruckus Unleashed Network
Now that you have set up your Ruckus Unleashed network with RADIUS authentication, you can connect your devices to your network using Entra ID by either using EAP-TLS (certificates) or EAP-TTLS (Entra Username/Password).
How to Connect Devices to Ruckus Unleashed Network with Entra ID Authentication
If you are using EAP-TLS certificates, you can use an MDM to distribute the certificates to your devices via SCEP.
Set up MDM to distribute certificates and WiFi profiles →
If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP Authentication to be able to test your network using your Entra ID username and password.
How to Connect Devices to Ruckus Unleashed Network with Certificate Authentication
If you are using EAP-TTLS with passwords, you may have to set up your device for EAP-TTLS PAP Authentication to be able to test your network using your Entra ID username and password. You can also use an MDM to push WiFi profiles to your devices.
Set up MDM to distribute WiFi profiles →
Versions Tested
This guide was tested with the following versions of Ruckus Unleashed firmware:
- ✅ Unleashed 200.18.7