Server Settings

Server settings are available under https://YOURNAME.radius-as-a-service.com/settings/server

Last updated 2 months ago


Ports & IP Addresses

Overview

RADIUSaaS operates a RadSec service to provide secure cloud-based authentication for its users. In addition, for those customers who are unable to utilise RadSec in their network environment, e.g. due to hardware and software limitations, RADIUSaaS provides RADIUS Proxies that handle the protocol conversion from RADIUS to RadSec.

Both the RadSec and RADIUS services offer public IP addresses that enable your network appliances and services to communicate with our service from anywhere via the internet. These services operate on their unique registered ports.

RadSec / TCP

RadSec DNS

The DNS entry through which the RadSec service can be reached.

Server IP Addresses

This is the public IP address of the RadSec service.

RadSec Ports

This is the registered port for RadSec: 2083

Failover & Redundancy

In cases where customers require higher levels of redundancy, multiple RadSec endpoints can be configured for your instance, providing additional IP addresses. Please note that there is an additional cost for this service.

It is important to note that RADIUSaaS does NOT provide failover between RadSec endpoints. Instead, this failover is typically implemented on your network equipment, as shown in the example below using Meraki.

It is recommended to configure your failover scenario using IP addresses rather than DNS for better visibility and less reliance on an additional service (DNS).

In this configuration, the two RadSec IP addresses are listed in order of preference. When Meraki is unable to reach one of the IP addresses, it will typically try two more times and then move on to the next one. For more information regarding the failover capability of your Meraki (or other) system, please consult your own resources.

RadSec Settings

The following settings control certain aspects of the RadSec connection to your RADIUSaaS instance.

Maximum TLS Version

This setting controls the maximum TLS version for your RadSec interface. The minimum version is fixed at 1.2, the default maximum is set to 1.3.

TLS 1.3 offers several advantages over 1.2, including the post-handshake authentication mechanism, which allows requesting additional credentials before completing the handshake. This is important for the verification checks for RadSec certificates setting discussed next.

Verification checks for RadSec certificates

This setting determines whether a revocation check should be performed for all RadSec connections. The way the revocation status is verified differs slightly from that used for client authentication certificates.

For proper RadSec operation, your network devices, such as Access Points, Switches, and VPN Servers, must initially perform a (mutual) TLS handshake to forward Access-Request messages to the RadSec Server. To check the revocation status of a RadSec client certificate during the handshake, the certificate must be sent within the TLS tunnel.

TLS 1.2

In TLS 1.2, there is no method to request the RadSec client certificate during the handshake, so the handshake may complete before RADIUSaaS has fully authorised it. Your network device may then perceive the channel as open and forward requests even though this is not the case on our side. Your network device's RadSec client certificate is not transmitted until a client device authenticates, and we cannot check the revocation status of the certificate until then. This can lead to authentication timeouts or rejections because the client has to restart the authentication completely.

To mitigate the above behaviour, the verification check is deactivated when the maximum TLS version is set to 1.2. Please note that you can manually reactivate it later.

TLS 1.3

TLS 1.3 allows explicitly requesting the RadSec client certificate before completing the handshake. This ensures that if the verification status is 'revoked', the handshake will fail immediately.

This setting is automatically enabled when the maximum TLS version is set to 1.3.

RADIUS / UDP

Server IP Addresses and Location

Geo-location of the RADIUS Proxy/Proxies as well as the respective public IP address(es).

Shared Secrets

The shared secret for the respective RADIUS Proxy. By default, all RADIUS Proxies are initialized with the same shared secret.

Ports

This section displays the standard ports for the RADIUS authentication (1812) and RADIUS accounting (1813) services.

Failover & Redundancy

Proxy Redundancy

RadSec Service Redundancy for Proxies

When using RADIUSaaS with multiple RadSec instances, Proxies are automatically configured to connect to all available RadSec instances. A RADIUSaaS Proxy will prioritize connecting to the nearest regional RadSec Service. If that service is unavailable, it will switch to another available RadSec Service.

Server Certificates

Customer-CA

By default, RADIUSaaS generates a RADIUS Server Certificate signed by a Certificate Authority (CA) that is available on our service solely for this very purpose. We refer to it as the Customer-CA. The Customer-CA is unique for each customer.

To create your Customer-CA, follow these simple steps:

  1. Navigate to Settings > Server Settings

  2. Click Add

  3. Choose Let RaaS create a CA for you

  4. Click on Save

  5. After the creation, you will see a new certificate available under Server Certificates

Bring your own certificate

In case you do not want to use the Customer CA, you can upload up to two of your own certificates.

SCEPman-issued server certificate

Please follow these steps to leverage SCEPman Certificate Master to generate a new server certificate:

  1. Navigate to your SCEPman Certificate Master web portal.

  2. Select Request Certificate on the left

  3. Select New Server Certificate on the top

  4. Set the Download file format to PEM

  5. Select Include Certificate Chain and download the certificate.

  6. Submit the request to download the new server certificate.

Important: Take temporary note of the password since it cannot be recovered from Certificate Master.

Upload the new server certificate to RADIUSaaS

To add the server certificate created in the steps above, navigate to RADIUSaaS instance > Settings > Server Settings > Add, then:

  1. Choose PEM or PKCS#12 encoded Certificate (If you selected PKCS#12 in step 5, this contains both public and private key)

  2. Drag & drop your certificate file or click to browse for it

  3. Enter the password of your Private Key

  4. Click Save

Certificate activation

Make sure to monitor the expiry of your server certificate and renew it in due time to prevent service interruptions.

As certificates expire from time to time, or your preferences on which certificates you would like to use change, it is important that you can control the certificate that your server is using. The Active column shows you the certificate your server is currently using. To change the certificate your server is using, expand the row of the certificate you would like to choose and click Activate.

Download

To download your Server Certificate, you have two options:

  1. Click Download CA Certificate on the top. This will directly download the trusted root CA of the currently active server certificate.

  2. Click the download icon in the corresponding row.

Option 2 will open a dialog showing the complete certificate path. The root certificate will always be marked in green.

openssl x509 -inform pem -in <DOWNLOADED_FILE> -outform der -out <CONVERTED_FILE>

Delete

To delete a certificate, expand the corresponding row, click Delete and confirm your choice.

Certificate Expiration

Do not let the RADIUS Server Certificate expire. It will break the authentication.

Certificates expire from time to time. Five months before your certificate is going to expire, your dashboard will give you a hint by displaying a warning sign next to it.

If the triangle is displayed next to the active RADIUS Server Certificate, follow the Server Certificate Renewal guide to update it.

This section is available when you have configured at least one RADIUS Proxy. For each proxy, a separate public IP address is available. The public IP addresses in this section support the RADIUS protocol only and thus listen on ports 1812/1813.

These IP addresses listen only on UDP ports 1812/1813.

Note that a single RADIUSaaS Proxy does not provide redundancy. To ensure redundancy, set up multiple RADIUSaaS Proxies as described here.

Enter all Fully Qualified Domain Names (FQDNs) that the certificate shall be valid for, separated by commas, semicolons, or line breaks. Generate a server certificate as described here and provide any FQDN you want. We recommend adapting the SAN of the default server certificate, e.g. radsec-<your RADIUSaaS instance name>.radius-as-a-service.com.

Please note: By default, SCEPman Certificate Master issues certificates that are valid for 730 days. If you'd like to change this, please refer to SCEPman's documentation.

For both options, the downloaded root certificate is encoded in base64 (PEM). In case your device (e.g. WiFi controller) needs a binary encoding (DER), you can convert it using OpenSSL, with the command shown in the Download section above.
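
As an added example (not part of the RADIUSaaS documentation or product), the shell functions below wrap the OpenSSL conversion from the Download section, confirm that the DER file holds the same certificate as the PEM, and flag a certificate that is inside the five-month warning window described under Certificate Expiration. The function names, the 150-day threshold and the throwaway self-signed certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not RADIUSaaS code. Function names are hypothetical.
WARN_DAYS=150   # assumption: "five months" taken as 150 days

# PEM -> DER, the same openssl invocation as in the Download section.
pem_to_der() {
    openssl x509 -inform pem -in "$1" -outform der -out "$2"
}

# SHA-256 fingerprint of a certificate in the given encoding (pem or der).
fingerprint() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 2>/dev/null
}

# Succeeds only if the DER file holds the same certificate as the PEM file.
same_cert() {
    a=$(fingerprint pem "$1") && b=$(fingerprint der "$2") && [ "$a" = "$b" ]
}

# Prints ok, renew, expired or unreadable for a PEM certificate.
cert_status() {
    days=${2:-$WARN_DAYS}
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable; return 2      # not a parsable certificate
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    elif ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew; return 1           # inside the warning window
    fi
    echo ok
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=radsec-example.invalid" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_sample_cert "$d/server.pem" 90
    pem_to_der "$d/server.pem" "$d/server.der"
    same_cert "$d/server.pem" "$d/server.der" && echo "DER matches PEM"
    echo "status: $(cert_status "$d/server.pem")"
    rm -rf "$d"
}
demo
```

cert_status accepts an optional second argument that overrides the warning window in days.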

Figures (images not reproduced):

  • Showing RadSec IP and port
  • Showing two public IP addresses, one for each of the RadSec services.
  • Showing multiple RadSec servers in order of priority (Meraki).
  • Showing changing of shared secrets per proxy
  • Showing the root certificate in green
  • Screenshot showing certificate expiration