What is Cloud RADIUS? A Comprehensive Guide to RADIUS as a Service

What is Cloud RADIUS? A Comprehensive Guide to RADIUS as a Service. Welcome to the Purple WiFi Intelligence Podcast. I'm your host, and today we're doing a deep-dive briefing on Cloud RADIUS — what it is, how it works under the hood, and critically, how to evaluate whether it's the right move for your organisation this quarter. Whether you're running a hotel group, a retail estate, a stadium, or a public-sector network, this one's for you. Let's set the scene. Introduction and Context. If you've ever had to explain to a board why your network authentication server went down at 2am — and why it took three hours to bring back up — you already understand the core problem Cloud RADIUS solves. Traditional on-premises RADIUS infrastructure is powerful, but it carries significant operational overhead. Hardware to procure, patch cycles to manage, redundancy to architect manually, and a single point of failure sitting in your server room. Cloud RADIUS, or RADIUS as a Service, moves that authentication layer into a managed, highly available cloud environment. The protocol itself — Remote Authentication Dial-In User Service — hasn't changed. It's still the backbone of IEEE 802.1X network access control, still the mechanism your access points use to validate who gets onto your network. But the infrastructure running it is now someone else's problem. And in enterprise IT, that's a significant shift. So let's get into the technical detail. Technical Deep-Dive. RADIUS was originally defined in RFC 2865, published back in 2000, and it's remained remarkably durable. The protocol operates on a client-server model. Your network access device — whether that's a WiFi access point, a VPN concentrator, or a wired switch — acts as the RADIUS client, also called the Network Access Server or NAS. When a user attempts to connect, the NAS forwards an Access-Request packet to the RADIUS server, which validates the credentials against a user directory — typically Active Directory, LDAP, or a cloud identity provider — and returns either an Access-Accept or Access-Reject. That's the core exchange. But the real complexity sits in what happens around it: EAP methods, VLAN assignment, policy enforcement, accounting records, and certificate management. In a traditional on-premises deployment, you're running FreeRADIUS or Microsoft NPS on dedicated hardware, managing your own certificates, configuring your own failover, and maintaining your own user database sync. For a single-site deployment with a competent IT team, that's manageable. For a 50-site retail estate or a hotel group with properties across multiple countries, it becomes a significant operational burden. Cloud RADIUS abstracts all of that. The authentication logic, the certificate infrastructure, the redundancy, and the policy engine are all delivered as a managed service. Your access points point to cloud-hosted RADIUS endpoints — typically a primary and secondary IP address — and the service handles everything behind that. Now, let's talk about the authentication methods, because this is where the technical decisions really matter. The most common EAP method in enterprise WiFi is PEAP — Protected EAP — which tunnels MSCHAPv2 inside a TLS session. It's widely supported, works with Active Directory natively, and is the default for most Windows and Android devices. However, PEAP has known vulnerabilities, particularly around certificate validation. If your client devices aren't configured to verify the server certificate, you're exposed to credential harvesting attacks via rogue access points. EAP-TLS is the gold standard. It uses mutual certificate authentication — both the server and the client present certificates — which eliminates the password attack surface entirely. The trade-off is client certificate deployment, which requires a PKI infrastructure and MDM integration. For managed device fleets, this is absolutely the right choice. For BYOD environments, it's more complex. EAP-TTLS and EAP-FAST are also worth knowing. TTLS is particularly common in environments where you need to support a wide range of client devices, including Linux systems. EAP-FAST was developed by Cisco as an alternative to PEAP that avoids the certificate validation dependency, using Protected Access Credentials instead. A well-architected Cloud RADIUS service supports all of these methods and lets you configure per-SSID policy — so your corporate SSID uses EAP-TLS with certificate validation, your staff SSID uses PEAP with Active Directory, and your guest network uses a captive portal or social login flow entirely separate from the RADIUS stack. Speaking of which — RADIUS and guest WiFi are often conflated, but they serve different purposes. RADIUS is your authentication and authorisation layer for known users and devices. Guest WiFi typically uses a captive portal flow, which is a different mechanism entirely. Purple's platform, for instance, handles guest authentication through a separate identity layer, capturing first-party data and enabling marketing automation, while RADIUS handles the corporate and staff network access control. These are complementary, not competing, systems. Now, let's talk about what "cloud-hosted" actually means in practice. A properly architected Cloud RADIUS service runs across multiple availability zones, with automatic failover. Authentication requests are load-balanced across nodes, and the service maintains sub-100-millisecond response times even under peak load. For a stadium handling 40,000 concurrent connections during an event, that latency and throughput profile is critical. A single on-premises server simply cannot match that elasticity. From a compliance perspective, Cloud RADIUS providers operating in the UK and EU need to be GDPR-compliant in how they handle authentication logs and user data. For retail and hospitality environments that also process payment card data, PCI DSS requirements around network segmentation and access control are directly relevant — RADIUS is part of your control environment, and your QSA will want to see evidence of proper configuration and audit logging. WPA3 is also worth addressing. The transition from WPA2 to WPA3 introduces Simultaneous Authentication of Equals — SAE — for personal networks, and WPA3-Enterprise for corporate environments. WPA3-Enterprise mandates 192-bit security mode for the highest classification, which requires specific EAP methods and cipher suites. A Cloud RADIUS service needs to support these configurations to be future-proof. Implementation Recommendations and Pitfalls. Right, let's get practical. If you're evaluating Cloud RADIUS for deployment this quarter, here's what I'd focus on. First, integration with your identity provider. Your Cloud RADIUS service needs to sync with wherever your users actually live — whether that's Microsoft Entra ID, formerly Azure AD, Google Workspace, Okta, or an on-premises Active Directory via LDAP proxy. The quality of this integration determines your operational overhead. Native SAML or SCIM provisioning is far preferable to manual CSV imports. Second, certificate management. If you're deploying EAP-TLS, you need a clear answer on how client certificates are issued, renewed, and revoked. The best Cloud RADIUS services include an integrated PKI or integrate cleanly with your existing certificate authority. Certificate expiry is one of the most common causes of authentication failures in enterprise WiFi — it's entirely avoidable with proper automation. Third, network device compatibility. Your access points need to support RADIUS authentication — virtually all enterprise-grade APs do — but you need to verify the specific EAP methods and RADIUS attributes your chosen service supports against your AP vendor's implementation. Cisco, Aruba, Juniper Mist, and Ruckus all have their own nuances in how they handle RADIUS attributes and CoA — Change of Authorisation — messages. Fourth, redundancy configuration. Always configure both a primary and secondary RADIUS server IP. The failover timeout on your NAS devices matters — if it's set too high, users will experience a 30-second authentication delay when the primary is unreachable. A 3-to-5-second timeout with immediate failover is the right configuration for most environments. Fifth — and this is the one people miss — accounting. RADIUS accounting records are your audit trail. They tell you who connected, from which device, at what time, and for how long. For compliance purposes, particularly in healthcare and public-sector environments, these records need to be retained and accessible. Make sure your Cloud RADIUS provider gives you access to accounting data, not just authentication logs. Common pitfalls: shared secret complexity. Your RADIUS shared secret — the pre-shared key between your NAS and the RADIUS server — needs to be long and random. Short or guessable shared secrets are a real attack vector. Use at least 32 characters, generated randomly, and rotate them on a schedule. Also watch out for IP whitelisting. Many Cloud RADIUS services require you to whitelist the source IPs of your NAS devices. In a dynamic cloud environment where your AP management platform might use NAT, this can cause unexpected authentication failures. Confirm the NAT behaviour of your network before deployment. Rapid-Fire Q&A. Let me run through a few questions I get asked regularly. Can Cloud RADIUS support multi-tenant environments? Yes — most enterprise Cloud RADIUS services support tenant isolation, so a managed service provider can run separate RADIUS policies for multiple clients from a single platform. What's the typical latency for a Cloud RADIUS authentication? Sub-100 milliseconds for a well-architected service. The 802.1X handshake itself adds some overhead, but for most EAP methods, total authentication time should be under 500 milliseconds end-to-end. Does Cloud RADIUS work with OpenRoaming? Yes. OpenRoaming — the Wireless Broadband Alliance's roaming framework — uses RADIUS federation at its core. A Cloud RADIUS service that supports Hotspot 2.0 and OpenRoaming allows your users to authenticate automatically across participating networks globally. Purple supports OpenRoaming under its Connect licence, acting as an identity provider in the federation. Is Cloud RADIUS suitable for high-security environments? For most enterprise environments, yes. For environments with classified data or specific government security classifications, you may need to evaluate whether a managed cloud service meets your specific accreditation requirements. Summary and Next Steps. To bring this together: Cloud RADIUS is a mature, production-ready approach to network access control that removes the operational burden of on-premises RADIUS infrastructure without compromising on security or capability. For multi-site organisations, the ROI case is straightforward — you eliminate hardware capex, reduce IT overhead, gain built-in redundancy, and get a service that scales with your estate. The key decisions are: which EAP method is right for your device fleet, how you integrate with your existing identity provider, and whether your chosen service gives you the compliance and audit capabilities your organisation requires. If you're running a hotel group, a retail chain, or managing public-sector networks, I'd recommend starting with a proof-of-concept on a single site — get your RADIUS configuration right, validate the integration with your identity provider, and measure authentication latency before rolling out across your estate. For more on WiFi analytics, guest network management, and how Purple's platform integrates with RADIUS-based authentication, visit purple.ai. Thanks for listening.