Saltar al contenido principal
Español (México)

¿Qué es Cloud RADIUS? Una guía completa de RADIUS como servicio

Esta guía completa explora Cloud RADIUS (RADIUS como servicio), detallando su arquitectura, métodos EAP y estrategias de implementación. Proporciona a los líderes de TI información práctica sobre la migración de servidores locales a un modelo de autenticación basado en la nube escalable, seguro y compatible.

📖 5 min de lectura📝 1,077 palabras🔧 2 ejemplos resueltos3 preguntas de práctica📚 8 definiciones clave

Escucha esta guía

Ver transcripción del podcast
What is Cloud RADIUS? A Comprehensive Guide to RADIUS as a Service. Welcome to the Purple WiFi Intelligence Podcast. I'm your host, and today we're doing a deep-dive briefing on Cloud RADIUS — what it is, how it works under the hood, and critically, how to evaluate whether it's the right move for your organisation this quarter. Whether you're running a hotel group, a retail estate, a stadium, or a public-sector network, this one's for you. Let's set the scene. Introduction and Context. If you've ever had to explain to a board why your network authentication server went down at 2am — and why it took three hours to bring back up — you already understand the core problem Cloud RADIUS solves. Traditional on-premises RADIUS infrastructure is powerful, but it carries significant operational overhead. Hardware to procure, patch cycles to manage, redundancy to architect manually, and a single point of failure sitting in your server room. Cloud RADIUS, or RADIUS as a Service, moves that authentication layer into a managed, highly available cloud environment. The protocol itself — Remote Authentication Dial-In User Service — hasn't changed. It's still the backbone of IEEE 802.1X network access control, still the mechanism your access points use to validate who gets onto your network. But the infrastructure running it is now someone else's problem. And in enterprise IT, that's a significant shift. So let's get into the technical detail. Technical Deep-Dive. RADIUS was originally defined in RFC 2865, published back in 2000, and it's remained remarkably durable. The protocol operates on a client-server model. Your network access device — whether that's a WiFi access point, a VPN concentrator, or a wired switch — acts as the RADIUS client, also called the Network Access Server or NAS. When a user attempts to connect, the NAS forwards an Access-Request packet to the RADIUS server, which validates the credentials against a user directory — typically Active Directory, LDAP, or a cloud identity provider — and returns either an Access-Accept or Access-Reject. That's the core exchange. But the real complexity sits in what happens around it: EAP methods, VLAN assignment, policy enforcement, accounting records, and certificate management. In a traditional on-premises deployment, you're running FreeRADIUS or Microsoft NPS on dedicated hardware, managing your own certificates, configuring your own failover, and maintaining your own user database sync. For a single-site deployment with a competent IT team, that's manageable. For a 50-site retail estate or a hotel group with properties across multiple countries, it becomes a significant operational burden. Cloud RADIUS abstracts all of that. The authentication logic, the certificate infrastructure, the redundancy, and the policy engine are all delivered as a managed service. Your access points point to cloud-hosted RADIUS endpoints — typically a primary and secondary IP address — and the service handles everything behind that. Now, let's talk about the authentication methods, because this is where the technical decisions really matter. The most common EAP method in enterprise WiFi is PEAP — Protected EAP — which tunnels MSCHAPv2 inside a TLS session. It's widely supported, works with Active Directory natively, and is the default for most Windows and Android devices. However, PEAP has known vulnerabilities, particularly around certificate validation. If your client devices aren't configured to verify the server certificate, you're exposed to credential harvesting attacks via rogue access points. EAP-TLS is the gold standard. It uses mutual certificate authentication — both the server and the client present certificates — which eliminates the password attack surface entirely. The trade-off is client certificate deployment, which requires a PKI infrastructure and MDM integration. For managed device fleets, this is absolutely the right choice. For BYOD environments, it's more complex. EAP-TTLS and EAP-FAST are also worth knowing. TTLS is particularly common in environments where you need to support a wide range of client devices, including Linux systems. EAP-FAST was developed by Cisco as an alternative to PEAP that avoids the certificate validation dependency, using Protected Access Credentials instead. A well-architected Cloud RADIUS service supports all of these methods and lets you configure per-SSID policy — so your corporate SSID uses EAP-TLS with certificate validation, your staff SSID uses PEAP with Active Directory, and your guest network uses a captive portal or social login flow entirely separate from the RADIUS stack. Speaking of which — RADIUS and guest WiFi are often conflated, but they serve different purposes. RADIUS is your authentication and authorisation layer for known users and devices. Guest WiFi typically uses a captive portal flow, which is a different mechanism entirely. Purple's platform, for instance, handles guest authentication through a separate identity layer, capturing first-party data and enabling marketing automation, while RADIUS handles the corporate and staff network access control. These are complementary, not competing, systems. Now, let's talk about what "cloud-hosted" actually means in practice. A properly architected Cloud RADIUS service runs across multiple availability zones, with automatic failover. Authentication requests are load-balanced across nodes, and the service maintains sub-100-millisecond response times even under peak load. For a stadium handling 40,000 concurrent connections during an event, that latency and throughput profile is critical. A single on-premises server simply cannot match that elasticity. From a compliance perspective, Cloud RADIUS providers operating in the UK and EU need to be GDPR-compliant in how they handle authentication logs and user data. For retail and hospitality environments that also process payment card data, PCI DSS requirements around network segmentation and access control are directly relevant — RADIUS is part of your control environment, and your QSA will want to see evidence of proper configuration and audit logging. WPA3 is also worth addressing. The transition from WPA2 to WPA3 introduces Simultaneous Authentication of Equals — SAE — for personal networks, and WPA3-Enterprise for corporate environments. WPA3-Enterprise mandates 192-bit security mode for the highest classification, which requires specific EAP methods and cipher suites. A Cloud RADIUS service needs to support these configurations to be future-proof. Implementation Recommendations and Pitfalls. Right, let's get practical. If you're evaluating Cloud RADIUS for deployment this quarter, here's what I'd focus on. First, integration with your identity provider. Your Cloud RADIUS service needs to sync with wherever your users actually live — whether that's Microsoft Entra ID, formerly Azure AD, Google Workspace, Okta, or an on-premises Active Directory via LDAP proxy. The quality of this integration determines your operational overhead. Native SAML or SCIM provisioning is far preferable to manual CSV imports. Second, certificate management. If you're deploying EAP-TLS, you need a clear answer on how client certificates are issued, renewed, and revoked. The best Cloud RADIUS services include an integrated PKI or integrate cleanly with your existing certificate authority. Certificate expiry is one of the most common causes of authentication failures in enterprise WiFi — it's entirely avoidable with proper automation. Third, network device compatibility. Your access points need to support RADIUS authentication — virtually all enterprise-grade APs do — but you need to verify the specific EAP methods and RADIUS attributes your chosen service supports against your AP vendor's implementation. Cisco, Aruba, Juniper Mist, and Ruckus all have their own nuances in how they handle RADIUS attributes and CoA — Change of Authorisation — messages. Fourth, redundancy configuration. Always configure both a primary and secondary RADIUS server IP. The failover timeout on your NAS devices matters — if it's set too high, users will experience a 30-second authentication delay when the primary is unreachable. A 3-to-5-second timeout with immediate failover is the right configuration for most environments. Fifth — and this is the one people miss — accounting. RADIUS accounting records are your audit trail. They tell you who connected, from which device, at what time, and for how long. For compliance purposes, particularly in healthcare and public-sector environments, these records need to be retained and accessible. Make sure your Cloud RADIUS provider gives you access to accounting data, not just authentication logs. Common pitfalls: shared secret complexity. Your RADIUS shared secret — the pre-shared key between your NAS and the RADIUS server — needs to be long and random. Short or guessable shared secrets are a real attack vector. Use at least 32 characters, generated randomly, and rotate them on a schedule. Also watch out for IP whitelisting. Many Cloud RADIUS services require you to whitelist the source IPs of your NAS devices. In a dynamic cloud environment where your AP management platform might use NAT, this can cause unexpected authentication failures. Confirm the NAT behaviour of your network before deployment. Rapid-Fire Q&A. Let me run through a few questions I get asked regularly. Can Cloud RADIUS support multi-tenant environments? Yes — most enterprise Cloud RADIUS services support tenant isolation, so a managed service provider can run separate RADIUS policies for multiple clients from a single platform. What's the typical latency for a Cloud RADIUS authentication? Sub-100 milliseconds for a well-architected service. The 802.1X handshake itself adds some overhead, but for most EAP methods, total authentication time should be under 500 milliseconds end-to-end. Does Cloud RADIUS work with OpenRoaming? Yes. OpenRoaming — the Wireless Broadband Alliance's roaming framework — uses RADIUS federation at its core. A Cloud RADIUS service that supports Hotspot 2.0 and OpenRoaming allows your users to authenticate automatically across participating networks globally. Purple supports OpenRoaming under its Connect licence, acting as an identity provider in the federation. Is Cloud RADIUS suitable for high-security environments? For most enterprise environments, yes. For environments with classified data or specific government security classifications, you may need to evaluate whether a managed cloud service meets your specific accreditation requirements. Summary and Next Steps. To bring this together: Cloud RADIUS is a mature, production-ready approach to network access control that removes the operational burden of on-premises RADIUS infrastructure without compromising on security or capability. For multi-site organisations, the ROI case is straightforward — you eliminate hardware capex, reduce IT overhead, gain built-in redundancy, and get a service that scales with your estate. The key decisions are: which EAP method is right for your device fleet, how you integrate with your existing identity provider, and whether your chosen service gives you the compliance and audit capabilities your organisation requires. If you're running a hotel group, a retail chain, or managing public-sector networks, I'd recommend starting with a proof-of-concept on a single site — get your RADIUS configuration right, validate the integration with your identity provider, and measure authentication latency before rolling out across your estate. For more on WiFi analytics, guest network management, and how Purple's platform integrates with RADIUS-based authentication, visit purple.ai. Thanks for listening.

header_image.png

Resumen Ejecutivo

Para las redes empresariales modernas, la arquitectura tradicional de RADIUS (Remote Authentication Dial-In User Service) local representa un cuello de botella operativo significativo. La gestión de servidores físicos, la aplicación de parches a los sistemas operativos, el manejo de autoridades de certificación y la ingeniería de redundancia multisitio consumen valiosos recursos de TI. Cloud RADIUS (o RADIUS como servicio) aborda esto migrando la capa de autenticación IEEE 802.1X a una infraestructura en la nube gestionada y de alta disponibilidad. Esta guía proporciona una visión técnica completa de Cloud RADIUS para gerentes de TI, arquitectos de red y CTOs que evalúan estrategias de implementación. Al pasar de sistemas de alto costo de capital y mantenimiento manual a un modelo elástico y distribuido globalmente, las organizaciones en Retail , Hospitality y Transport pueden aplicar políticas de acceso robustas, lograr el cumplimiento (como PCI DSS y GDPR) e integrarse sin problemas con proveedores de identidad modernos como Microsoft Entra ID y Google Workspace.

Análisis Técnico Detallado

La Evolución de la Arquitectura RADIUS

RADIUS, definido inicialmente en RFC 2865, opera bajo un modelo cliente-servidor donde los Servidores de Acceso a la Red (NAS) —como puntos de acceso WiFi o concentradores VPN— reenvían las solicitudes de autenticación a un servidor central. Históricamente, esto significaba implementar FreeRADIUS o Microsoft Network Policy Server (NPS) en hardware dedicado. Aunque funcional para implementaciones de un solo sitio, escalar esta arquitectura en entornos distribuidos introduce desafíos significativos de latencia y redundancia.

Cloud RADIUS abstrae la infraestructura subyacente. Las solicitudes de autenticación se enrutan a puntos finales en la nube distribuidos globalmente, asegurando tiempos de respuesta inferiores a 100 ms incluso bajo cargas máximas. Esta elasticidad es crucial para entornos de alta densidad como estadios o centros de conferencias.

architecture_overview.png

Métodos EAP y Postura de Seguridad

La elección del método del Protocolo de Autenticación Extensible (EAP) dicta fundamentalmente su postura de seguridad:

  • PEAP (Protected EAP): Tuneliza MSCHAPv2 dentro de una sesión TLS. Aunque ampliamente compatible y fácil de integrar con Active Directory, PEAP es vulnerable a la recolección de credenciales a través de puntos de acceso no autorizados si los dispositivos cliente no están estrictamente configurados para validar el certificado del servidor.
  • EAP-TLS: El estándar de oro empresarial. Requiere autenticación mutua de certificados: tanto el servidor como el cliente deben presentar certificados válidos. Esto elimina por completo los ataques basados en contraseñas, pero requiere una Infraestructura de Clave Pública (PKI) robusta y la integración de Gestión de Dispositivos Móviles (MDM) para la implementación de certificados.
  • EAP-TTLS y EAP-FAST: Ofrecen alternativas cuando se requiere una amplia compatibilidad con clientes (incluidos sistemas heredados o Linux), o donde las dependencias de validación de certificados deben ser omitidas utilizando Credenciales de Acceso Protegido (PACs).

Integración de WPA3 y OpenRoaming

Las implementaciones modernas deben considerar WPA3-Enterprise, que exige el modo de seguridad de 192 bits para las clasificaciones más altas, requiriendo suites de cifrado específicas. Además, Cloud RADIUS facilita la participación en marcos de federación como OpenRoaming. Purple, por ejemplo, actúa como un proveedor de identidad gratuito para OpenRoaming bajo su licencia Connect, permitiendo una autenticación segura y sin interrupciones en las redes globales participantes.

Guía de Implementación

La implementación de Cloud RADIUS requiere un enfoque sistemático para garantizar cero tiempo de inactividad durante la transición.

Paso 1: Integración del Proveedor de Identidad (IdP)

Su instancia de Cloud RADIUS debe sincronizarse con su directorio de usuarios autorizado. Se recomienda encarecidamente el aprovisionamiento nativo SAML o SCIM con Microsoft Entra ID, Google Workspace u Okta, en lugar de proxies LDAP manuales o importaciones CSV. Esto asegura que cuando un empleado es dado de baja en el sistema de RRHH, su acceso a la red sea revocado instantáneamente.

Paso 2: Estrategia de Gestión de Certificados

Si implementa EAP-TLS, defina el ciclo de vida de su certificado. Seleccione un proveedor de Cloud RADIUS que incluya una PKI integrada o que se integre limpiamente con su Autoridad de Certificación (CA) existente. Automatice la emisión y revocación de certificados a través de su plataforma MDM (por ejemplo, Intune o Jamf) para evitar fallos de autenticación debido a certificados caducados.

Paso 3: Configuración de Dispositivos de Red

Configure sus dispositivos NAS (puntos de acceso, switches) para que apunten a las direcciones IP primarias y secundarias de Cloud RADIUS. Asegúrese de que el secreto compartido sea criptográficamente complejo (mínimo 32 caracteres aleatorios). Ajuste la configuración del tiempo de espera de conmutación por error; un tiempo de espera de 3 a 5 segundos es óptimo para evitar retrasos prolongados en la autenticación si el nodo principal no es accesible.

Paso 4: Definición de Políticas

Establezca políticas por SSID. Por ejemplo, exija EAP-TLS para la red corporativa, PEAP para dispositivos IoT heredados y aísle el acceso de invitados. Tenga en cuenta que RADIUS gestiona usuarios conocidos; para visitantes, implemente una solución dedicada de Guest WiFi con un captive portal para capturar datos de primera parte, integrándose con una plataforma de WiFi Analytics . Para más información sobre la interacción con invitados, consulte How To Improve Guest Satisfaction: The Ultimate Playbook .

comparison_chart.png

Mejores Prácticas

  • Implementar Certificado de Servidor EstrictoValidación de certificados: Para implementaciones de PEAP, impulse políticas de grupo o perfiles MDM que obliguen a los clientes a validar el certificado del servidor RADIUS y restrinjan la confianza a CA raíz específicas.
  • Segmentar el tráfico de contabilidad y autenticación: Asegúrese de que los datos de contabilidad de RADIUS se supervisen y retengan activamente. Esta pista de auditoría es fundamental para los informes de cumplimiento (por ejemplo, PCI DSS, HIPAA).
  • Monitorear la latencia de autenticación: La alta latencia a menudo indica un enrutamiento subóptimo o problemas de sincronización de IdP. Utilice herramientas de monitoreo para rastrear el tiempo transcurrido desde el paquete Access-Request hasta el paquete Access-Accept.
  • Optimizar la planificación de señal y canales: La autenticación confiable se basa en una capa física estable. Revise guías como Comprensión de RSSI y la fuerza de la señal para una planificación óptima de canales para asegurarse de que su entorno de RF admita el roaming 802.1X sin interrupciones.

Solución de problemas y mitigación de riesgos

Incluso con servicios gestionados, las configuraciones incorrectas pueden causar fallas de acceso. Los modos de falla comunes incluyen:

  • Vencimiento del certificado: La causa número uno de fallas de EAP-TLS. Mitigación: Implemente alertas automatizadas 30 días antes del vencimiento del certificado de CA o del servidor.
  • Discrepancia de secreto compartido: A menudo ocurre al agregar nuevos puntos de acceso. Mitigación: Estandarice las plantillas de configuración en su sistema de gestión de red.
  • Problemas de NAT y listas blancas de IP: Los proveedores de Cloud RADIUS suelen requerir la inclusión en listas blancas de IP de NAS. Si sus sucursales utilizan IP dinámicas o configuraciones NAT complejas, las solicitudes de autenticación pueden ser descartadas. Mitigación: Utilice IP de egreso estáticas o implemente un proxy RADIUS local si es necesario.
  • Fallas de sincronización de IdP: Si el directorio en la nube no se sincroniza con el AD local, los nuevos usuarios no pueden autenticarse. Mitigación: Monitoree activamente el estado del conector SCIM/LDAP.

ROI e impacto empresarial

La transición a Cloud RADIUS ofrece un valor empresarial medible:

  1. Reducción del Capex de infraestructura: Elimina la necesidad de comprar, instalar y alimentar servidores RADIUS físicos en cada sitio principal.
  2. Menor sobrecarga operativa: Los equipos de TI ya no dedican horas a parchear vulnerabilidades del sistema operativo o a gestionar manualmente la conmutación por error del servidor. Las actualizaciones gestionadas por el proveedor garantizan el cumplimiento continuo.
  3. Postura de seguridad mejorada: La transición a EAP-TLS a través de PKI en la nube mitiga el riesgo de robo de credenciales, reduciendo directamente el costo potencial de una violación de datos.
  4. Agilidad y escalabilidad: Al abrir una nueva sucursal minorista u hotel, la autenticación de red se puede aprovisionar en minutos en lugar de semanas. Para estrategias de implementación prácticas, consulte Configuración de WiFi para empresas: Un manual de 2026 .

Al centralizar el control de acceso, las organizaciones no solo aseguran sus perímetros, sino que también liberan talento de ingeniería sénior para que se concentre en iniciativas estratégicas en lugar de mantener la infraestructura heredada.

Definiciones clave

Cloud RADIUS

A managed service that hosts the Remote Authentication Dial-In User Service protocol in a highly available cloud environment, eliminating the need for on-premises authentication servers.

Evaluated by IT teams seeking to reduce hardware capex and operational overhead while maintaining secure 802.1X network access.

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)

A highly secure authentication method requiring both the client and the server to present digital certificates to prove their identity.

The recommended standard for enterprise networks to prevent password-based attacks, requiring PKI and MDM for deployment.

NAS (Network Access Server)

The device—such as a WiFi access point, switch, or VPN concentrator—that acts as the RADIUS client, forwarding user credentials to the RADIUS server.

Network engineers must configure the NAS with the correct RADIUS server IPs and shared secrets to enable 802.1X authentication.

Shared Secret

A cryptographic text string known only to the NAS and the RADIUS server, used to encrypt RADIUS packets and verify the sender's authenticity.

A weak shared secret is a major security vulnerability; enterprise deployments should use long, randomly generated strings.

SCIM (System for Cross-domain Identity Management)

An open standard that automates the exchange of user identity information between IT systems or cloud applications.

Used to automatically provision and de-provision users in the Cloud RADIUS directory when changes are made in the primary HR or IT identity system.

OpenRoaming

A federation framework developed by the Wireless Broadband Alliance that allows users to automatically and securely connect to participating WiFi networks globally.

Cloud RADIUS providers that support OpenRoaming (like Purple) allow venues to offer seamless, secure connectivity to visitors without captive portals.

Accounting Logs

Records generated by the RADIUS server detailing user connection events, including start time, end time, data transferred, and IP address assigned.

Critical for security audits, troubleshooting, and demonstrating compliance with frameworks like PCI DSS and GDPR.

Change of Authorization (CoA)

A RADIUS feature that allows the server to dynamically modify a user's active session, such as changing their VLAN or disconnecting them, without requiring a reconnection.

Used by network administrators to instantly quarantine a compromised device or apply new policy restrictions mid-session.

Ejemplos resueltos

A 200-room hotel currently uses on-premises Microsoft NPS for staff WiFi authentication via PEAP. They are experiencing authentication timeouts during peak check-in hours and want to migrate to Cloud RADIUS with EAP-TLS for better security and reliability. How should the IT Director architect this migration?

  1. Deploy a Cloud RADIUS tenant and integrate it with the hotel's Microsoft Entra ID via SCIM for automated user lifecycle management. 2. Configure the Cloud RADIUS integrated PKI to issue client certificates. 3. Use the existing MDM (e.g., Intune) to push the Root CA, client certificates, and a new WiFi profile configured for EAP-TLS to all staff devices. 4. Configure the hotel's access points to point to the primary and secondary Cloud RADIUS IPs, using a new, complex 32-character shared secret. 5. Run both the old NPS and new Cloud RADIUS in parallel on different SSIDs for a two-week transition period before decommissioning the on-premise servers.
Comentario del examinador: This approach minimizes risk by running parallel SSIDs during the transition. Moving to EAP-TLS eliminates the credential harvesting risks associated with PEAP, and leveraging MDM for certificate deployment ensures zero friction for the end users. The SCIM integration guarantees that when staff leave, their access is instantly revoked.

A national retail chain with 500 locations needs to ensure PCI DSS compliance for its point-of-sale (POS) terminals, which connect via WiFi. They are moving to Cloud RADIUS. What specific configurations are required to meet compliance?

  1. Implement strict network segmentation: POS terminals must authenticate to a dedicated, hidden SSID mapped to an isolated VLAN. 2. Enforce EAP-TLS authentication for all POS devices to ensure mutual authentication and prevent rogue devices from joining the POS network. 3. Configure the Cloud RADIUS service to retain all accounting logs (Access-Accept, Access-Reject, connection duration) for a minimum of one year, as mandated by PCI DSS. 4. Ensure the RADIUS shared secrets between the branch APs and the Cloud RADIUS service are rotated every 90 days using an automated script.
Comentario del examinador: This solution directly addresses PCI DSS requirements for logical segmentation, strong access control, and auditability. Relying on MAC address filtering is insufficient for compliance; EAP-TLS provides the necessary cryptographic proof of device identity. Retaining accounting logs in the cloud simplifies the audit process for the QSA.

Preguntas de práctica

Q1. Your organisation is migrating from an on-premises Active Directory to Google Workspace. You currently use PEAP-MSCHAPv2 for WiFi authentication. Why is this a problem, and what is the recommended solution?

Sugerencia: Consider how PEAP validates credentials against the directory protocol.

Ver respuesta modelo

PEAP-MSCHAPv2 relies on the NT hash of a user's password, which Google Workspace does not store or expose natively. The recommended solution is to migrate to EAP-TLS using a Cloud RADIUS provider that features an integrated PKI. The Cloud RADIUS service can sync user identities from Google Workspace via SAML/SCIM, and authenticate devices using client certificates rather than passwords.

Q2. A branch office reports that users are experiencing 30-second delays when connecting to the WiFi network, followed by a successful connection. The primary Cloud RADIUS IP in that region is currently undergoing maintenance. What configuration error is causing this delay?

Sugerencia: Look at the communication between the NAS and the RADIUS servers.

Ver respuesta modelo

The NAS (Access Point or Switch) has the RADIUS server timeout configured too high (e.g., 30 seconds). It is waiting for the primary server to respond before failing over to the secondary server. The timeout should be reduced to 3-5 seconds to ensure rapid failover without impacting the user experience.

Q3. You are deploying Cloud RADIUS for a hospital. The security team mandates that only corporate-owned devices can connect to the internal network, even if an employee knows a valid username and password. How do you enforce this?

Sugerencia: Which EAP method verifies the device's identity, not just the user's knowledge?

Ver respuesta modelo

Deploy EAP-TLS. Configure the hospital's MDM solution to push a unique client certificate only to enrolled, corporate-owned devices. Configure the Cloud RADIUS policy to reject any authentication request that does not present a valid certificate signed by the trusted internal PKI, effectively blocking BYOD or rogue devices regardless of password knowledge.