Skip to content

EasyRadius FAQ

General Questions

What is EasyRadius?

EasyRadius is an Azure-based SaaS RADIUS service that provides EAP-TLS certificate-based authentication for enterprise Wi-Fi and LAN. It is fully cloud-hosted, requires no on-premises infrastructure, and is available as a monthly or yearly subscription through the Azure Marketplace.

What authentication methods does EasyRadius support?

EasyRadius supports EAP-TLS, which uses client certificates for authentication. This provides strong, per-device authentication and eliminates the need for passwords or pre-shared keys.

How does EasyRadius integrate with EasyScep?

EasyScep is Just Software's SaaS Certificate Authority for Microsoft Intune. EasyScep issues client certificates to your managed devices, and EasyRadius validates those certificates when devices connect to your Wi-Fi or LAN. The two products work together out of the box — EasyRadius supports any CA with public CRL/OCSP endpoints, including EasyScep.

How do I subscribe to EasyRadius?

EasyRadius is available on the Azure Marketplace. You can subscribe directly from the Azure Portal. See our On-boarding Guide for step-by-step instructions.

How do I add RADIUS clients?

After completing the on-boarding wizard, log in to the administration portal at https://portal.just-software.com. Under Settings, add a client entry for each network device (access point, switch, or VPN gateway) that will send authentication requests to EasyRadius. Each client requires the public IP address it connects from and a shared secret.

Security Questions

Why doesn't EasyRadius support Entra ID password authentication?

This is a deliberate security decision. Authenticating WiFi users with Entra ID credentials (via EAP-PEAP/MSCHAPv2) introduces significant risks: the credentials pass through RADIUS infrastructure, MSCHAPv2 is vulnerable to offline cracking, WiFi cannot trigger MFA prompts, and users are exposed to evil twin credential harvesting attacks. EAP-TLS with device certificates avoids all of these problems — no user credentials are ever transmitted, mutual authentication prevents rogue access points, and devices prove they are enrolled and managed rather than just that someone knows a password.

See Why EasyRadius Uses Certificate-Based Authentication for the full technical and architectural explanation.

Am I affected by the AirSnitch WiFi vulnerability?

AirSnitch (disclosed February 25, 2026, NDSS Symposium) is a research framework that bypasses WiFi client isolation across virtually all tested access points and devices — including enterprise networks.

EasyRadius customers using EAP-TLS are significantly less exposed than password-based deployments, but not fully immune:

  • Protected: The most dangerous enterprise attack — intercepting RADIUS traffic, brute-forcing the shared secret, and deploying rogue infrastructure to steal credentials — does not work against EAP-TLS. Client devices verify the server's certificate before authenticating, so a rogue RADIUS server cannot impersonate your legitimate infrastructure. There are also no passwords to steal from intercepted EAP-TLS exchanges.

  • Not protected: The underlying client isolation bypass (MitM positioning between connected clients) affects all WiFi networks regardless of authentication method.

See the full AirSnitch impact assessment and mitigation guide for detailed recommendations.

EAP-TLS Authentication Troubleshooting

Windows Devices

Common Issues

  • Certificate not found in personal store
  • Wrong certificate selected for authentication
  • Network adapter configuration problems
  • RADIUS server connectivity issues
  • TPM broken - try storing client certificate in software store

Troubleshooting Steps

  • Certificate Verification:

    • Open certmgr.msc
    • Check Personal store for client certificate
    • Verify certificate chain is valid
    • Confirm certificate has Client Authentication EKU

  • Network Configuration:

    • Check WLAN/LAN profile settings
    • Verify EAP-TLS settings
    • Confirm RADIUS server details
    • Test basic network connectivity

  • Event Viewer:

    • Check System logs
    • Review Network category events
    • Look for EAP/RADIUS errors

iOS/iPadOS Devices

Common Issues

  • Profile installation failures
  • Certificate trust issues
  • Wi-Fi profile misconfiguration
  • Authentication timeouts

Troubleshooting Steps

  1. Profile Verification:

    • Check Settings > General > Profiles
    • Verify certificate installation
    • Confirm profile is trusted
    • Review Wi-Fi configuration

  2. Network Settings:

    • Remove and re-add network profile
    • Verify EAP-TLS settings
    • Check server certificate validation
    • Test with different networks

  3. Diagnostics:

    • Check Settings > Wi-Fi logs
    • Review profile installation logs
    • Test with Apple Configurator

Android Devices

Common Issues

  • Certificate storage location problems
  • Network security type selection
  • CA certificate trust issues
  • EAP configuration errors

Troubleshooting Steps

  1. Certificate Management:

    • Check Settings > Security > Certificates
    • Verify certificate installation location
    • Confirm certificate permissions
    • Test with system/user certificates

  2. Wi-Fi Settings:

    • Use WPA2/WPA3-Enterprise
    • Select EAP-TLS method
    • Choose correct client certificate
    • Verify server validation

  3. Advanced Diagnostics:

    • Enable Developer Options
    • Check Wi-Fi verbose logging
    • Review system logs
    • Test with different Android versions

Network Equipment Configuration

Common Issues

  • Wrong RADIUS server IP/port
  • Incorrect shared secret
  • Missing RADIUS attributes
  • Certificate validation failures

Troubleshooting Steps

  1. RADIUS Configuration:

    • Verify server IP and port (default: 1812)
    • Check shared secret matches
    • Confirm NAS identifier
    • Test with RADIUS test tools

  2. Certificate Settings:

  3. Review root CA trust
  4. Check certificate revocation
  5. Verify OCSP/CRL access

  6. Test with different certificates

  7. Network Settings:

    • Check VLAN configuration
    • Verify authentication timeout
    • Review logging settings
    • Test basic connectivity

General Tips

  1. Always verify:

    • Certificate validity dates
    • Certificate key usage flags
    • Network connectivity
    • RADIUS server status

  2. Common solutions:

    • Reinstall client certificate
    • Reset network settings
    • Clear cached credentials
    • Update device OS

  3. Getting Support:

    • Collect relevant logs
    • Document exact error messages
    • Note device details
    • Contact support@just-software.com