# Nile RADIUS as a Service: Technical Overview

## 1. Why Nile RADIUS as a Service vs. traditional on-prem NAC (Aruba ClearPass, Cisco ISE)

Traditional RADIUS solutions such as Aruba ClearPass or Cisco ISE are powerful but complex platforms that require significant infrastructure, ongoing maintenance, and expertise. By contrast, Nile RADIUS as a Service simplifies this model by delivering authentication and authorization entirely from the cloud.

Key advantages:

- **Eliminates on-prem hardware and VM maintenance.** There is no need to deploy, scale, or patch dedicated NAC appliances or servers. RADIUS as a Service is always up to date, fault tolerant, and highly available. The AAA functionality provided by the incumbents can suffer from split-brain and database replication issues, because nodes within a cluster are managed by proprietary logic. These issues do not affect Nile RADIUS, which uses hardened cloud database services to ensure reliability and consistency.
- **Simplified integration.** Traditional deployments require manually configuring shared secrets, NAS IP addresses, RADIUS server IPs, or RadSec proxies. With Nile's tightly integrated design, none of this is required: it just works with Nile Access Service.
- **Faster rollout.** New sites can be onboarded without standing up additional infrastructure. Authentication and authorization services are instantly available everywhere your Nile Access infrastructure runs.
- **Cloud-scale security.** All communication between Nile infrastructure and RADIUS as a Service is carried over encrypted gRPC tunnels, avoiding the need to set up RadSec (in most traditional deployments, RADIUS traffic is left unencrypted). Customers do not need to secure RADIUS traffic with additional measures.
- **Operational efficiency.** Instead of a team of NAC specialists maintaining a complex rules engine, customers can use Nile's simplified policy framework to achieve the same outcomes in fewer steps.

## 2. How Nile RADIUS as a Service differs from cloud NAC platforms (Portnox, SecureW2, etc.)

Cloud NAC platforms like Portnox or SecureW2 are designed to work across many infrastructure vendors. While flexible, this vendor-agnostic model introduces complexity: admins still have to configure and maintain the integration points (NAS IPs, certificates, shared secrets, tunnels).

Nile's approach is different:

- **Built in with Nile Access Service.** Our RADIUS as a Service is an add-on that only works with Nile Access Service. This tight coupling eliminates the integration overhead and the risk of misconfiguration.
- **No setup between infrastructure and RADIUS.** With traditional networks, admins must explicitly configure how the infrastructure communicates with RADIUS (shared secrets, NAS IPs, RadSec setup). With Nile, this step disappears; the communication channel is already securely established.
- **End-to-end encryption by default.** Even though RADIUS as a Service runs in the cloud, all transactions are encrypted inside the existing gRPC tunnels that Nile Access uses. RADIUS traffic is never exposed across the internet.

This architecture gives customers the benefits of cloud scale and reliability without added complexity.

## 3. Key features

### Step 1: Authentication

**Supported method:** EAP-TLS.

**How it works:** Customers upload their server certificate and private key. End-user devices and IoT systems authenticate using mutual TLS, ensuring strong, certificate-based identity validation.

Please ensure you have the following before you begin:

- Server certificate
- Private key
- Optionally, a CA certificate

**Demo mode for rapid testing.** Nile RADIUS as a Service provides a demo mode in which certificates for both the server and the clients are auto-generated with a single click. Three client certificates are created, each with a unique email, and they can be downloaded directly to devices for testing. The certificates are valid for 7 days and can be regenerated at any time.

Advantage: enables a quick proof of concept and validation without requiring certificates from your external CA.

Demo mode and production certificates cannot be active at the same time; only one mode may be used.

### Step 2: Authorization

**Policy-based access control.** Policies are created using attributes such as:

- SCIM group membership
- Intune compliance status
- Certificate attributes (e.g., CN, OU)
- SSID / wired

**Dynamic policy evaluation.** Policies are evaluated at the time of authentication, ensuring real-time enforcement of access decisions.

**Actions after a match:**

- Accept or reject access
- Assign to specific segments
- Apply Palo Alto tags for firewall integration

This gives admins fine-grained control over who gets on the network and what access they have.

Figure: ladder diagram of how the traffic flows (not reproduced in this text).

## 4. Expanded use cases

### Use case 1: Segregating employees and contractors on the same SSID

Many organizations want to keep the wireless experience simple for end users by providing a single corporate SSID. Behind the scenes, however, they often need to ensure that different types of users (for example, full-time employees vs. contractors) have different levels of access to resources.

With Nile RADIUS as a Service, this is achieved through policy sets. When a user authenticates with EAP-TLS, the system checks multiple attributes:

- **SSID name:** ensures the user is connecting to the corporate Wi-Fi.
- **Intune compliance:** validates that the device meets company security standards (e.g., correct OS version, not jailbroken, up-to-date patches).
- **SCIM group membership:** identifies whether the user belongs to the "employees" group or the "contractors" group.

If the attributes match the employee policy set, the user is accepted and assigned to the employee segment, which might have full access to internal applications. If the attributes match the contractor policy set, the user is assigned to the contractor segment, which might only allow access to email and limited corporate applications.

**Outcome:** Both groups connect to the same SSID without confusion, but they are automatically separated into the right network segment with the right access privileges. No manual segment assignments or SSID sprawl are needed.

**Employee policy set:**

- SSID name = "corp wifi"
- Intune compliance state = true
- SCIM groups = employees
- → Accept and assign employee segment

**Contractor policy set:**

- SSID name = "corp wifi"
- Intune compliance state = true
- SCIM groups = contractors
- → Accept and assign contractor segment

### Use case 2: Restricting access to active employees only (dynamic SCIM integration)

Organizations often need to ensure that only active employees can connect to the network. When an employee leaves the company or their account is disabled, access should be revoked immediately to maintain security.

With Nile RADIUS as a Service, this is achieved through dynamic SCIM integration:

- Nile connects directly to the organization's identity provider (IdP) using SCIM.
- As soon as a user is disabled in the IdP, the IdP notifies the Nile cloud.
- Nile automatically terminates that user's active session and revokes network access in real time.

From an admin's perspective, the policy is simple: if the user is in the employees SCIM group and is an active user, then allow access. Because the corporate SSID is already mapped to a single segment, no explicit segment assignment is needed; SCIM group membership combined with active user status governs access.

**Outcome:**

- **Instant off-boarding:** disabled or inactive users lose connectivity immediately.
- **Real-time security:** no risk of inactive accounts remaining connected.
- **Seamless on-boarding:** new hires gain access the moment they are added to the IdP group and activated.

This ensures that network access is always aligned with both group membership and account status, without any delay or manual intervention.

**Policy set:** SCIM groups = employees AND active = true → Accept (the user is placed in the segment already mapped to the corporate SSID).

### Use case 3: IoT device segmentation using certificates

IoT devices such as IP cameras, printers, medical equipment, or barcode scanners often support 802.1X but do not have an end-user identity tied to them. These devices need to be on-boarded in a way that ensures they are properly segmented from user devices.

With Nile RADIUS as a Service, admins can leverage certificate attributes for classification. For example, IoT devices can be issued certificates where the CommonName field contains a category string like "camera" or "scanner". A policy set can then be defined: if the certificate CN contains "camera", place the device in the camera segment. Similar policies can be created for printers, sensors, or other device categories.

**Outcome:** IoT devices automatically end up in the appropriate segment with the right access controls, which also eliminates SSID sprawl. For instance:

- Cameras can only reach the video management server.
- Printers can only talk to the print server.
- Medical devices can only access the approved application servers.

This prevents IoT devices from having broad access to the corporate network, reducing the attack surface and meeting compliance requirements.

**Example policy set:** Certificate CommonName contains "camera" → Accept and assign camera segment.

### Use case 4: Gradual migration from an existing NAC solution

Many enterprises already use a legacy NAC solution (such as ClearPass or ISE) and want to migrate to Nile RADIUS as a Service without disrupting ongoing operations. Nile makes this possible by allowing customers to run both systems in parallel during the transition.

- **Wireless:** For new sites, map SSIDs to Nile RADIUS. These sites will immediately start using Nile RADIUS as a Service. Existing sites can continue using their legacy RADIUS solution until you are ready to migrate them.
- **Wired:** For wired 802.1X, Nile provides a "wired dot1x" checkbox. If this is enabled, your existing NAC solution continues to handle wired authentication; if it is not enabled, Nile RADIUS takes over. This ensures that wired authentication flows can be migrated in a controlled manner.

**Outcome:** Customers can migrate at their own pace. They can bring new sites online with Nile RADIUS from day one while gradually transitioning older sites. This avoids a risky "big bang" migration and lets admins test and refine policies before rolling them out widely.

### Use case 5: Enforcing policies with Palo Alto firewalls using tags

Some organizations centralize all of their access and security enforcement on Palo Alto firewalls, where policies are built around tags. Nile RADIUS as a Service integrates with Palo Alto firewalls: a policy set can be created whose match criteria reference SCIM groups. Based on the SCIM group membership, Nile RADIUS attaches the corresponding Palo Alto tag during authorization. The firewall receives the tag exactly as expected, so no changes are needed to existing firewall policies.

**Example policy set:** SCIM groups = sales AND active = true → Accept and assign Palo Alto tag = "ent sales".

**Outcome:**

- **Zero firewall changes:** existing Palo Alto policies continue to work without modification.
- **Consistent enforcement:** tags set in Nile RADIUS match the firewall's security model.
- **Streamlined policy management:** identity and network access decisions happen in Nile, while enforcement continues in Palo Alto using familiar tags.

This ensures a smooth hand-off between authentication/authorization in Nile and enforcement in the firewall, without disrupting established security practices.

## 5. High-level workflow to set up an SSID with Nile RADIUS

1. **Upload certificates.** Navigate to Network Setup → Authentication → Nile RADIUS. Upload the server certificate and private key, then save.
2. **Create segments.** Define network segments and map them to Nile RADIUS and DHCP.
3. **Configure SSID.** Create SSID(s) and map them to one or more segments. For wired 802.1X, segment mapping is sufficient (no SSID is needed).
4. **Create policies (optional but recommended).** Define policy sets based on SSID, Intune, SCIM (e.g., employees AND active = true), or certificate attributes. Assign actions (accept → segment assignment, reject, timeout, Palo Alto tags).

## FAQ

**Q: Does the Nile RADIUS service run in the cloud or on-prem?**
A: The Nile RADIUS service runs entirely in the cloud.

**Q: Are the transactions between the on-prem components and the cloud encrypted?**
A: Yes. All communication is encrypted using secure gRPC tunnels established between the Nile Service Block and the Nile cloud.

**Q: What ports need to be opened?**
A: Only outbound TCP 443 is required.

**Q: Is RADIUS accounting supported?**
A: Yes. Nile uses RADIUS accounting to update key session parameters (such as IP addresses) in the cloud.

**Q: Is Nile RADIUS monitored?**
A: Yes. Nile RADIUS is monitored every minute from every site, reporting availability and transaction latency.

**Q: What happens when the internet goes down?**
A: Existing authenticated sessions remain active, and devices continue roaming seamlessly due to the locally cached PMK. New or re-authentication attempts will not work until connectivity is restored.

**Q: Can we see detailed logs of all transactions?**
A: Yes. Detailed logs are available on both the device details page and the RADIUS monitoring page.

**Q: What EAP types are supported?**
A: Nile currently supports EAP-TLS (certificate-based authentication). Additional EAP methods will be supported in the future.

**Q: Does Nile support end-user on-boarding?**
A: Nile does not operate a PKI. On-boarding workflows, such as certificate enrollment, distribution, and renewal, must be performed through your existing MDMs.

**Q: How does demo mode (demo certificates) work?**
A: Demo mode auto-generates a server certificate and three unique client certificates for quick EAP-TLS testing; no external CA is required. The certificates are valid for 7 days and can be regenerated. Only demo mode or production certificates can be active at one time.

**Q: Does Nile RADIUS support SCIM?**
A: Yes. Nile integrates with SCIM-enabled IdPs such as Azure AD and Okta. SCIM provides real-time user and group updates to enforce dynamic access policies.

**Q: How quickly does Nile react when a user is disabled in the identity provider?**
A: SCIM updates are immediate. When a user is disabled, Nile instantly revokes access and terminates active sessions.

**Q: What MDM and/or EDR solutions does Nile support?**
A: Today, Nile integrates natively with Microsoft Intune for device compliance and posture checks. Support for additional MDM and EDR platforms will be added in future releases.

**Q: Can Nile send role-based or group-based tags to Palo Alto firewalls?**
A: Yes. Nile can send Palo Alto tags, leveraging the Palo Alto XML API, based on SCIM groups, allowing firewalls to apply existing policies without modification.

**Q: Does Nile support wired 802.1X?**
A: Yes. You can build dedicated policy sets for wired devices such as printers, VoIP phones, and IoT equipment.

**Q: Does Nile RADIUS support guest and temporary access like ClearPass and ISE?**
A: Guest access is provided natively through Nile Access Service and is independent of the RADIUS service.

**Q: Do we need to configure RADIUS IPs, shared secrets, RadSec, or port settings?**
A: No. As a full-stack solution, Nile eliminates all traditional RADIUS infrastructure configuration. The Service Block automatically establishes a secure connection to the cloud RADIUS service.

**Q: Is the RADIUS service redundant?**
A: Yes. Nile RADIUS runs in a resilient cloud architecture with automatic fail-over.

**Q: How scalable is the service?**
A: Nile RADIUS scales automatically to support large authentication bursts across multiple sites.

**Q: Does Nile support devices that do not use 802.1X?**
A: Methods such as MAC-based authentication and UPSK are supported for IoT and legacy devices natively through Nile Access Service, independent of the RADIUS service.
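The policy-set logic that the use cases above share (employee/contractor split on one SSID, the active-employee check via SCIM, IoT classification by certificate CN, and Palo Alto tagging) can be modelled as a small first-match evaluator. This is an added illustration, not Nile's code or API; the attribute names, the first-match ordering and the fail-closed default are assumptions of this example.

```python
# Toy evaluator for the policy sets described in the use cases above.
# Constructed example, not Nile's implementation; attribute names, the
# first-match rule and the reject-when-nothing-matches default are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AuthContext:
    cert_cn: str                              # CN from the client's EAP-TLS certificate
    ssid: Optional[str] = None                # None for wired 802.1X
    scim_groups: set = field(default_factory=set)
    active: bool = True                       # account status from the IdP via SCIM
    intune_compliant: Optional[bool] = None   # None when Intune has no record

@dataclass
class Decision:
    accept: bool
    segment: Optional[str] = None
    palo_alto_tag: Optional[str] = None

@dataclass
class PolicySet:
    name: str
    match: dict        # every listed criterion must hold (AND)
    decision: Decision

def matches(policy: PolicySet, ctx: AuthContext) -> bool:
    m = policy.match
    checks = [
        ("ssid", lambda v: ctx.ssid == v),
        ("intune_compliant", lambda v: ctx.intune_compliant is v),  # unknown (None) never equals True
        ("scim_group", lambda v: v in ctx.scim_groups),
        ("active", lambda v: ctx.active is v),
        ("cn_contains", lambda v: v.lower() in ctx.cert_cn.lower()),  # case-folded: this example's choice
    ]
    return all(test(m[key]) for key, test in checks if key in m)

def evaluate(policy_sets, ctx: AuthContext):
    """First matching policy set wins; a client matching none is rejected (fail closed)."""
    for p in policy_sets:
        if matches(p, ctx):
            return p.name, p.decision
    return "no-match", Decision(accept=False)

# Policy sets taken from use cases 1, 3 and 5 above.
POLICY_SETS = [
    PolicySet("employee", {"ssid": "corp wifi", "intune_compliant": True, "scim_group": "employees"},
              Decision(True, segment="employee")),
    PolicySet("contractor", {"ssid": "corp wifi", "intune_compliant": True, "scim_group": "contractors"},
              Decision(True, segment="contractor")),
    PolicySet("camera", {"cn_contains": "camera"}, Decision(True, segment="camera")),
    PolicySet("sales-tag", {"scim_group": "sales", "active": True},
              Decision(True, palo_alto_tag="ent sales")),
]
```

Because this evaluator is first-match, a user in both the employees and sales SCIM groups receives the employee decision and never the sales tag; the order of policy sets is part of the policy.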