Wow, thanks for this! I couldn’t find any information about this online. I don’t think getting a new subscription is an option for us. I read somewhere that we can authorize TCP for RADIUS, right? If that’s not the case, I should consider trying another provider (GCP?) or setting up something on-premise, but that would limit the ability to connect other cities to this RADIUS server. Thanks for the answer! On Wed 18 Sep 2024 at 06:50, George Benjin <george.benjin@gmail.com> wrote:
You need to be very careful running a RADIUS server in Azure if you're using RADIUS/UDP.
Azure has a network security feature on by default that drops fragmented UDP packets that arrive out of order. This negatively impacts RADIUS/UDP traffic.
To give you an example, at least 20% of EAP-TLS auth attempts were failing for us in the cert auth phase due to this issue.
Azure support can turn on the 'enable-udp-fragment-reordering' feature by request after providing packet captures and use case info etc. They will also only turn it on in a brand new subscription that's dedicated to running VMs that require this feature. After we did this, our auth success rate increased to 100%.
Another thing to be wary of is setting 'tls_max_version' to 1.3. Windows 11 supports TLS 1.3 by default for EAP-TLS etc but does not yet support session resumption when using this protocol (see
https://learn.microsoft.com/en-us/windows-server/networking/technologies/ext... ). It's worth dropping the Max version to 1.2. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html