Configure RADIUS load balancing with local RADIUS and Portnox Cloud

Use this task to configure local RADIUS and Portnox Cloud groups for RADIUS load balancing, using Citrix NetScaler as an example.

If you want to load-balance multiple local RADIUS instances, your load balancer must be able to send RADIUS authentication requests to your local RADIUS servers. A common example of this setup uses Citrix NetScaler.

In this configuration, the load balancer checks the availability of local RADIUS instances by sending authentication requests using dedicated test accounts. These requests help the load balancer decide which RADIUS server is working correctly.

  1. Create one or more user accounts in your authentication repository that are used only for RADIUS load-balancing tests.

    These accounts are not used by real users and exist only to test RADIUS connectivity.

  2. Map the test user account or accounts in Portnox Cloud to a dedicated group.

    Assign this group minimal privileges. The group is used only for load-balancing checks.

  3. Configure the Portnox Cloud group used for load balancing to allow VPN access.

    This is required because the test authentication requests sent directly to the RADIUS server are treated as VPN authorization requests. If VPN access is not allowed, you may see alerts such as "VPN access not allowed by group settings".

  4. Configure your load balancer to send RADIUS authentication requests to local RADIUS servers using the test account credentials.

    The load balancer sends these requests to determine which local RADIUS instance is available.

  5. Verify that the load balancer receives a response from the local RADIUS instance.

    When a response is received, the load balancer treats the local RADIUS server as operational and able to handle real authentication traffic.

After completing these steps, your load balancer can correctly determine which local RADIUS instances are available and distribute authentication requests accordingly.
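The probe described in steps 4 and 5 can be reproduced outside the load balancer to check a local RADIUS instance by hand. The following Python sketch is an added example, not Portnox or Citrix code: it builds a PAP Access-Request as defined in RFC 2865 and classifies the reply, and it also verifies the Response Authenticator so that a reply made with the wrong shared secret is not counted as a healthy server. The account name, password, shared secret and function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (PAP)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16 bytes
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def build_probe(ident: int, user: str, password: str, secret: bytes):
    """Return (packet, request_authenticator) for one health-check request."""
    request_auth = os.urandom(16)
    hidden = hide_password(password.encode(), secret, request_auth)
    attrs = b""
    for attr_type, value in ((1, user.encode()), (2, hidden)):  # User-Name, User-Password
        attrs += bytes([attr_type, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def classify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """Classify a reply datagram as 'up', 'rejected' or 'invalid'."""
    if len(reply) < 20:
        return "invalid"
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return "invalid"
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"  # wrong shared secret, or a forged or corrupted reply
    if code == ACCESS_ACCEPT:
        return "up"
    return "rejected" if code == ACCESS_REJECT else "invalid"

if __name__ == "__main__":
    # Constructed values: the test account, password and shared secret are placeholders.
    packet, auth = build_probe(7, "lb-probe", "example-password", b"example-secret")
    print(len(packet), packet[:4].hex())
```

A `rejected` result means the server answered but refused the test account, which is what the missing VPN access setting from step 3 would look like from the probe's side.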