Network device onboarding
RADIUS, 802.1X, MAB, guest WiFi, DHCP relay and AAA dead-server detection for the top SME network device vendors. Connecting via the Arbiter Edge RadSec appliance: no per-vendor SDK, no plugin, no inbound firewall rule.
How Arbiter connects to your network
Arbiter is a cloud-hosted, multi-tenant RADIUS service. Your switches and access points never talk to the cloud directly. Instead, they talk to one or more Arbiter Edge appliances on your LAN over standard RADIUS UDP. The Edges tunnel everything to Arbiter cloud over a mutually-authenticated TLS connection (RadSec, RFC 6614, TCP/2083).
Recommended deployment
- Two Edge appliances per site in active/active. Both terminate RADIUS independently. Configure each network device with both Edges as RADIUS servers.
- Same tenant PSK on both Edges. No per-device reconfiguration during failover.
- DHCP helper to both Edges alongside your real DHCP server. The Edge only listens; it never responds, so adding it to the helper list has zero impact on DHCP service.
What you configure on every device
The integration surface is small. Everything else in the per-vendor guides is just the same handful of settings in each platform's native syntax.
| Setting | Value |
|---|---|
| RADIUS server (primary) | Edge appliance #1 LAN IP |
| RADIUS server (secondary) | Edge appliance #2 LAN IP |
| Auth port | 1812/udp |
| Accounting port | 1813/udp |
| CoA port | 3799/udp (some Cisco WLCs use 1700) |
| Shared secret | Tenant PSK from your Arbiter portal |
| DHCP helper / relay | Edge #1 and #2 LAN IPs (plus your real DHCP server) |
| Captive portal URL | https://<shortname>-<portal-id>-guest.arbiter.ie/ |
AAA dead-server detection
The default RADIUS timeout / retry behaviour on most platforms produces 15+ seconds of auth delay before the NAS tries the secondary server. With two Edges per site, the recommended cadence is: declare a server dead after a 30-second window across four consecutive attempts, then hold the dead flag for 3 minutes before retrying.
The canonical pattern on Cisco IOS:
! 1. Declare the server dead after 30s with no reply across 4 attempts
radius-server dead-criteria time 30 tries 4
! 2. Hold the dead flag for 3 minutes before retrying
radius-server deadtime 3| Setting | Recommended |
|---|---|
| Dead-criteria window | 30 seconds |
| Dead-criteria attempts | 4 consecutive failed tries |
| Dead time | 3 minutes |
| Active probe | Enabled where the vendor supports it (e.g. Cisco automate-tester, AOS-CX radius-server tracking) |
Per-vendor syntax for each setting is in the per-vendor pages linked below. Vendors with no formal dead-criteria knob (Omada, MikroTik) document the limitation inline.
Message-Authenticator
Arbiter cloud enforces Message-Authenticator (RFC 3579 §3.2) on every tenant FreeRADIUS client block. This defends against the BlastRADIUS class of attacks (CVE-2024-3596).
Validation checklist
Once a device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes.
Expand the five checks
1. RADIUS reachability
- In the Arbiter tenant portal, open the NAS Devices tab. The newly configured switch or AP should appear within seconds of its first auth attempt.
- The Source IP column should show the NAS LAN IP. If it shows the Edge IP instead, the NAS isn't reaching the Edge directly. Check L2/L3 path and ACLs.
2. Authentication outcome
- Open the Auth Log tab. Each device that tries to authenticate appears with timestamp, MAC, NAS, auth method (MAB or dot1x) and policy outcome.
- An Access-Accept with a Tunnel-Private-Group-Id means VLAN assignment worked end-to-end.
- An Access-Reject with no policy match means the device fell through every policy. Usually a missing default-allow or a deliberate Tier 1 reject.
3. DHCP fingerprinting
- Open the device's drawer in the Devices tab. Within a minute of DHCP traffic, the Vendor, Profile and Hostname fields should populate.
- If they don't, the Edge isn't receiving DHCP. Recheck the ip helper-address list on the VLAN's SVI.
4. CoA delivery
- Trigger a CoA from the portal: select an endpoint then Actions then Disconnect, or change its policy to force a VLAN change.
- The CoA Actions tab shows the dispatch state.
delivered_atpopulated means the frame was written to the tunnel; a NAS ACK appears as a separate audit-log entry. - If the action stays queued, check the NAS's CoA listener (
dynamic-author/dyn-authorization/radius-coa) and the per-NAS CoA port in the Arbiter portal.
5. Dead-server failover
- Stop one Edge appliance (
systemctl stop arbiter-edge). - Trigger an auth from a wired or wireless client.
- In the Auth Log, the request should be served by the surviving Edge (visible via the Source IP of the inbound RadSec tunnel).
- Restart the Edge. After dead-time expires (5 minutes with the recommended config), traffic should rebalance.
Glossary
Expand acronyms and protocol terms
| Term | Meaning |
|---|---|
| 802.1X | IEEE port-based network access control. The supplicant (client) authenticates to the authenticator (switch / AP) which proxies credentials to a RADIUS server. |
| MAB | MAC Authentication Bypass. RADIUS authentication using the device MAC as the username, used for devices that cannot do 802.1X (printers, IoT, some phones). |
| EAP-TLS | Certificate-based 802.1X variant. Both supplicant and server present X.509 certificates. |
| RadSec | RFC 6614. RADIUS over TLS over TCP/2083. mTLS variant used between Arbiter Edge and Arbiter cloud. |
| CoA | Change-of-Authorisation, RFC 5176. Server-initiated message to a NAS to alter or terminate an existing session. |
| NAS | Network Access Server. RADIUS term for the device a client physically connects to (a switch, AP or wireless controller). |
| Message-Authenticator | RFC 3579 / RFC 2869 attribute 80. HMAC-MD5 over the RADIUS packet; defends against CVE-2024-3596 (BlastRADIUS). |
| Edge appliance | Customer-side VM or physical appliance that terminates RADIUS UDP from the LAN and tunnels to Arbiter cloud over RadSec. |
| Tenant PSK | RADIUS shared secret. One per Arbiter tenant. Used between NAS and Edge. |
Don't see your vendor?
We add vendor guides on demand. If you're integrating Arbiter with kit not covered here, email support@arbiter.ie with the platform name and model and we will review it for a write-up.
Spotted something wrong in one of the guides above? Let us know at support@arbiter.ie with the vendor and the line that's off and we will correct it.