RADIUS Caching & Failover
Overview
RADIUS caching keeps the result of a successful authentication (derived key material such as the PMK, plus the authorization attributes the RADIUS server returned) locally on access points or controllers, enabling fast reauthentication and continued operation during RADIUS server outages. It improves network performance, reduces authentication latency, and provides business continuity during network failures or cloud service disruptions. Note that with EAP methods the access point never sees the user's password, so what is cached is key material and policy, not credentials.
IronWifi RADIUS infrastructure supports comprehensive caching strategies with intelligent failover mechanisms, ensuring uninterrupted WiFi access even when cloud connectivity is temporarily lost.
Key Benefits
Performance Optimization
- Reduced authentication time (50-90% faster)
- Lower network latency
- Decreased RADIUS server load
- Improved roaming performance
- Better user experience
High Availability
- Continued operation during RADIUS outages
- Local failover without connectivity loss
- Automatic recovery when service restored
- Zero-downtime authentication
- Business continuity assurance
Scalability
- Handle authentication bursts (event starts, shift changes)
- Reduce peak load on RADIUS servers
- Support remote/branch offices with limited connectivity
- Enable large-scale deployments
- Cost-effective infrastructure
Reliability
- Eliminate single point of failure
- Survive internet outages
- Maintain WiFi during WAN failures
- Support disaster recovery
- Meet uptime SLAs (99.9%+)
How RADIUS Caching Works
Authentication Flow with Caching
Initial Authentication (Cache Miss):
1. Client connects to WiFi
↓
2. AP/Controller forwards credentials to RADIUS
↓
3. RADIUS validates credentials (IronWifi cloud)
↓
4. RADIUS returns Access-Accept + attributes
↓
5. AP/Controller caches authentication result
- Username/MAC address
- Derived key material (PMK) and, only where the NAS itself handled a password (PAP or MAC auth), a protected verifier; never the plaintext password, and with EAP the NAS never sees one
- Session timeout
- VLAN assignment
- Bandwidth limits
- Cache expiration time
↓
6. Client authenticated and connected
Subsequent Authentication (Cache Hit):
1. Client reconnects (roaming or new session)
↓
2. AP/Controller checks local cache
↓
3. If match found and not expired:
- Authenticate locally (under 100ms)
- Apply cached attributes
- Skip RADIUS query
↓
4. If cache miss or expired:
- Query RADIUS server
- Update cache
- Authenticate normally
RADIUS Server Unavailable:
1. Client attempts authentication
↓
2. AP/Controller queries RADIUS
↓
3. RADIUS unreachable (timeout on every configured server; an Access-Reject is not a failure condition and must never fall through to the cache)
↓
4. Fallback to local cache
↓
5. If cached entry valid:
- Authenticate from cache
- Grant network access
- Continue operation
↓
6. If no cache entry:
- Deny access (secure mode)
- OR allow limited access (permissive mode: this is unauthenticated access, so confine it to a quarantine/guest VLAN and log every grant)
Cache Types
PMK Caching and Opportunistic Key Caching (OKC)
Concept:
- Caches the Pairwise Master Key (PMK) produced by the initial 802.1X exchange, indexed by PMKID
- Used for fast reauthentication: the client presents a PMKID and goes straight to the 4-way handshake
- Standard PMK caching (802.11i) only helps when the client returns to the same AP; OKC is a vendor extension that lets APs under the same controller reuse the PMK
- Specific to 802.1X/WPA-Enterprise (WPA2-Personal has no per-session PMK worth caching)
Process:
1. Initial 802.1X authentication
2. PMK derived from authentication
3. PMK cached on AP
4. Client returns to an AP that holds its PMK (the same AP with plain PMK caching; any AP in the group with OKC)
5. PMK reused for 4-way handshake
6. Skip EAP authentication
7. Fast reconnection (under 100ms)
Benefits:
- Very fast roaming
- Reduced RADIUS load
- Better VoIP/video performance
- Seamless user experience
Limitations:
- Plain PMK cache is per AP; OKC spreads it controller-wide but is not part of the standard
- Requires client support (the client must send the PMKID)
- Limited to same SSID
- Lifetime is bounded by the RADIUS Session-Timeout; vendor defaults range from tens of minutes to several hours
Credential Caching
Concept:
- Caches the outcome of an authentication so the NAS can decide locally during an outage
- What can be cached depends on the method: with EAP (PEAP, EAP-TLS) the NAS only relays the tunnel and sees the resulting key material and attributes, not the password; with MAC authentication or PAP the NAS handles the credential directly
- Survives RADIUS outages
- Controller or AP based
Storage:
- Username
- Protected password verifier, only for methods where the NAS saw a password (never plaintext)
- Or certificate fingerprint
- MAC address
- Authentication timestamp
- RADIUS attributes (VLAN, etc.)
- Cache expiration time
Security:
- Encrypted storage
- Never plaintext passwords; where the NAS holds no password (EAP) there is nothing to brute-force offline
- Configurable cache lifetime
- Automatic expiration
- Secure deletion on cache clear
Benefits:
- Complete offline authentication
- Full RADIUS server failover
- Maintains network access
- Applies RADIUS attributes locally
Limitations:
- Storage capacity (1,000-10,000 entries)
- Stale data if policies change
- Cache synchronization needed
- Security considerations
802.11r Fast Transition (FT) Cache
Concept:
- Caches authentication state for mobility
- Enables sub-50ms roaming
- Works with PMK caching
- Controller-wide distribution
Implementation:
1. Initial 802.1X authentication yields the MSK, from which the PMK-R0 is derived
2. The R0 Key Holder (R0KH, normally the controller) stores the PMK-R0
3. Per-AP PMK-R1 keys are derived from it and pushed to the R1 Key Holders (the APs) in the mobility domain
4. Client roams to a new AP
5. The FT handshake uses the PMK-R1 already in place (over-the-air or over-the-DS)
6. No RADIUS query needed
Benefits:
- Seamless roaming (under 50ms)
- No dropped VoIP calls
- Better video conferencing
- Enhanced user mobility
Requirements:
- 802.11r support on AP and client
- Mobility domain configuration
- Controller or distributed architecture
- Modern WiFi infrastructure
Session Caching (RADIUS Accounting)
Concept:
- Caches active session state
- Enables session persistence
- Supports graceful failover
- Accounting continuity
Cached Data:
- Session ID
- Username
- MAC address
- IP address
- Start time
- Bytes in/out
- VLAN assignment
- QoS policies
Purpose:
- Maintain sessions during failover
- Continue accounting offline
- Prevent disconnections
- Buffer accounting data
- Sync when RADIUS available
Typical Duration:
- Active sessions: Until logout
- Idle timeout: 30-60 minutes
- Hard timeout: 8-24 hours
- Accounting updates: Every 5-10 minutes
Configuration
IronWifi RADIUS Configuration
Enable Caching Support
IronWifi Console:
Navigation: Networks → [Your Network] → RADIUS Settings
RADIUS Caching:
├─ Enable RADIUS Caching: ✓
├─ Cache Lifetime: 3600 seconds (1 hour)
├─ Max Cache Entries: 10,000
├─ Cache Encryption: AES-256
└─ Auto-Refresh: Enabled
Failover Behavior:
├─ Offline Authentication: Enabled
├─ Fallback Mode: Cache then Deny
├─ Grace Period: 24 hours
├─ Emergency Access: Disabled (configurable)
└─ Cache Clear on Policy Change: Automatic
Advanced Settings:
├─ PMK Caching: Enabled
├─ PMK Lifetime: 1800 seconds (30 min)
├─ Fast Transition (802.11r): Enabled
├─ Mobility Domain: Auto
└─ Session Timeout: 28800 seconds (8 hours)
RADIUS Attributes Cached:
✓ VLAN Assignment (Tunnel-Private-Group-ID)
✓ Session Timeout
✓ Idle Timeout
✓ Bandwidth Limits (Filter-ID or VSA)
✓ ACL Assignment
✓ User Role/Group
Note: Password hashes stored encrypted
Never cache plaintext passwords
RADIUS Server Redundancy
Multi-Server Configuration:
Primary RADIUS:
- Server: radius1.ironwifi.com
- Port: 1812 (auth), 1813 (accounting)
- Priority: 1
- Timeout: 5 seconds
- Retry: 2
Secondary RADIUS:
- Server: radius2.ironwifi.com
- Port: 1812 (auth), 1813 (accounting)
- Priority: 2
- Timeout: 5 seconds
- Retry: 2
Tertiary (Optional):
- Server: radius3.ironwifi.com
- Priority: 3
Failover Logic:
1. Try primary (5 s timeout × 2 attempts = 10 s; if your platform counts "Retry: 2" as retransmissions after the first try, budget 15 s)
2. If no response, try secondary
3. If no response, use local cache
4. If cache miss, deny or allow (policy)
Health Monitoring:
- Server status: Active/Failed
- Automatic failback when recovered
- Response time monitoring
- Alert on failures
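Worked example of the flows above (cache hit, cache miss, ordered failover with a per-server attempt budget, grace-period fallback and the deny/permissive policy). This is added example code, not IronWifi or vendor code: the RADIUS transport is abstracted as a query callable so the decision logic runs offline, and the server names, the 5 s/2-attempt budget and the 24 h grace period are assumptions taken from the configuration above. Two points it makes explicit that the flow diagram does not: an Access-Reject is authoritative and purges the cache rather than falling back to it, and only a total timeout across all servers consults a stale entry.

```python
"""Added example: cache-first authentication with ordered RADIUS failover.
Not IronWifi or vendor code; transport is injected as `query` so it runs offline."""
from collections import OrderedDict
from dataclasses import dataclass, field


class RadiusTimeout(Exception):
    """The server did not answer within its per-attempt timeout."""


@dataclass(frozen=True)
class RadiusServer:
    name: str
    timeout_s: float   # wait per attempt (assumed 5 s, as configured above)
    attempts: int      # total attempts before moving to the next server


@dataclass
class AuthResult:
    decision: str      # "accept" or "deny"
    source: str        # where the decision came from
    attrs: dict = field(default_factory=dict)


class AuthCache:
    """LRU cache of authorization results (RADIUS attributes) with a TTL.
    Keyed by identity (username or MAC); stores the *result*, never a password."""

    def __init__(self, max_entries, ttl_s):
        self.max_entries, self.ttl_s = max_entries, ttl_s
        self._entries = OrderedDict()   # identity -> (expires_at, attrs)

    def get(self, key, now, grace_s=0.0):
        """Live entry, or one expired by at most grace_s seconds; else None."""
        item = self._entries.get(key)
        if item is None or item[0] + grace_s <= now:
            return None
        self._entries.move_to_end(key)   # mark as recently used
        return item[1]

    def put(self, key, attrs, now):
        self._entries[key] = (now + self.ttl_s, dict(attrs))
        self._entries.move_to_end(key)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)   # evict least recently used

    def invalidate(self, key):
        """Drop an entry (Disconnect-Request, account disabled, password change)."""
        return self._entries.pop(key, None) is not None

    def purge_expired(self, now, grace_s=0.0):
        """Scheduled maintenance: remove entries older than TTL + grace."""
        dead = [k for k, (exp, _) in self._entries.items() if exp + grace_s <= now]
        for k in dead:
            del self._entries[k]
        return len(dead)

    def __len__(self):
        return len(self._entries)


def worst_case_wait_s(servers):
    """Longest a client can wait before the cache/deny decision is reached."""
    return sum(s.timeout_s * s.attempts for s in servers)


def authenticate(identity, servers, cache, query, now, grace_s=0.0, fallback="deny"):
    """`query(server, identity)` returns Access-Accept attributes, None for an
    Access-Reject, or raises RadiusTimeout."""
    attrs = cache.get(identity, now)
    if attrs is not None:
        return AuthResult("accept", "cache", attrs)
    for server in servers:
        for _ in range(server.attempts):
            try:
                attrs = query(server, identity)
            except RadiusTimeout:
                continue
            if attrs is None:
                cache.invalidate(identity)          # explicit reject is authoritative
                return AuthResult("deny", "reject")
            cache.put(identity, attrs, now)
            return AuthResult("accept", f"radius:{server.name}", attrs)
    # Every server timed out: allow a stale entry inside the grace period only.
    attrs = cache.get(identity, now, grace_s=grace_s)
    if attrs is not None:
        return AuthResult("accept", "cache-grace", attrs)
    if fallback == "permissive":
        return AuthResult("accept", "permissive", {"Tunnel-Private-Group-ID": "guest"})
    return AuthResult("deny", "no-cache-entry")
```

With two servers at 5 s × 2 attempts, worst_case_wait_s reports the 20 s a client can spend waiting before the cache decision, which is the number to weigh against supplicant timeouts when choosing these values.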
Access Point Configuration
Cisco Meraki
Caching Configuration
Dashboard → Wireless → Configure → Access Control
RADIUS Servers:
- Primary: radius1.ironwifi.com:1812
- Secondary: radius2.ironwifi.com:1812
- Failover: Enabled (automatic)
RADIUS Settings:
├─ CoA (Change of Authorization): Enabled
├─ Accounting: Enabled
├─ Interim Interval: 300 seconds
└─ Timeout: 5 seconds
Caching (Automatic):
- PMK Caching: Enabled by default
- OKC (Opportunistic Key Caching): Enabled
- 802.11r Fast Transition: Enable in SSID settings
- Mobility Domain: Auto-configured
Offline Behavior:
- RADIUS Unreachable: Deny access (default)
- Or: Configure guest SSID for emergency access
- Cannot explicitly configure credential caching
(Handled automatically by Meraki)
Cisco Catalyst WLC
RADIUS and Caching
WLC Configuration:
RADIUS Server Configuration:
Security → RADIUS → Authentication:
- Server IP: radius1.ironwifi.com
- Port: 1812
- Shared Secret: [IronWifi secret]
- Timeout: 5 seconds
- Retry: 2
- Add secondary server
WLAN → Advanced:
├─ Session Timeout: 28800 (from RADIUS)
├─ PMK Caching: Enabled
├─ CCKM (Cisco Centralized Key Management): Optional
└─ 802.11r Fast Transition: Enabled
Fast Transition Configuration:
WLAN → Advanced → 802.11r:
├─ Fast Transition: Enabled
├─ Over-the-DS: Enabled
├─ Reassociation Timeout: 20 seconds
└─ Mobility Domain: [4-char hex]
Local Authentication (EAP Fast-Reconnect):
Security → Local EAP:
├─ General: Enabled
├─ Priority Order: RADIUS then Local
├─ EAP Profile Lifetime: 3600 seconds
└─ Authenticates against the controller's local user database or LDAP, not against credentials learned from RADIUS
Failover:
- Automatic failover to secondary RADIUS
- Local EAP provides offline capability only for users provisioned locally or in LDAP (it is a fallback authentication source, not a cache of RADIUS results)
- PMK cache enables fast reauthentication
Ubiquiti UniFi
RADIUS Caching
UniFi Controller:
Settings → Wireless Networks → [Network]:
RADIUS Profile:
- Auth Server: radius1.ironwifi.com
- Auth Port: 1812
- Accounting: Enabled
- Interim Interval: 300 seconds
Advanced RADIUS:
Settings → Profiles → RADIUS:
├─ Failover: Add secondary server
├─ Timeout: 5 seconds
├─ Retry: 2
└─ COA Port: 3799 (if using CoA)
Performance Optimizations:
Settings → Wireless Networks → [Network] → Advanced:
├─ PMK Caching: Auto (enabled by default)
├─ Fast Roaming (802.11r): Enable
├─ BSS Transition: Enable
└─ Minimum RSSI: Optional
UniFi-Specific:
- UniFi APs cache PMKs automatically
- Controller provides distributed cache
- Fast roaming uses controller coordination
- No explicit credential caching (PMK only)
Offline Behavior:
- If RADIUS unavailable: Deny access
- PMK cache allows existing clients to roam
- New authentications fail without RADIUS
- Configure guest SSID for emergency access
Aruba
Advanced Caching Features
Mobility Controller or Instant:
RADIUS Configuration:
Configuration → Authentication → Servers:
- RADIUS Server: radius1.ironwifi.com
- Auth Port: 1812
- Shared Key: [IronWifi]
- Timeout: 5 seconds
- Retry: 3
- Backup Server: radius2.ironwifi.com
Caching Settings:
Configuration → WLAN → Advanced:
├─ PMK Caching: Enabled
├─ OKC (Opportunistic Key Caching): Enabled
├─ Fast Transition (802.11r): Enabled
├─ Adaptive Radio Management: Enabled
└─ Station Move Detection: Enabled
Local Authentication Database (LAD):
Configuration → Security → Authentication:
├─ Enable LAD: ✓
├─ RADIUS Backup: Enabled
├─ Cached Credentials: 10,000 max
├─ Cache Timeout: 3600 seconds
├─ LAD Priority: RADIUS Primary, LAD Backup
└─ Sync Interval: 300 seconds
How LAD Works:
1. Successful RADIUS auth
2. Credentials cached in LAD
3. If RADIUS fails, use LAD
4. Maintains network access
5. Automatic RADIUS recovery
Distributed Caching:
- PMK cache distributed across controllers
- Mobility domain sharing
- Fast roaming without RADIUS query
- Sub-50ms handoff times
ARM (Adaptive Radio Management):
- Optimizes roaming
- Coordinates with caching
- Improves performance
Ruckus
SmartZone Caching
SmartZone Controller:
RADIUS Configuration:
Configure → AAA Servers → Create:
- Type: RADIUS
- Name: IronWifi-Primary
- IP/FQDN: radius1.ironwifi.com
- Auth Port: 1812
- Secret: [IronWifi]
- Timeout: 5 seconds
- Retry: 2
- Backup: radius2.ironwifi.com
WLAN Configuration:
Configure → WLAN → [Your WLAN] → Advanced:
├─ PMK Caching: Enabled
├─ OKC: Enabled
├─ 802.11r Fast Transition: Enabled
├─ SmartRoam: Enabled (Ruckus proprietary)
└─ Directed Multicast Service: Enabled
Local Authentication:
Configure → System → Local Database:
├─ Enable Local DB: ✓
├─ RADIUS Fallback: Primary
├─ Cache RADIUS Credentials: ✓
├─ Cache Expiry: 3600 seconds
├─ Max Entries: 5,000
└─ Encryption: AES-256
SmartRoam Features:
- Predictive roaming
- Client steering
- Band balancing
- Coordinates with PMK cache
- Very fast handoffs
Offline Mode:
- Automatic failover to local DB
- Cached credentials authenticate
- Maintains existing sessions
- New auth from cache if available
- Graceful RADIUS recovery
Controller vs AP-Based Caching
Controller-Based Architecture
Centralized Caching:
Advantages:
+ Shared cache across all APs
+ Consistent policy enforcement
+ Easier management
+ Better roaming (mobility domain)
+ Scalable to large deployments
Implementation:
- Controller holds master cache
- APs query controller for auth
- PMK distributed to APs
- Fast roaming coordinated
- Single point of cache management
Example Platforms:
- Cisco WLC
- Aruba Mobility Controller
- Ruckus SmartZone
- Mist Cloud Controller
Cache Synchronization:
- Real-time updates
- Controller to AP distribution
- Mobility group sharing
- Geographic redundancy (multi-site)
Recommended For:
- Enterprise deployments (100+ APs)
- Multi-building campuses
- High-density environments
- Complex roaming requirements
AP-Based Architecture
Distributed Caching:
Advantages:
+ Resilient to controller failure
+ Lower latency (local decision)
+ Scales horizontally
+ Simpler architecture
+ Lower cost
Implementation:
- Each AP maintains own cache
- Cloud controller coordinates (optional)
- PMK cache per AP
- Limited roaming optimization
- Autonomous operation
Example Platforms:
- Cisco Meraki
- Ubiquiti UniFi
- Aruba Instant
- Ruckus Unleashed
Cache Distribution:
- Cloud sync (if controller present)
- Peer coordination (limited)
- Independent AP operation
- Eventual consistency
Recommended For:
- Small to medium deployments (under 100 APs)
- Single-building installations
- Distributed/remote sites
- Cost-sensitive deployments
Performance Optimization
Cache Hit Rates
Measuring Cache Effectiveness
Key Metrics:
Cache Hit Rate:
- Formula: (Cache Hits ÷ Total Auth Requests) × 100%
- Good: 70-80%
- Excellent: 80-90%+
- Poor: under 50%
Authentication Time:
- Cache Hit: 50-150ms
- Cache Miss: 500-2,000ms
- Improvement: 80-95% faster
RADIUS Load Reduction:
- Baseline: 100% queries to RADIUS
- With Caching: 10-30% queries
- Load Reduction: 70-90%
User Experience:
- Perceived delay: Minimal (under 200ms)
- Roaming interruption: Under 100ms
- VoIP quality: No dropped calls
- Video: No buffering
Improving Cache Hit Rate
Optimization Strategies:
Increase Cache Lifetime:
- Default: 1 hour (3,600 seconds)
- Extended: 4 hours (14,400 seconds)
- Maximum: 24 hours (86,400 seconds)
- Balance: Security vs performance
Note: Longer cache = stale data risk
Recommended: 2-4 hours for most environments
Increase Cache Size:
- Small: 1,000 entries
- Medium: 5,000 entries
- Large: 10,000 entries
- Enterprise: 50,000+ entries
Size the cache at 1.5-2× the expected user count
Pre-populate Cache:
- Prime cache during off-peak
- Bulk import frequent users
- Proactive credential sync
- Reduces cold-start misses
Enable PMK Caching:
- Always enable for 802.1X
- Coordinates with credential cache
- Fastest reauthentication method
- Minimal security trade-off
Optimize Cache Eviction:
- LRU (Least Recently Used)
- TTL (Time To Live) enforcement
- Capacity-based eviction
- Prioritize active users
Network Design Considerations
High-Availability Architecture
Recommended Setup:
Internet
├── Primary WAN Link (Fiber 1 Gbps)
├── Backup WAN Link (Cable 500 Mbps)
└── Failover: Automatic (under 30 seconds)
RADIUS Servers (Cloud):
├── Primary: radius1.ironwifi.com (US-East)
├── Secondary: radius2.ironwifi.com (US-West)
├── Tertiary: radius3.ironwifi.com (EU)
└── Failover: Automatic (5 sec timeout)
Local Infrastructure:
├── Controller: Redundant pair (active-standby)
├── RADIUS Cache: Distributed to all APs
├── Credential Cache: 10,000 entries
└── Offline Mode: Enabled
Benefits:
- Survives internet outage (cache)
- Survives RADIUS outage (failover)
- Survives controller failure (distributed)
- 99.99% authentication availability
Recovery:
- Automatic RADIUS server recovery
- Automatic cache refresh
- No manual intervention
- Seamless to end users
Branch Office Design
Remote Site Challenges:
- Limited bandwidth to HQ/cloud
- Potential WAN instability
- Higher latency to RADIUS servers
- Local IT support limited
Optimized Design:
WAN Link:
- Minimum: 10 Mbps dedicated
- QoS: Prioritize RADIUS traffic
- Backup: 4G/5G failover
Local Caching:
- Aggressive caching policy
- Cache Lifetime: 8-12 hours
- Cache Size: 2× max concurrent users
- Offline Mode: Enabled
Branch Controller (Optional):
- Local authentication when possible
- Cache RADIUS responses
- Maintain sessions during WAN failure
- Sync with central management
Failover Behavior:
- WAN Down: Authenticate from cache
- Cache Miss: Deny or allow (policy)
- WAN Restored: Refresh cache automatically
- Report failures to central IT
Monitoring:
- WAN status monitoring
- Cache hit rate tracking
- Authentication failure alerting
- Periodic health checks
Security Considerations
Cache Security
Data Protection
Encrypted Storage:
Cache Encryption:
- Algorithm: AES-256
- Key Storage: TPM or secure element where the platform provides one; otherwise the platform's protected keystore
- Key Rotation: Quarterly
- Access Control: Admin only
What's Encrypted:
✓ Password hashes (salted)
✓ RADIUS shared secrets
✓ User credentials
✓ Session keys (PMK)
✓ Personal identifiable information
What's NOT Cached Plaintext:
✗ Never store passwords in clear text
✗ Never store certificate private keys
✗ Never store shared secrets unencrypted
Security Best Practices:
- Enable cache encryption always
- Use strong encryption keys
- Protect key material
- Regular security audits
- Monitor cache access
Cache Poisoning Prevention
Protection Measures:
Authentication Integrity:
- Verify the Response Authenticator (MD5 over the reply, the Request Authenticator and the shared secret) on every reply
- Require a Message-Authenticator (HMAC-MD5, RFC 2869) on Access-Request and on Access-Accept/Reject/Challenge, and drop replies without one: the Response Authenticator alone is what the 2024 Blast-RADIUS forgery targets, and Message-Authenticator is the mitigation
- Prefer RADIUS over TLS (RadSec, RFC 6614) between the NAS and cloud RADIUS so nothing on the path can read or modify Access-Accepts
- Validate response attributes before caching them (expected VLAN range, sane Session-Timeout)
- Prevent replay: match the Identifier and Request Authenticator of an outstanding request; a reply that matches none is discarded
Cache Entry Validation:
- Timestamp verification
- Source verification (the RADIUS source IP is a weak check on UDP, which is spoofable; the authenticators above are the real check)
- Integrity checksums
- Secure cache updates only
- No external cache injection
Access Controls:
- Admin authentication required
- Role-based access control
- Audit all cache operations
- Log cache modifications
- Alert on suspicious activity
Regular Maintenance:
- Clear stale entries
- Validate cache consistency
- Check for corruption
- Rebuild if compromised
- Automated health checks
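The integrity checks listed above, as an added example (not IronWifi or vendor code, standard library only). It builds an Access-Request and a matching Access-Accept carrying the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator, then shows the verification a NAS should run before a reply is written to the cache: a tampered VLAN attribute fails the Response Authenticator, a reply without a Message-Authenticator is refused in strict mode, and a reply whose Identifier does not match the outstanding request is dropped. The shared secret, identifier and Request Authenticator used by callers are constructed values.

```python
"""Added example: verify a RADIUS Access-Accept before caching it.
Not IronWifi or vendor code. RFC 2865 Response Authenticator + RFC 2869
Message-Authenticator (HMAC-MD5); secret/identifier/nonce are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 1, 80, 81
HEADER = "!BBH16s"  # Code, Identifier, Length, Authenticator


def _attr(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(body):
    """Return [(type, offset_of_value, value)], rejecting malformed TLVs."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out.append((body[i], i + 2, body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


def _hmac_md5(code, ident, authenticator, body, secret):
    """Message-Authenticator: HMAC-MD5 over the packet with its MA value zeroed."""
    pkt = struct.pack(HEADER, code, ident, 20 + len(body), authenticator) + body
    return hmac.new(secret, pkt, hashlib.md5).digest()


def _add_message_authenticator(code, ident, authenticator, body, secret):
    zeroed = body + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    return body + _attr(MESSAGE_AUTHENTICATOR, _hmac_md5(code, ident, authenticator, zeroed, secret))


def build_access_request(ident, username, secret, request_auth=None):
    """NAS side: Access-Request; the random Request Authenticator is the nonce."""
    request_auth = request_auth or os.urandom(16)
    body = _add_message_authenticator(ACCESS_REQUEST, ident, request_auth,
                                      _attr(USER_NAME, username.encode()), secret)
    return struct.pack(HEADER, ACCESS_REQUEST, ident, 20 + len(body), request_auth) + body, request_auth


def build_access_accept(ident, request_auth, secret, vlan, include_ma=True):
    """Server side: Access-Accept with a VLAN; include_ma=False mimics a legacy server."""
    body = _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode())  # tag 0 + VLAN id
    if include_ma:
        body = _add_message_authenticator(ACCESS_ACCEPT, ident, request_auth, body, secret)
    length = 20 + len(body)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack(HEADER, ACCESS_ACCEPT, ident, length, request_auth)
                            + body + secret).digest()
    return struct.pack(HEADER, ACCESS_ACCEPT, ident, length, resp_auth) + body


def verify_access_accept(packet, ident, request_auth, secret, require_ma=True):
    """Return (ok, reason); write to the cache only when ok is True.
    require_ma=True refuses replies lacking a Message-Authenticator: the Response
    Authenticator alone is plain MD5 and is what Blast-RADIUS forges."""
    if len(packet) < 20:
        return False, "short packet"
    code, pid, length, resp_auth = struct.unpack(HEADER, packet[:20])
    if length != len(packet):
        return False, "length field does not match packet"
    if pid != ident:
        return False, "identifier mismatch: not a reply to our request"
    body = packet[20:]
    expected = hashlib.md5(struct.pack(HEADER, code, pid, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    if code != ACCESS_ACCEPT:
        return False, f"code {code} is not Access-Accept"
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    mas = [(off, val) for typ, off, val in attrs if typ == MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "Message-Authenticator missing") if require_ma else (True, "weak: no Message-Authenticator")
    off, val = mas[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    if len(val) != 16 or not hmac.compare_digest(_hmac_md5(code, pid, request_auth, zeroed, secret), val):
        return False, "bad Message-Authenticator"
    return True, "verified"


def cacheable_attrs(packet):
    """Attributes worth caching from a verified Access-Accept (VLAN as text)."""
    out = {}
    for typ, _, val in parse_attrs(packet[20:]):
        if typ == TUNNEL_PRIVATE_GROUP_ID:
            out["Tunnel-Private-Group-ID"] = (val[1:] if val and val[0] <= 0x1F else val).decode()
    return out
```

In production, prefer RadSec (RADIUS over TLS) to the cloud servers; the checks here remain the last line of defence for the UDP path, and the cache write should happen only after verify_access_accept returns True.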
Stale Data Management
Cache Invalidation
When to Clear Cache:
Immediate Invalidation:
- Password change
- User account disabled
- Security incident
- Policy change (VLAN, bandwidth)
- Certificate revocation
Scheduled Invalidation:
- Daily: Clear expired entries
- Weekly: Full cache refresh
- Monthly: Rebuild cache
- After hours: Maintenance window
Event-Driven Invalidation:
- RADIUS CoA (Change of Authorization)
- User logout
- Session timeout
- Admin action
- Security alert
Methods:
Manual Clear:
- Admin console: Clear cache button
- CLI (illustrative; the exact syntax varies by vendor, check your platform's command reference): radius cache clear
- Per-user: radius cache clear username
- Per-AP: radius cache clear ap-name
Automatic CoA/Disconnect:
- RADIUS sends a Disconnect-Request (RFC 5176, UDP 3799) to the NAS; a CoA-Request instead changes the session's attributes in place
- AP/Controller verifies the packet's authenticator (and Message-Authenticator when present) and answers Disconnect-ACK or Disconnect-NAK
- Cache entry removed
- User reauthenticates
- New credentials/policies applied
Scheduled Sync:
- Periodic RADIUS query
- Refresh cached entries
- Update changed attributes
- Remove deleted users
- Background process (low priority)
Audit and Compliance
Cache Auditing:
Logging Requirements:
✓ Cache creation timestamp
✓ Username and MAC address
✓ Source RADIUS server
✓ Cached attributes
✓ Cache hit/miss events
✓ Cache expiration
✓ Manual cache clears
Compliance Considerations:
GDPR:
- Personal data in cache = subject to GDPR
- Cache retention = data retention
- User right to erasure = cache clear
- Encryption required
- Access logs mandatory
HIPAA:
- Audit trail required
- Encrypted storage mandated
- Access controls enforced
- Regular security reviews
PCI-DSS:
- Secure authentication data
- No plaintext passwords
- Encrypted transmission and storage
- Regular security testing
Audit Reports:
- Cache hit/miss statistics
- Authentication failures
- Cache size and utilization
- Policy enforcement
- Compliance metrics
Troubleshooting
Common Issues
Cache Not Working
Symptoms:
- All authentications query RADIUS
- No performance improvement
- Cache hit rate: 0%
Diagnosis:
1. Verify caching enabled:
- Check AP/controller configuration
- Look for cache settings
- Verify not explicitly disabled
2. Check cache size:
- Current entries: 0 (problem!)
- Max capacity: Verify not 0
- Available memory: Sufficient?
3. Review logs:
- Look for cache write failures
- Check storage errors
- Verify permissions
4. Test authentication:
- Authenticate once
- Check if cached
- Reauthenticate
- Monitor cache hit
Solutions:
Enable Caching:
- AP/Controller settings
- Enable PMK caching
- Enable credential caching
- Set appropriate lifetime
Increase Cache Size:
- Allocate more entries
- Check memory availability
- Restart service if needed
Fix Permissions:
- Verify write access
- Check file system
- Repair database if corrupted
Verify RADIUS Attributes:
- Session-Timeout should be returned on Access-Accept
- Most platforms bound the PMK/cache lifetime by it, and some disable caching when it is missing
- Check RADIUS logs
High Cache Miss Rate
Symptoms:
- Cache hit rate under 50%
- Poor performance despite caching
- Frequent RADIUS queries
Common Causes:
1. Short cache lifetime:
- Default: Too short (e.g., 300 seconds)
- Users reauthenticate before cache expires
- Increase to 3,600-14,400 seconds
2. Cache size too small:
- Max entries: 1,000
- User base: 5,000
- Oldest entries evicted prematurely
- Increase cache size
3. Frequent policy changes:
- Admin updates trigger cache clear
- CoA messages invalidate cache
- Reduce change frequency
4. User behavior:
- Infrequent visitors
- Many one-time users
- High user turnover
- Expected low hit rate
Solutions:
Optimize Cache Lifetime:
- Increase to 4-8 hours for stable environments
- Balance security vs performance
- Monitor and adjust
Increase Cache Capacity:
- Size = Active users × 2-3
- Account for growth
- Monitor utilization
Reduce Policy Changes:
- Batch updates during off-peak
- Test before production
- Minimize cache invalidation
Segment Users:
- Employees: Long cache (8 hours)
- Guests: Short cache (1 hour)
- Different SSIDs or policies
RADIUS Failover Not Working
Symptoms:
- RADIUS primary down
- All authentications fail
- Not failing over to cache or secondary
Diagnosis:
1. Check RADIUS server configuration:
- Primary server timeout
- Retry count
- Secondary server configured
- Failover enabled
2. Test secondary RADIUS:
- Manually disable primary
- Force authentication
- Check if secondary used
- Verify credentials work
3. Check cache configuration:
- Offline mode enabled?
- Cache has entries?
- Fallback behavior: Cache or deny?
4. Review failover logic:
- Timeout settings (5 sec?)
- Too long = poor user experience
- Too short = false failovers
- Retry count (2-3 recommended)
Solutions:
Configure Proper Timeouts:
- RADIUS timeout: 5 seconds
- Retry: 2 attempts
- Total wait per server: 10 seconds (15 if the platform counts the retries after the first attempt); with a secondary server the client can wait twice that before the cache decision
- Then failover
Verify Secondary RADIUS:
- Test connectivity
- Verify shared secret
- Check firewall rules
- Ensure reachability
Enable Offline Mode:
- Allow cache authentication
- Set fallback behavior
- Test RADIUS unavailable scenario
- Document expected behavior
Check Network Path:
- AP to RADIUS connectivity
- Firewall not blocking
- DNS resolution working
- Routing correct
Stale Cache Data
Symptoms:
- User changed password, old still works
- VLAN assignment incorrect
- Bandwidth limits outdated
- Disabled users still authenticate
Causes:
- Cache not invalidated
- CoA not working
- Cache lifetime too long
- Manual clear not performed
Solutions:
Immediate Fix:
- Clear cache manually
- Force user reauthentication
- Verify new credentials/policies
Enable CoA:
RADIUS → Network Device:
- Port: 3799 (default)
- Enable on AP/controller
- Test CoA Disconnect
- Verify cache clears
Implement CoA Workflow:
1. Admin changes password in IronWifi
2. IronWifi sends a Disconnect-Request (RFC 5176) to the NAS
3. AP/controller validates it and replies Disconnect-ACK
4. Cache entry invalidated
5. User disconnected
6. User reauthenticates with new password
7. New result cached
Reduce Cache Lifetime:
- If CoA not available
- Trade performance for freshness
- 1-2 hours for high-security environments
- 4-8 hours for standard environments
Scheduled Cache Refresh:
- Nightly cache clear
- Weekly full rebuild
- Background credential sync
- Proactive updates
Best Practices
Cache Configuration
Optimal Settings by Environment
Enterprise Corporate:
Cache Lifetime: 4-8 hours
Cache Size: Active users × 3
PMK Caching: Enabled
802.11r: Enabled
Offline Mode: Enabled
Failover: Secondary RADIUS + Cache
CoA: Enabled
Rationale:
- Stable user base
- Infrequent password changes
- Predictable usage patterns
- Performance priority
Education Institution:
Cache Lifetime: 2-4 hours
Cache Size: Enrolled students × 2
PMK Caching: Enabled
802.11r: Enabled
Offline Mode: Enabled
Failover: Secondary RADIUS + Cache
CoA: Enabled
Rationale:
- High user density
- Frequent roaming (class changes)
- Periodic policy updates
- Balance security and performance
Healthcare:
Cache Lifetime: 1-2 hours
Cache Size: Staff + patients × 2
PMK Caching: Enabled
802.11r: Enabled (critical for mobile devices)
Offline Mode: Conditional
Failover: Secondary RADIUS + Conditional Cache
CoA: Enabled (critical for revocation)
Rationale:
- HIPAA compliance
- Rapid revocation required
- Real-time patient devices
- Security priority
Guest/Public WiFi:
Cache Lifetime: 30-60 minutes
Cache Size: Concurrent users × 1.5
PMK Caching: Optional
802.11r: Optional
Offline Mode: Disabled
Failover: Secondary RADIUS only (no cache)
CoA: Enabled
Rationale:
- One-time users
- Low cache hit rate expected
- Security over performance
- Minimal infrastructure
High-Security/Government:
Cache Lifetime: 15-30 minutes
Cache Size: Minimum required
PMK Caching: Disabled or minimal (note that 802.11r itself keeps PMK-R0/PMK-R1 in the mobility domain, so FT is the only key caching that remains)
802.11r: Enabled
Offline Mode: Disabled
Failover: Multiple RADIUS (no cache fallback)
CoA: Enabled and mandatory
Rationale:
- Maximum security
- Real-time authentication required
- Rapid credential revocation
- Compliance mandates
Monitoring and Maintenance
Key Performance Indicators
Daily Monitoring:
Cache Hit Rate:
- Target: 70-90%
- Alert if: Under 50%
- Action: Investigate configuration
Authentication Time:
- Cache Hit: Under 150ms
- Cache Miss: Under 2 seconds
- Alert if: Over 3 seconds average
- Action: Check RADIUS performance
RADIUS Server Availability:
- Target: 99.9%+
- Alert if: Server unreachable
- Action: Failover verification
Cache Utilization:
- Current entries ÷ Max capacity
- Target: 60-80%
- Alert if: Over 90% (increase size)
- Alert if: Under 20% (check config)
Weekly Review:
Trend Analysis:
- Cache hit rate trends
- Authentication time trends
- Failure rate patterns
- User growth
Performance Reports:
- Average cache performance
- Peak usage periods
- Bottleneck identification
- Capacity planning
Security Audit:
- Review cache access logs
- Check for anomalies
- Verify encryption
- Compliance check
Monthly Maintenance:
Cache Health:
- Full cache rebuild
- Consistency verification
- Performance benchmarking
- Capacity review
Policy Review:
- Cache lifetime appropriate?
- Cache size sufficient?
- Offline mode correct?
- Failover behavior optimal?
Disaster Recovery Test:
- Simulate RADIUS outage
- Verify cache failover
- Test secondary RADIUS
- Document results
Alerting Configuration
Critical Alerts (Immediate):
RADIUS Servers Down:
- Both primary and secondary unreachable
- Authentication failing
- No cache fallback configured
- Action: Emergency response
Cache Corruption:
- Cache database errors
- Integrity check failures
- Authentication failures
- Action: Clear and rebuild cache
Security Incident:
- Unusual cache access patterns
- Cache poisoning attempt
- Unauthorized modifications
- Action: Security investigation
Warning Alerts (15-30 minutes):
Cache Hit Rate Low:
- Under 50% for 1 hour
- Performance degraded
- Possible configuration issue
- Action: Review settings
RADIUS Latency High:
- Response time over 3 seconds
- Impacting user experience
- Possible network or server issue
- Action: Investigate RADIUS path
Cache Near Capacity:
- Over 90% full
- Risk of premature eviction
- Action: Increase cache size
Informational Alerts (Daily/Weekly):
Cache Statistics:
- Daily hit rate summary
- User authentication counts
- Performance metrics
- Trends and patterns
Capacity Planning:
- User growth trends
- Cache utilization trends
- Infrastructure needs
- Budget planning
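The KPIs and thresholds above, as an added example that computes them from a NAS authentication log and emits alerts. Not IronWifi or vendor code: the log line format and the eight sample lines are constructed for the example (adapt LINE_RE to your platform's syslog), the one-hour window for the hit-rate warning is left to the caller (feed it one hour of lines), and the critical condition follows the table, namely every configured server showing timeouts.

```python
"""Added example: caching KPIs and alert thresholds from NAS auth logs.
Not IronWifi or vendor code; log format and sample lines are constructed."""
import re
import statistics

# Constructed sample log (not from any real AP).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth user=alice result=accept source=cache latency_ms=42
2024-05-01T08:00:02Z auth user=bob result=accept source=radius:primary latency_ms=640
2024-05-01T08:00:05Z auth user=carol result=accept source=cache latency_ms=55
2024-05-01T08:00:09Z auth user=dave result=timeout source=radius:primary latency_ms=10000
2024-05-01T08:00:19Z auth user=dave result=accept source=radius:secondary latency_ms=710
2024-05-01T08:00:21Z auth user=erin result=reject source=radius:primary latency_ms=590
2024-05-01T08:00:30Z auth user=alice result=accept source=cache latency_ms=38
2024-05-01T08:00:31Z auth user=frank result=accept source=radius:secondary latency_ms=700
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>accept|reject|timeout) "
    r"source=(?P<source>\S+) latency_ms=(?P<latency>\d+)$"
)


def parse_log(text):
    """Parse auth events; lines that do not match are returned separately, not dropped silently."""
    events, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        e = m.groupdict()
        e["latency"] = int(e["latency"])
        events.append(e)
    return events, bad


def kpis(events):
    """Hit rate, per-source latency, timeouts per server and reject count."""
    total = len(events)
    cache_hits = [e for e in events if e["source"] == "cache"]
    answered = [e for e in events if e["source"].startswith("radius:") and e["result"] != "timeout"]
    timeouts = {}
    for e in events:
        if e["result"] == "timeout":
            timeouts[e["source"]] = timeouts.get(e["source"], 0) + 1
    return {
        "total": total,
        "hit_rate": round(100.0 * len(cache_hits) / total, 1) if total else 0.0,
        "cache_mean_ms": statistics.fmean(e["latency"] for e in cache_hits) if cache_hits else 0.0,
        "radius_mean_ms": statistics.fmean(e["latency"] for e in answered) if answered else 0.0,
        "timeouts": timeouts,
        "rejects": sum(1 for e in events if e["result"] == "reject"),
    }


def alerts(k, servers, cache_entries, cache_max,
           hit_rate_floor=50.0, latency_ceiling_ms=3000.0, capacity_ceiling=90.0):
    """Map KPIs to (severity, message) pairs using the thresholds from the alerting table."""
    out = []
    if k["total"] and k["hit_rate"] < hit_rate_floor:
        out.append(("warning", f"cache hit rate {k['hit_rate']}% below {hit_rate_floor}%"))
    if k["radius_mean_ms"] > latency_ceiling_ms:
        out.append(("warning", f"RADIUS mean latency {k['radius_mean_ms']:.0f} ms over {latency_ceiling_ms:.0f} ms"))
    unreachable = [s for s in servers if k["timeouts"].get(s)]
    if unreachable and len(unreachable) == len(servers):
        out.append(("critical", "all RADIUS servers unreachable: " + ", ".join(unreachable)))
    else:
        for s in unreachable:
            out.append(("warning", f"{s} unreachable ({k['timeouts'][s]} timeouts)"))
    utilisation = 100.0 * cache_entries / cache_max if cache_max else 0.0
    if utilisation > capacity_ceiling:
        out.append(("warning", f"cache {utilisation:.1f}% full, risk of premature eviction"))
    return out
```

On the sample above the hit rate is 37.5% (three of eight decisions came from the cache), which trips the hit-rate warning; the single primary timeout is a warning while the secondary still answers, and becomes critical only when every server in the list has timed out.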
Advanced Topics
Dynamic Cache Optimization
Adaptive Cache Sizing
Concept:
Automatically adjust cache parameters based on usage patterns
Implementation:
Machine Learning Approach:
1. Monitor authentication patterns
2. Identify frequent vs infrequent users
3. Predict cache requirements
4. Dynamically adjust:
- Cache lifetime per user/group
- Cache priority/weight
- Eviction strategy
- Cache size allocation
Example Algorithm (the page's pseudocode as runnable Python, same thresholds):
def cache_policy(auths_per_day):
    """Map observed authentication frequency to (cache lifetime in seconds, priority)."""
    if auths_per_day > 10:
        return 8 * 3600, "HIGH"
    if auths_per_day > 2:
        return 4 * 3600, "MEDIUM"
    return 3600, "LOW"
Benefits:
- Optimizes cache efficiency
- Reduces stale data
- Improves hit rate
- Better resource utilization
Challenges:
- Complex implementation
- Requires analytics platform
- May need vendor support
- Not available on all platforms
Multi-Site Cache Synchronization
Distributed Cache Architecture
Challenge:
- Multiple sites with local caching
- User roams between sites
- Need consistent authentication
Solution 1: Centralized Cache
Architecture:
- Central controller/cloud
- All sites query central cache
- Shared authentication state
- Consistent policies
Pros:
+ Single source of truth
+ Easy policy management
+ Consistent user experience
Cons:
- Requires reliable WAN
- Central point of failure
- Network dependency
Solution 2: Federated Cache
Architecture:
- Each site has local cache
- Cache sync between sites
- Eventual consistency
- Conflict resolution
Synchronization:
- Real-time: High-bandwidth mesh
- Periodic: Batch updates hourly/daily
- Event-driven: On auth or change
Pros:
+ Site autonomy
+ Resilient to WAN failures
+ Scales horizontally
Cons:
- Complexity
- Potential inconsistency
- Synchronization overhead
Recommended Approach:
- Sites with good WAN: Centralized
- Remote/unreliable WAN: Federated
- Hybrid: Local cache + central fallback
Certificate Caching for EAP-TLS
Certificate Validation Caching
Challenge:
- With EAP-TLS the RADIUS server (not the AP) validates the client certificate on every authentication, so this caching lives on the RADIUS side
- CRL/OCSP queries add latency
- Certificate chain validation is expensive
Caching Strategy:
Cache Certificate Validation Results:
- Certificate fingerprint (hash)
- Validation status (valid/revoked/expired)
- Timestamp
- Cache lifetime: 15-60 minutes
OCSP Response Caching:
- Cache OCSP responses
- Lifetime: Per OCSP response validity
- Reduces OCSP queries
- Improves performance
CRL Caching:
- Download the CRL once
- Cache it until its nextUpdate time (typically hours to days), refreshing shortly before
- Use it for multiple validations
- If a fresh CRL cannot be fetched after expiry, fall back to OCSP or fail closed rather than trusting a stale list
Benefits:
- Faster EAP-TLS authentication
- Reduced load on CA/OCSP servers
- Lower network traffic
- Better user experience
Security Considerations:
- Shorter cache = more secure (fresh status)
- Longer cache = better performance
- Balance based on environment
- Recommended: 15-30 minutes
Support and Resources
IronWifi Support
Contact Information
- Email: support@ironwifi.com
- Portal: console.ironwifi.com/support
- Documentation: www.ironwifi.com/help-center
- Emergency: Available for Enterprise accounts
Caching Support
- Configuration assistance
- Performance tuning
- Failover testing
- Troubleshooting
- Best practices consultation
Related Documentation
- Service Monitor - Performance monitoring
- Troubleshooting Guide - General troubleshooting
- PKI Infrastructure - Certificate management
- Certificate Revocation - Revocation and CoA
Vendor Resources
AP/Controller Documentation
- Cisco WLC Configuration Guide - RADIUS and caching
- Aruba Mobility Controller Guide - LAD configuration
- Ruckus SmartZone Guide - Local authentication
- Ubiquiti UniFi Documentation - RADIUS settings
Need Help with RADIUS Caching?
Contact IronWifi support for assistance with cache configuration, performance optimization, or high-availability design for your deployment.