RADIUS Caching & Failover

Key Takeaways

RADIUS caching stores authentication results locally on access points or controllers, reducing reauthentication latency by up to 90% and enabling continued WiFi access during RADIUS server outages.
Four cache types serve different purposes: PMK caching (fast roaming within an AP), credential caching (offline authentication), 802.11r Fast Transition caching (sub-50ms roaming across APs), and session caching (accounting continuity).
Cache lifetime should be tuned to the environment: 4-8 hours for corporate, 2-4 hours for education, 1-2 hours for healthcare (HIPAA), and 15-30 minutes for high-security/government networks.
Always configure both primary and backup RADIUS servers alongside caching -- caching is a complement to server redundancy, not a replacement for it.
Enable RADIUS Change of Authorization (CoA) on port 3799 to ensure that password changes and account revocations invalidate cached credentials in real time.

RADIUS caching is a network optimization technique that stores authentication credentials and session data locally on access points or wireless controllers, allowing previously authenticated users to reconnect without querying the remote RADIUS server. This reduces authentication latency by up to 90%, lowers RADIUS server load, and enables continued WiFi access during server outages or internet disruptions.

IronWiFi RADIUS infrastructure supports comprehensive caching strategies with intelligent failover mechanisms, ensuring uninterrupted WiFi access even when cloud connectivity is temporarily lost.

When to Enable RADIUS Caching

Enable RADIUS caching when

High availability is critical -- Any environment where WiFi downtime has a direct business or safety impact (hospitals, manufacturing floors, logistics centers) benefits from cached authentication as a failover mechanism.
Branch offices have unreliable WAN links -- Remote sites with intermittent internet connectivity can maintain WiFi access for previously authenticated users even when the connection to IronWiFi's cloud RADIUS servers is temporarily lost.
Users frequently roam between access points -- Environments with high mobility (warehouses, campuses, hospitals) benefit from PMK caching and 802.11r Fast Transition to achieve sub-50ms roaming without RADIUS round-trips.
Authentication bursts are common -- Event venues, shift-change environments, and educational institutions experience hundreds of simultaneous authentication requests. Caching reduces peak RADIUS server load by 70-90%.
You need to meet 99.9%+ uptime SLAs -- RADIUS caching eliminates the cloud RADIUS server as a single point of failure for returning users.

Be cautious with caching when

Rapid credential revocation is required -- In high-security environments, a cached credential remains valid until the cache expires or a CoA message invalidates it. If your security policy requires immediate revocation, use short cache lifetimes (15-30 minutes) and enable CoA.
User population changes frequently -- Guest WiFi networks with many one-time visitors have low cache hit rates, making caching less effective. For guest/public WiFi, consider disabling credential caching and relying on RADIUS server redundancy instead.
Compliance mandates real-time authentication -- Some regulatory frameworks require every connection to be authenticated against the authoritative source. In these cases, use PMK caching (for roaming performance) but disable full credential caching.

Key Benefits

Performance Optimization

Reduced authentication time (50-90% faster)
Lower network latency
Decreased RADIUS server load
Improved roaming performance
Better user experience

High Availability

Continued operation during RADIUS outages
Local failover without connectivity loss
Automatic recovery when service restored
Zero-downtime authentication
Business continuity assurance

Scalability

Handle authentication bursts (event starts, shift changes)
Reduce peak load on RADIUS servers
Support remote/branch offices with limited connectivity
Enable large-scale deployments
Cost-effective infrastructure

Reliability

Eliminate single point of failure
Survive internet outages
Maintain WiFi during WAN failures
Support disaster recovery
Meet uptime SLAs (99.9%+)

How RADIUS Caching Works

Authentication Flow with Caching

Initial Authentication (Cache Miss):

1. Client connects to WiFi
   ↓
2. AP/Controller forwards credentials to RADIUS
   ↓
3. RADIUS validates credentials (IronWiFi cloud)
   ↓
4. RADIUS returns Access-Accept + attributes
   ↓
5. AP/Controller caches authentication result
   - Username/MAC address
   - Password hash (encrypted)
   - Session timeout
   - VLAN assignment
   - Bandwidth limits
   - Cache expiration time
   ↓
6. Client authenticated and connected

Subsequent Authentication (Cache Hit):

1. Client reconnects (roaming or new session)
   ↓
2. AP/Controller checks local cache
   ↓
3. If match found and not expired:
   - Authenticate locally (under 100ms)
   - Apply cached attributes
   - Skip RADIUS query
   ↓
4. If cache miss or expired:
   - Query RADIUS server
   - Update cache
   - Authenticate normally

RADIUS Server Unavailable:

1. Client attempts authentication
   ↓
2. AP/Controller queries RADIUS
   ↓
3. RADIUS unreachable (timeout)
   ↓
4. Fallback to local cache
   ↓
5. If cached entry valid:
   - Authenticate from cache
   - Grant network access
   - Continue operation
   ↓
6. If no cache entry:
   - Deny access (secure mode)
   - OR allow limited access (permissive mode)

Cache Types

PMK Caching (Opportunistic Key Caching)

Concept:
- Caches Pairwise Master Key (PMK)
- Used for fast reauthentication
- Avoids full EAP handshake
- Specific to 802.1X/WPA-Enterprise

Process:
1. Initial 802.1X authentication
2. PMK derived from authentication
3. PMK cached on AP
4. Client roams to same AP
5. PMK reused for 4-way handshake
6. Skip EAP authentication
7. Fast reconnection (under 100ms)

Benefits:
- Very fast roaming
- Reduced RADIUS load
- Better VoIP/video performance
- Seamless user experience

Limitations:
- PMK cache per AP (not controller-wide)
- Requires client support
- Limited to same SSID
- Typically 10-30 minute expiration

Credential Caching

Concept:
- Caches username/password or certificate
- Enables local authentication
- Survives RADIUS outages
- Controller or AP based

Storage:
- Username
- Password hash (salted, encrypted)
- Or certificate fingerprint
- MAC address
- Authentication timestamp
- RADIUS attributes (VLAN, etc.)
- Cache expiration time

Security:
- Encrypted storage
- Hashed passwords (never plaintext)
- Configurable cache lifetime
- Automatic expiration
- Secure deletion on cache clear

Benefits:
- Complete offline authentication
- Full RADIUS server failover
- Maintains network access
- Applies RADIUS attributes locally

Limitations:
- Storage capacity (1,000-10,000 entries)
- Stale data if policies change
- Cache synchronization needed
- Security considerations

802.11r Fast Transition (FT) Cache

Concept:
- Caches authentication state for mobility
- Enables sub-50ms roaming
- Works with PMK caching
- Controller-wide distribution

Implementation:
1. Initial authentication creates PMK
2. PMK distributed to mobility domain
3. R0 Key Holder stores PMK
4. R1 Key Holders cache derived keys
5. Client roams to new AP
6. Uses cached keys for fast handshake
7. No RADIUS query needed

Benefits:
- Seamless roaming (under 50ms)
- No dropped VoIP calls
- Better video conferencing
- Enhanced user mobility

Requirements:
- 802.11r support on AP and client
- Mobility domain configuration
- Controller or distributed architecture
- Modern WiFi infrastructure

Session Caching (RADIUS Accounting)

Concept:
- Caches active session state
- Enables session persistence
- Supports graceful failover
- Accounting continuity

Cached Data:
- Session ID
- Username
- MAC address
- IP address
- Start time
- Bytes in/out
- VLAN assignment
- QoS policies

Purpose:
- Maintain sessions during failover
- Continue accounting offline
- Prevent disconnections
- Buffer accounting data
- Sync when RADIUS available

Typical Duration:
- Active sessions: Until logout
- Idle timeout: 30-60 minutes
- Hard timeout: 8-24 hours
- Accounting updates: Every 5-10 minutes

Configuration

IronWiFi RADIUS Configuration

Enable Caching Support

IronWiFi Console:

Navigation: Networks → [Your Network] → RADIUS Settings

RADIUS Caching:
├─ Enable RADIUS Caching: ✓
├─ Cache Lifetime: 3600 seconds (1 hour)
├─ Max Cache Entries: 10,000
├─ Cache Encryption: AES-256
└─ Auto-Refresh: Enabled

Failover Behavior:
├─ Offline Authentication: Enabled
├─ Fallback Mode: Cache then Deny
├─ Grace Period: 24 hours
├─ Emergency Access: Disabled (configurable)
└─ Cache Clear on Policy Change: Automatic

Advanced Settings:
├─ PMK Caching: Enabled
├─ PMK Lifetime: 1800 seconds (30 min)
├─ Fast Transition (802.11r): Enabled
├─ Mobility Domain: Auto
└─ Session Timeout: 28800 seconds (8 hours)

RADIUS Attributes Cached:
✓ VLAN Assignment (Tunnel-Private-Group-ID)
✓ Session Timeout
✓ Idle Timeout
✓ Bandwidth Limits (Filter-ID or VSA)
✓ ACL Assignment
✓ User Role/Group

Note: Password hashes stored encrypted
Never cache plaintext passwords

RADIUS Server Redundancy

Multi-Server Configuration:

Primary RADIUS:
- Server: radius1.ironwifi.com
- Port: {AUTH_PORT} (auth), {ACCT_PORT} (accounting)
- Priority: 1
- Timeout: 5 seconds
- Retry: 2

Secondary RADIUS:
- Server: radius2.ironwifi.com
- Port: {AUTH_PORT} (auth), {ACCT_PORT} (accounting)
- Priority: 2
- Timeout: 5 seconds
- Retry: 2

Tertiary (Optional):
- Server: radius3.ironwifi.com
- Priority: 3

Failover Logic:
1. Try primary (5 sec timeout × 2 retries = 10 sec)
2. If no response, try secondary
3. If no response, use local cache
4. If cache miss, deny or allow (policy)

Health Monitoring:
- Server status: Active/Failed
- Automatic failback when recovered
- Response time monitoring
- Alert on failures

Access Point Configuration

Cisco Meraki

Caching Configuration

Dashboard → Wireless → Configure → Access Control

RADIUS Servers:
- Primary: radius1.ironwifi.com:CUSTOM_AUTH_PORT
- Secondary: radius2.ironwifi.com:CUSTOM_AUTH_PORT
- Failover: Enabled (automatic)

RADIUS Settings:
├─ CoA (Change of Authorization): Enabled
├─ Accounting: Enabled
├─ Interim Interval: 300 seconds
└─ Timeout: 5 seconds

Caching (Automatic):
- PMK Caching: Enabled by default
- OKC (Opportunistic Key Caching): Enabled
- 802.11r Fast Transition: Enable in SSID settings
- Mobility Domain: Auto-configured

Offline Behavior:
- RADIUS Unreachable: Deny access (default)
- Or: Configure guest SSID for emergency access
- Cannot explicitly configure credential caching
  (Handled automatically by Meraki)

Cisco Catalyst WLC

RADIUS and Caching

WLC Configuration:

RADIUS Server Configuration:
Security → RADIUS → Authentication:
- Server IP: radius1.ironwifi.com
- Port: Customer Authentication Port
- Shared Secret: [IronWiFi secret]
- Timeout: 5 seconds
- Retry: 2
- Add secondary server

WLAN → Advanced:
├─ Session Timeout: 28800 (from RADIUS)
├─ PMK Caching: Enabled
├─ CCKM (Cisco Centralized Key Management): Optional
└─ 802.11r Fast Transition: Enabled

Fast Transition Configuration:
WLAN → Advanced → 802.11r:
├─ Fast Transition: Enabled
├─ Over-the-DS: Enabled
├─ Reassociation Timeout: 20 seconds
└─ Mobility Domain: [4-char hex]

Local Authentication (EAP Fast-Reconnect):
Security → Local EAP:
├─ General: Enabled
├─ Priority Order: RADIUS then Local
├─ EAP Profile Lifetime: 3600 seconds
└─ Allows cached EAP credentials

Failover:
- Automatic failover to secondary RADIUS
- Local EAP provides some offline capability
- PMK cache enables fast reauthentication

Ubiquiti UniFi

RADIUS Caching

UniFi Controller:

Settings → Wireless Networks → [Network]:

RADIUS Profile:
- Auth Server: radius1.ironwifi.com
- Auth Port: Customer Authentication Port
- Accounting: Enabled
- Interim Interval: 300 seconds

Advanced RADIUS:
Settings → Profiles → RADIUS:
├─ Failover: Add secondary server
├─ Timeout: 5 seconds
├─ Retry: 2
└─ COA Port: 3799 (if using CoA)

Performance Optimizations:
Settings → Wireless Networks → [Network] → Advanced:
├─ PMK Caching: Auto (enabled by default)
├─ Fast Roaming (802.11r): Enable
├─ BSS Transition: Enable
└─ Minimum RSSI: Optional

UniFi-Specific:
- UniFi APs cache PMKs automatically
- Controller provides distributed cache
- Fast roaming uses controller coordination
- No explicit credential caching (PMK only)

Offline Behavior:
- If RADIUS unavailable: Deny access
- PMK cache allows existing clients to roam
- New authentications fail without RADIUS
- Configure guest SSID for emergency access

Aruba

Advanced Caching Features

Mobility Controller or Instant:

RADIUS Configuration:
Configuration → Authentication → Servers:
- RADIUS Server: radius1.ironwifi.com
- Auth Port: Customer Authentication Port
- Shared Key: [IronWiFi]
- Timeout: 5 seconds
- Retry: 3
- Backup Server: radius2.ironwifi.com

Caching Settings:
Configuration → WLAN → Advanced:
├─ PMK Caching: Enabled
├─ OKC (Opportunistic Key Caching): Enabled
├─ Fast Transition (802.11r): Enabled
├─ Adaptive Radio Management: Enabled
└─ Station Move Detection: Enabled

Local Authentication Database (LAD):
Configuration → Security → Authentication:
├─ Enable LAD: ✓
├─ RADIUS Backup: Enabled
├─ Cached Credentials: 10,000 max
├─ Cache Timeout: 3600 seconds
├─ LAD Priority: RADIUS Primary, LAD Backup
└─ Sync Interval: 300 seconds

How LAD Works:
1. Successful RADIUS auth
2. Credentials cached in LAD
3. If RADIUS fails, use LAD
4. Maintains network access
5. Automatic RADIUS recovery

Distributed Caching:
- PMK cache distributed across controllers
- Mobility domain sharing
- Fast roaming without RADIUS query
- Sub-50ms handoff times

ARM (Adaptive Radio Management):
- Optimizes roaming
- Coordinates with caching
- Improves performance

Ruckus

SmartZone Caching

SmartZone Controller:

RADIUS Configuration:
Configure → AAA Servers → Create:
- Type: RADIUS
- Name: IronWiFi-Primary
- IP/FQDN: radius1.ironwifi.com
- Auth Port: Customer Authentication Port
- Secret: [IronWiFi]
- Timeout: 5 seconds
- Retry: 2
- Backup: radius2.ironwifi.com

WLAN Configuration:
Configure → WLAN → [Your WLAN] → Advanced:
├─ PMK Caching: Enabled
├─ OKC: Enabled
├─ 802.11r Fast Transition: Enabled
├─ SmartRoam: Enabled (Ruckus proprietary)
└─ Directed Multicast Service: Enabled

Local Authentication:
Configure → System → Local Database:
├─ Enable Local DB: ✓
├─ RADIUS Fallback: Primary
├─ Cache RADIUS Credentials: ✓
├─ Cache Expiry: 3600 seconds
├─ Max Entries: 5,000
└─ Encryption: AES-256

SmartRoam Features:
- Predictive roaming
- Client steering
- Band balancing
- Coordinates with PMK cache
- Very fast handoffs

Offline Mode:
- Automatic failover to local DB
- Cached credentials authenticate
- Maintains existing sessions
- New auth from cache if available
- Graceful RADIUS recovery

Controller vs AP-Based Caching

Controller-Based Architecture

Centralized Caching:

Advantages:
+ Shared cache across all APs
+ Consistent policy enforcement
+ Easier management
+ Better roaming (mobility domain)
+ Scalable to large deployments

Implementation:
- Controller holds master cache
- APs query controller for auth
- PMK distributed to APs
- Fast roaming coordinated
- Single point of cache management

Example Platforms:
- Cisco WLC
- Aruba Mobility Controller
- Ruckus SmartZone
- Mist Cloud Controller

Cache Synchronization:
- Real-time updates
- Controller to AP distribution
- Mobility group sharing
- Geographic redundancy (multi-site)

Recommended For:
- Enterprise deployments (100+ APs)
- Multi-building campuses
- High-density environments
- Complex roaming requirements

AP-Based Architecture

Distributed Caching:

Advantages:
+ Resilient to controller failure
+ Lower latency (local decision)
+ Scales horizontally
+ Simpler architecture
+ Lower cost

Implementation:
- Each AP maintains own cache
- Cloud controller coordinates (optional)
- PMK cache per AP
- Limited roaming optimization
- Autonomous operation

Example Platforms:
- Cisco Meraki
- Ubiquiti UniFi
- Aruba Instant
- Ruckus Unleashed

Cache Distribution:
- Cloud sync (if controller present)
- Peer coordination (limited)
- Independent AP operation
- Eventual consistency

Recommended For:
- Small to medium deployments (under 100 APs)
- Single-building installations
- Distributed/remote sites
- Cost-sensitive deployments

Performance Optimization

Cache Hit Rates

Measuring Cache Effectiveness

Key Metrics:

Cache Hit Rate:
- Formula: (Cache Hits ÷ Total Auth Requests) × 100%
- Good: 70-80%
- Excellent: 80-90%+
- Poor: under 50%

Authentication Time:
- Cache Hit: 50-150ms
- Cache Miss: 500-2,000ms
- Improvement: 80-95% faster

RADIUS Load Reduction:
- Baseline: 100% queries to RADIUS
- With Caching: 10-30% queries
- Load Reduction: 70-90%

User Experience:
- Perceived delay: Minimal (under 200ms)
- Roaming interruption: Under 100ms
- VoIP quality: No dropped calls
- Video: No buffering

Improving Cache Hit Rate

Optimization Strategies:

Increase Cache Lifetime:
- Default: 1 hour (3,600 seconds)
- Extended: 4 hours (14,400 seconds)
- Maximum: 24 hours (86,400 seconds)
- Balance: Security vs performance

Note: Longer cache = stale data risk
Recommended: 2-4 hours for most environments

Increase Cache Size:
- Small: 1,000 entries
- Medium: 5,000 entries
- Large: 10,000 entries
- Enterprise: 50,000+ entries

Size based on user count × 1.5-2x

Pre-populate Cache:
- Prime cache during off-peak
- Bulk import frequent users
- Proactive credential sync
- Reduces cold-start misses

Enable PMK Caching:
- Always enable for 802.1X
- Coordinates with credential cache
- Fastest reauthentication method
- Minimal security trade-off

Optimize Cache Eviction:
- LRU (Least Recently Used)
- TTL (Time To Live) enforcement
- Capacity-based eviction
- Prioritize active users

Network Design Considerations

High-Availability Architecture

Recommended Setup:

Internet
├── Primary WAN Link (Fiber 1 Gbps)
├── Backup WAN Link (Cable 500 Mbps)
└── Failover: Automatic (under 30 seconds)

RADIUS Servers (Cloud):
├── Primary: radius1.ironwifi.com (US-East)
├── Secondary: radius2.ironwifi.com (US-West)
├── Tertiary: radius3.ironwifi.com (EU)
└── Failover: Automatic (5 sec timeout)

Local Infrastructure:
├── Controller: Redundant pair (active-standby)
├── RADIUS Cache: Distributed to all APs
├── Credential Cache: 10,000 entries
└── Offline Mode: Enabled

Benefits:
- Survives internet outage (cache)
- Survives RADIUS outage (failover)
- Survives controller failure (distributed)
- 99.99% authentication availability

Recovery:
- Automatic RADIUS server recovery
- Automatic cache refresh
- No manual intervention
- Seamless to end users

Branch Office Design

Remote Site Challenges:
- Limited bandwidth to HQ/cloud
- Potential WAN instability
- Higher latency to RADIUS servers
- Local IT support limited

Optimized Design:

WAN Link:
- Minimum: 10 Mbps dedicated
- QoS: Prioritize RADIUS traffic
- Backup: 4G/5G failover

Local Caching:
- Aggressive caching policy
- Cache Lifetime: 8-12 hours
- Cache Size: 2× max concurrent users
- Offline Mode: Enabled

Branch Controller (Optional):
- Local authentication when possible
- Cache RADIUS responses
- Maintain sessions during WAN failure
- Sync with central management

Failover Behavior:
- WAN Down: Authenticate from cache
- Cache Miss: Deny or allow (policy)
- WAN Restored: Refresh cache automatically
- Report failures to central IT

Monitoring:
- WAN status monitoring
- Cache hit rate tracking
- Authentication failure alerting
- Periodic health checks

Security Considerations

Cache Security

Data Protection

Encrypted Storage:

Cache Encryption:
- Algorithm: AES-256
- Key Storage: Hardware security module or secure enclave
- Key Rotation: Quarterly
- Access Control: Admin only

What's Encrypted:
✓ Password hashes (salted)
✓ RADIUS shared secrets
✓ User credentials
✓ Session keys (PMK)
✓ Personal identifiable information

What's NOT Cached Plaintext:
✗ Never store passwords in clear text
✗ Never store certificate private keys
✗ Never store shared secrets unencrypted

Security Best Practices:
- Enable cache encryption always
- Use strong encryption keys
- Protect key material
- Regular security audits
- Monitor cache access

Cache Poisoning Prevention

Protection Measures:

Authentication Integrity:
- Verify RADIUS response signature
- Validate response attributes
- Check message authenticator
- Prevent replay attacks
- Nonce validation

Cache Entry Validation:
- Timestamp verification
- Source verification (RADIUS IP)
- Integrity checksums
- Secure cache updates only
- No external cache injection

Access Controls:
- Admin authentication required
- Role-based access control
- Audit all cache operations
- Log cache modifications
- Alert on suspicious activity

Regular Maintenance:
- Clear stale entries
- Validate cache consistency
- Check for corruption
- Rebuild if compromised
- Automated health checks

Stale Data Management

Cache Invalidation

When to Clear Cache:

Immediate Invalidation:
- Password change
- User account disabled
- Security incident
- Policy change (VLAN, bandwidth)
- Certificate revocation

Scheduled Invalidation:
- Daily: Clear expired entries
- Weekly: Full cache refresh
- Monthly: Rebuild cache
- After hours: Maintenance window

Event-Driven Invalidation:
- RADIUS CoA (Change of Authorization)
- User logout
- Session timeout
- Admin action
- Security alert

Methods:

Manual Clear:
- Admin console: Clear cache button
- CLI: radius cache clear
- Per-user: radius cache clear username
- Per-AP: radius cache clear ap-name

Automatic CoA:
- RADIUS sends CoA Disconnect
- AP/Controller receives message
- Cache entry removed
- User reauthenticates
- New credentials/policies applied

Scheduled Sync:
- Periodic RADIUS query
- Refresh cached entries
- Update changed attributes
- Remove deleted users
- Background process (low priority)

Audit and Compliance

Cache Auditing:

Logging Requirements:
✓ Cache creation timestamp
✓ Username and MAC address
✓ Source RADIUS server
✓ Cached attributes
✓ Cache hit/miss events
✓ Cache expiration
✓ Manual cache clears

Compliance Considerations:

GDPR:
- Personal data in cache = subject to GDPR
- Cache retention = data retention
- User right to erasure = cache clear
- Encryption required
- Access logs mandatory

HIPAA:
- Audit trail required
- Encrypted storage mandated
- Access controls enforced
- Regular security reviews

PCI-DSS:
- Secure authentication data
- No plaintext passwords
- Encrypted transmission and storage
- Regular security testing

Audit Reports:
- Cache hit/miss statistics
- Authentication failures
- Cache size and utilization
- Policy enforcement
- Compliance metrics

Troubleshooting

Common Issues

Cache Not Working

Symptoms:
- All authentications query RADIUS
- No performance improvement
- Cache hit rate: 0%

Diagnosis:

1. Verify caching enabled:
   - Check AP/controller configuration
   - Look for cache settings
   - Verify not explicitly disabled

2. Check cache size:
   - Current entries: 0 (problem!)
   - Max capacity: Verify not 0
   - Available memory: Sufficient?

3. Review logs:
   - Look for cache write failures
   - Check storage errors
   - Verify permissions

4. Test authentication:
   - Authenticate once
   - Check if cached
   - Reauthenticate
   - Monitor cache hit

Solutions:

Enable Caching:
- AP/Controller settings
- Enable PMK caching
- Enable credential caching
- Set appropriate lifetime

Increase Cache Size:
- Allocate more entries
- Check memory availability
- Restart service if needed

Fix Permissions:
- Verify write access
- Check file system
- Repair database if corrupted

Verify RADIUS Attributes:
- Session-Timeout must be set
- Allows caching decision
- Check RADIUS logs

High Cache Miss Rate

Symptoms:
- Cache hit rate under 50%
- Poor performance despite caching
- Frequent RADIUS queries

Common Causes:

1. Short cache lifetime:
   - Default: Too short (e.g., 300 seconds)
   - Users reauthenticate before cache expires
   - Increase to 3,600-14,400 seconds

2. Cache size too small:
   - Max entries: 1,000
   - User base: 5,000
   - Oldest entries evicted prematurely
   - Increase cache size

3. Frequent policy changes:
   - Admin updates trigger cache clear
   - CoA messages invalidate cache
   - Reduce change frequency

4. User behavior:
   - Infrequent visitors
   - Many one-time users
   - High user turnover
   - Expected low hit rate

Solutions:

Optimize Cache Lifetime:
- Increase to 4-8 hours for stable environments
- Balance security vs performance
- Monitor and adjust

Increase Cache Capacity:
- Size = Active users × 2-3
- Account for growth
- Monitor utilization

Reduce Policy Changes:
- Batch updates during off-peak
- Test before production
- Minimize cache invalidation

Segment Users:
- Employees: Long cache (8 hours)
- Guests: Short cache (1 hour)
- Different SSIDs or policies

RADIUS Failover Not Working

Symptoms:
- RADIUS primary down
- All authentications fail
- Not failing over to cache or secondary

Diagnosis:

1. Check RADIUS server configuration:
   - Primary server timeout
   - Retry count
   - Secondary server configured
   - Failover enabled

2. Test secondary RADIUS:
   - Manually disable primary
   - Force authentication
   - Check if secondary used
   - Verify credentials work

3. Check cache configuration:
   - Offline mode enabled?
   - Cache has entries?
   - Fallback behavior: Cache or deny?

4. Review failover logic:
   - Timeout settings (5 sec?)
   - Too long = poor user experience
   - Too short = false failovers
   - Retry count (2-3 recommended)

Solutions:

Configure Proper Timeouts:
- RADIUS timeout: 5 seconds
- Retry: 2 attempts
- Total wait: 10 seconds max
- Then failover

Verify Secondary RADIUS:
- Test connectivity
- Verify shared secret
- Check firewall rules
- Ensure reachability

Enable Offline Mode:
- Allow cache authentication
- Set fallback behavior
- Test RADIUS unavailable scenario
- Document expected behavior

Check Network Path:
- AP to RADIUS connectivity
- Firewall not blocking
- DNS resolution working
- Routing correct

Stale Cache Data

Symptoms:
- User changed password, old still works
- VLAN assignment incorrect
- Bandwidth limits outdated
- Disabled users still authenticate

Causes:
- Cache not invalidated
- CoA not working
- Cache lifetime too long
- Manual clear not performed

Solutions:

Immediate Fix:
- Clear cache manually
- Force user reauthentication
- Verify new credentials/policies

Enable CoA:
RADIUS → Network Device:
- Port: 3799 (default)
- Enable on AP/controller
- Test CoA Disconnect
- Verify cache clears

Implement CoA Workflow:
1. Admin changes password in IronWiFi
2. IronWiFi sends CoA Disconnect
3. AP/controller receives CoA
4. Cache entry invalidated
5. User disconnected
6. User reauthenticates with new password
7. New credentials cached

Reduce Cache Lifetime:
- If CoA not available
- Trade performance for freshness
- 1-2 hours for high-security environments
- 4-8 hours for standard environments

Scheduled Cache Refresh:
- Nightly cache clear
- Weekly full rebuild
- Background credential sync
- Proactive updates

Best Practices

Cache Configuration

Optimal Settings by Environment

Enterprise Corporate:

Cache Lifetime: 4-8 hours
Cache Size: Active users × 3
PMK Caching: Enabled
802.11r: Enabled
Offline Mode: Enabled
Failover: Secondary RADIUS + Cache
CoA: Enabled

Rationale:
- Stable user base
- Infrequent password changes
- Predictable usage patterns
- Performance priority

Education Institution:

Cache Lifetime: 2-4 hours
Cache Size: Enrolled students × 2
PMK Caching: Enabled
802.11r: Enabled
Offline Mode: Enabled
Failover: Secondary RADIUS + Cache
CoA: Enabled

Rationale:
- High user density
- Frequent roaming (class changes)
- Periodic policy updates
- Balance security and performance

Healthcare:

Cache Lifetime: 1-2 hours
Cache Size: Staff + patients × 2
PMK Caching: Enabled
802.11r: Enabled (critical for mobile devices)
Offline Mode: Conditional
Failover: Secondary RADIUS + Conditional Cache
CoA: Enabled (critical for revocation)

Rationale:
- HIPAA compliance
- Rapid revocation required
- Real-time patient devices
- Security priority

Guest/Public WiFi:

Cache Lifetime: 30-60 minutes
Cache Size: Concurrent users × 1.5
PMK Caching: Optional
802.11r: Optional
Offline Mode: Disabled
Failover: Secondary RADIUS only (no cache)
CoA: Enabled

Rationale:
- One-time users
- Low cache hit rate expected
- Security over performance
- Minimal infrastructure

High-Security/Government:

Cache Lifetime: 15-30 minutes
Cache Size: Minimum required
PMK Caching: Disabled or minimal
802.11r: Enabled
Offline Mode: Disabled
Failover: Multiple RADIUS (no cache fallback)
CoA: Enabled and mandatory

Rationale:
- Maximum security
- Real-time authentication required
- Rapid credential revocation
- Compliance mandates

Monitoring and Maintenance

Key Performance Indicators

Daily Monitoring:

Cache Hit Rate:
- Target: 70-90%
- Alert if: Under 50%
- Action: Investigate configuration

Authentication Time:
- Cache Hit: Under 150ms
- Cache Miss: Under 2 seconds
- Alert if: Over 3 seconds average
- Action: Check RADIUS performance

RADIUS Server Availability:
- Target: 99.9%+
- Alert if: Server unreachable
- Action: Failover verification

Cache Utilization:
- Current entries ÷ Max capacity
- Target: 60-80%
- Alert if: Over 90% (increase size)
- Alert if: Under 20% (check config)

Weekly Review:

Trend Analysis:
- Cache hit rate trends
- Authentication time trends
- Failure rate patterns
- User growth

Performance Reports:
- Average cache performance
- Peak usage periods
- Bottleneck identification
- Capacity planning

Security Audit:
- Review cache access logs
- Check for anomalies
- Verify encryption
- Compliance check

Monthly Maintenance:

Cache Health:
- Full cache rebuild
- Consistency verification
- Performance benchmarking
- Capacity review

Policy Review:
- Cache lifetime appropriate?
- Cache size sufficient?
- Offline mode correct?
- Failover behavior optimal?

Disaster Recovery Test:
- Simulate RADIUS outage
- Verify cache failover
- Test secondary RADIUS
- Document results

Alerting Configuration

Critical Alerts (Immediate):

RADIUS Servers Down:
- Both primary and secondary unreachable
- Authentication failing
- No cache fallback configured
- Action: Emergency response

Cache Corruption:
- Cache database errors
- Integrity check failures
- Authentication failures
- Action: Clear and rebuild cache

Security Incident:
- Unusual cache access patterns
- Cache poisoning attempt
- Unauthorized modifications
- Action: Security investigation

Warning Alerts (15-30 minutes):

Cache Hit Rate Low:
- Under 50% for 1 hour
- Performance degraded
- Possible configuration issue
- Action: Review settings

RADIUS Latency High:
- Response time over 3 seconds
- Impacting user experience
- Possible network or server issue
- Action: Investigate RADIUS path

Cache Near Capacity:
- Over 90% full
- Risk of premature eviction
- Action: Increase cache size

Informational Alerts (Daily/Weekly):

Cache Statistics:
- Daily hit rate summary
- User authentication counts
- Performance metrics
- Trends and patterns

Capacity Planning:
- User growth trends
- Cache utilization trends
- Infrastructure needs
- Budget planning

Advanced Topics

Dynamic Cache Optimization

Adaptive Cache Sizing

Concept:
Automatically adjust cache parameters based on usage patterns

Implementation:

Machine Learning Approach:
1. Monitor authentication patterns
2. Identify frequent vs infrequent users
3. Predict cache requirements
4. Dynamically adjust:
   - Cache lifetime per user/group
   - Cache priority/weight
   - Eviction strategy
   - Cache size allocation

Example Algorithm:
IF user_auth_frequency > 10/day THEN
  cache_lifetime = 8 hours
  priority = HIGH
ELSE IF user_auth_frequency > 2/day THEN
  cache_lifetime = 4 hours
  priority = MEDIUM
ELSE
  cache_lifetime = 1 hour
  priority = LOW

Benefits:
- Optimizes cache efficiency
- Reduces stale data
- Improves hit rate
- Better resource utilization

Challenges:
- Complex implementation
- Requires analytics platform
- May need vendor support
- Not available on all platforms

Multi-Site Cache Synchronization

Distributed Cache Architecture

Challenge:
- Multiple sites with local caching
- User roams between sites
- Need consistent authentication

Solution 1: Centralized Cache

Architecture:
- Central controller/cloud
- All sites query central cache
- Shared authentication state
- Consistent policies

Pros:
+ Single source of truth
+ Easy policy management
+ Consistent user experience

Cons:
- Requires reliable WAN
- Central point of failure
- Network dependency

Solution 2: Federated Cache

Architecture:
- Each site has local cache
- Cache sync between sites
- Eventual consistency
- Conflict resolution

Synchronization:
- Real-time: High-bandwidth mesh
- Periodic: Batch updates hourly/daily
- Event-driven: On auth or change

Pros:
+ Site autonomy
+ Resilient to WAN failures
+ Scales horizontally

Cons:
- Complexity
- Potential inconsistency
- Synchronization overhead

Recommended Approach:
- Sites with good WAN: Centralized
- Remote/unreliable WAN: Federated
- Hybrid: Local cache + central fallback

Certificate Caching for EAP-TLS

Certificate Validation Caching

Challenge:
- EAP-TLS validates certificates each authentication
- CRL/OCSP queries add latency
- Certificate chain validation expensive

Caching Strategy:

Cache Certificate Validation Results:
- Certificate fingerprint (hash)
- Validation status (valid/revoked/expired)
- Timestamp
- Cache lifetime: 15-60 minutes

OCSP Response Caching:
- Cache OCSP responses
- Lifetime: Per OCSP response validity
- Reduces OCSP queries
- Improves performance

CRL Caching:
- Download CRL once
- Cache for CRL validity period (hours)
- Periodic refresh
- Use for multiple validations

Benefits:
- Faster EAP-TLS authentication
- Reduced load on CA/OCSP servers
- Lower network traffic
- Better user experience

Security Considerations:
- Shorter cache = more secure (fresh status)
- Longer cache = better performance
- Balance based on environment
- Recommended: 15-30 minutes

Support and Resources

IronWiFi Support

Contact Information

Email: support@ironwifi.com
Portal: console.ironwifi.com/support
Documentation: www.ironwifi.com/help-center
Emergency: Available for Enterprise accounts

Caching Support

Configuration assistance
Performance tuning
Failover testing
Troubleshooting
Best practices consultation

Service Monitor - Performance monitoring
Troubleshooting Guide - General troubleshooting
PKI Infrastructure - Certificate management
Certificate Revocation - Revocation and CoA

Vendor Resources

AP/Controller Documentation

Cisco WLC Configuration Guide - RADIUS and caching
Aruba Mobility Controller Guide - LAD configuration
Ruckus SmartZone Guide - Local authentication
Ubiquiti UniFi Documentation - RADIUS settings

Need Help with RADIUS Caching?

Contact IronWiFi support for assistance with cache configuration, performance optimization, or high-availability design for your deployment.

Was this page helpful?

When to Enable RADIUS Caching​

Enable RADIUS caching when​

Be cautious with caching when​

Key Benefits​

How RADIUS Caching Works​

Authentication Flow with Caching​

Cache Types​

Configuration​

IronWiFi RADIUS Configuration​

Access Point Configuration​

Cisco Meraki​

Cisco Catalyst WLC​

Ubiquiti UniFi​

Aruba​

Ruckus​

Controller vs AP-Based Caching​

Performance Optimization​

Cache Hit Rates​

Network Design Considerations​

Security Considerations​

Cache Security​

Stale Data Management​

Troubleshooting​

Common Issues​

Best Practices​

Cache Configuration​

Monitoring and Maintenance​

Advanced Topics​

Dynamic Cache Optimization​

Multi-Site Cache Synchronization​

Certificate Caching for EAP-TLS​

Support and Resources​

IronWiFi Support​

Related Documentation​

Vendor Resources​

Related Topics​