Key Points
- RADIUS server authentication ensures that only authorized users and devices can access your network, preventing unauthorized entry.
- Users can authenticate through passwords or more secure digital certificates, with certificate-based authentication offering stronger protection against modern threats.
- RadSec, or RADIUS over TLS, strengthens RADIUS security by encrypting communications between the RADIUS server and access points, especially in roaming environments.
- SecureW2’s Cloud RADIUS offers an easy-to-deploy, cost-effective solution for organizations, eliminating the need for complex on-premise setups.
Your Wi-Fi or Virtual Private Network (VPN) wouldn’t exactly be secure if anyone could access them whenever they wanted. This is why authentication protocols are used, including the RADIUS protocol: to safeguard your network and prevent unauthorized access.
RADIUS servers are a crucial component of an 802.1X network, which is the gold standard for network security — a standard we’ve helped many customers reach. RADIUS server authentication provides the certainty you need that only legitimate parties are accessing your resources, but how does this authentication actually work?
In this guide, we’ll take an in-depth look at precisely how RADIUS works to safeguard your network, and why it matters.
What Is RADIUS Authentication?
RADIUS is an acronym that stands for Remote Authentication Dial-In User Service. A RADIUS server is also often called an AAA (Authentication, Authorization, and Accounting) server, and that name is a nice summary of what RADIUS servers do: granting or denying access to your network, handing back authorization attributes that set what each user may do, and keeping a record of each network session.
RADIUS is a networking protocol for identity verification, access management, and recording services. It runs between RADIUS clients (network access servers or NAS) and RADIUS servers (a server running the RADIUS protocol).
The easiest way to imagine where RADIUS fits into your network is to picture a bouncer at the door to a club. When someone tries to connect to your Wi-Fi or VPN, the RADIUS server first confirms that they should have access by checking their credentials (username and password) or certificate. Then, the RADIUS server rejects or accepts the user accordingly.
Functions of the RADIUS Protocol
The three primary functions of the RADIUS protocol are:
- Authentication: RADIUS servers verify identities from credentials (a username and password, normally carried inside an EAP tunnel such as PEAP or EAP-TTLS) or from X.509 digital certificates (EAP-TLS). Credentials are checked against a separate user database or directory; certificates are validated against the trusted certificate authority and checked against a certificate revocation list (CRL) or OCSP responder before authentication is confirmed or denied.
- Authorization: Once a RADIUS server authenticates credentials or certificates, it determines what data the user can access and what actions they can take. Organizations typically use role-based access, such as Administrator or Guest designations, to govern these controls.
- Accounting: RADIUS servers record each session; this recording process is called accounting. Accounting records carry the session start and stop times, the counters the NAS reports (session duration, octets and packets in and out), and the reason each session ended (Acct-Terminate-Cause). Accounting is useful for usage-based billing, resource utilization records, trend analysis, forecasting data needs, and for tracing which user was behind which address at a given time during an investigation.
The Origin of RADIUS Authentication
In the early 1990s, the National Science Foundation issued a grant to Merit Networks to develop a protocol for dial-up service that could configure tens of thousands of users with just one server.
Merit awarded the protocol development contract to Livingston Enterprises, who delivered the first version of RADIUS in 1991.
After significant changes, the protocol launched to the public in 1994. Then, the Internet Engineering Task Force (IETF) helped standardize RADIUS with the release of RFC 2058, and later RFC 2138, both in 1997.
Issued in 2000, RFC 2865 (which replaced RFC 2138 and is still the base RADIUS specification) standardized authentication and authorization between NAS and RADIUS servers, with RFC 2866 covering accounting. Soon after, RADIUS became the de facto back-end authentication server for the Institute of Electrical and Electronics Engineers (IEEE) 802.1X port-based access control standard, which carries EAP between the supplicant and the authenticator.
Today, RADIUS supports credential-based authentication and passwordless certificate-based authentication. Modern deployments pair RADIUS with EAP methods such as EAP-TLS, which keep the credential exchange inside a TLS tunnel, and with RadSec (RADIUS over TLS), which encrypts the RADIUS transport itself.
RADIUS Components
What do you need to deploy RADIUS in your own organization? Luckily, the answer is “not too much.” All you’ll need is the following:
- Server space
- A network connection/network access server
- Clients/supplicants
The server space is for installing and configuring the RADIUS server itself. You'll also need a way to get users onto the network, which is what the network access server (an access point, wireless controller, switch, or VPN gateway) is for. Finally, you'll require devices and users with supplicants to request network access. A supplicant is the 802.1X client software in the device's network stack that carries out the EAP exchange with the server. Fortunately, almost all devices we might expect to connect to a wireless network have a supplicant built in.
Of course, you’ll also need the expertise to set up and maintain a RADIUS server, which can be difficult; this is why it’s often simpler to use a managed RADIUS service such as Cloud RADIUS. Rather than build your own RADIUS server from scratch, Cloud RADIUS provides you a truly plug-and-play experience that integrates seamlessly with any of your existing infrastructure.
How Does RADIUS Authentication Work?
RADIUS Authentication Flow
RADIUS server authentication (sometimes called “RADIUS auth”) can verify users or devices through two different methods: X.509 digital certificates or credentials. The actual RADIUS authentication procedure varies a bit depending on which method is used.
RADIUS Credential Authentication Flow
If you're using credentials, the supplicant sends a username and password, normally inside an EAP method such as PEAP-MSCHAPv2 or EAP-TTLS/PAP. The NAS relays the EAP exchange to the RADIUS server in Access-Request and Access-Challenge packets, the server checks the credentials against your directory (Identity Provider or IdP), and it answers with Access-Accept or Access-Reject. The problem is that passwords are vulnerable in the modern cybersecurity landscape; over 60% of people reuse their passwords, and simple social engineering methods like phishing, which let attackers with little to no technical knowledge harvest passwords, are on the rise.
RADIUS Certificate Authentication Flow
Digital certificates are a much more secure alternative than credentials. RADIUS server authentication with digital certificates is also a different, multi-step process.
In EAP-TLS the client presents its certificate during the TLS handshake, which the NAS relays to your RADIUS server in Access-Request packets. The server first verifies that the certificate chains to a certificate authority it trusts and that it is within its validity period. It then checks the Certificate Revocation List (CRL), or an OCSP responder, to ensure that the certificate has not been revoked.
Generally, if the certificate is valid and not revoked, the client is then granted access with an Access-Accept message. However, RADIUS servers that support Identity Lookup, such as Cloud RADIUS, take an additional step for extra security. During the identity lookup stage of RADIUS server authentication, the server uses an identifier contained in the certificate (for example, the Subject Alternative Name) to look up the user or device in your directory, so a certificate issued to an account that has since been disabled is rejected even though the certificate itself is still valid.
At this point of RADIUS server authentication, the system can determine a user’s authorization attributes based on their IdP group. For example, if you’re in your organization’s financial department, your organization may have granted you access to different resources and systems than someone in the HR department. This is called role-based access control, a cornerstone of Zero Trust Network Access (ZTNA).
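The certificate-side checks and identity lookup just described, as an added example in Go using only the standard library (this is not SecureW2's code or code from the page). A throwaway CA, client certificate and CRL are generated in-process so the example runs offline; the directory, the group names and the VLAN numbers are constructed. In a real deployment the client certificate arrives inside the EAP-TLS handshake, and OCSP is an alternative to the CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the IdP directory (SAN e-mail -> group) and the
// authorization attribute returned per group (made-up VLAN numbers).
var directory = map[string]string{"alice@example.com": "finance", "bob@example.com": "hr"}
var vlanByGroup = map[string]int{"finance": 110, "hr": 120}

// Decision is what becomes Access-Accept (with a VLAN attribute) or Access-Reject.
type Decision struct {
	Accept bool
	Reason string
	VLAN   int
}

// Authenticate runs the server-side checks in the order the article gives: chain
// and validity period, revocation against the CRL, then identity lookup in the
// directory and a group-based authorization attribute.
func Authenticate(roots *x509.CertPool, crl *x509.RevocationList, client *x509.Certificate, now time.Time) Decision {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return Decision{Reason: "chain/validity: " + err.Error()}
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return Decision{Reason: "revoked"}
		}
	}
	if len(client.EmailAddresses) == 0 {
		return Decision{Reason: "no identity in certificate"}
	}
	group, ok := directory[client.EmailAddresses[0]]
	if !ok {
		return Decision{Reason: "identity lookup failed"} // e.g. account removed since issuance
	}
	return Decision{Accept: true, Reason: "ok", VLAN: vlanByGroup[group]}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildPKI issues a throwaway CA, a client certificate carrying email as a SAN,
// and a CA-signed CRL listing revokedSerials; it exists only so the example runs offline.
func BuildPKI(email string, notAfter time.Time, revokedSerials []int64) (*x509.CertPool, *x509.RevocationList, *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	clientTpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // the identity the server will look up
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTpl, ca, &clientKey.PublicKey, caKey)
	must(err)
	client, err := x509.ParseCertificate(clientDER)
	must(err)

	var revoked []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(ca)) // never consult a CRL you have not verified

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, crl, client
}

func main() {
	now := time.Now()
	roots, crl, alice := BuildPKI("alice@example.com", now.Add(time.Hour), nil)
	fmt.Printf("valid:   %+v\n", Authenticate(roots, crl, alice, now))
	roots, crl, alice = BuildPKI("alice@example.com", now.Add(time.Hour), []int64{42})
	fmt.Printf("revoked: %+v\n", Authenticate(roots, crl, alice, now))
}
```

The order matters: a certificate that fails chain validation is rejected before the CRL is consulted, the CRL is only trusted after its own signature is checked, and the directory lookup is what turns a technically valid certificate into a decision about a current account.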
Is RADIUS Server Authentication Encrypted?
How RadSec Works
RADIUS certainly boosts the security of your network, but the protocol itself does little to protect what it carries. Classic RADIUS over UDP hides only the User-Password attribute, using an MD5 construction keyed by the shared secret; the username, NAS identifiers, and EAP frames travel in the clear, and the only thing protecting the exchange between NAS and server is the strength of that shared secret. Modern EAP methods keep the actual credential inside a TLS tunnel, but the RADIUS layer around it is still unencrypted. In some scenarios, that's not sufficient.
That's where RadSec, also known as RADIUS over TLS, comes in. RadSec (RFC 6614) transports RADIUS packets over TCP (Transmission Control Protocol) inside a TLS (Transport Layer Security) session instead of over bare UDP, with each side authenticated by a certificate rather than by a shared secret; RFC 7360 defines a DTLS variant. In a nutshell, it encrypts and authenticates the whole exchange between the RADIUS server and the access point (or switch), or between a RADIUS proxy and the server.
This is especially useful in roaming environments. It means that, no matter where you are, when you authenticate to the RADIUS server, your communication with it will be shielded from the view of malicious third parties. Check out our introduction to RadSec to learn more.
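How much protection the RADIUS layer itself gives the credential, as an added example in Go (this is not SecureW2's code or code from the page). It implements the RFC 2865 User-Password hiding and Response Authenticator over a constructed Access-Request/Access-Accept pair, shows the username crossing in the clear, and recovers a deliberately weak shared secret by an offline dictionary check against the captured Response Authenticator, after which the hidden password falls out. The shared secret, username, password and candidate list are all made up, and the Message-Authenticator attribute is omitted for brevity. This is a plain PAP-style request, the case the Challenges section below advises against; an EAP method keeps the credential inside TLS, but the RADIUS-layer weaknesses (clear-text attributes, MD5 authenticators, a single shared secret) remain, and that is what RadSec addresses.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
)

// RFC 2865 codes and attribute types used here.
const (
	CodeAccessRequest, CodeAccessAccept = 1, 2
	AttrUserName, AttrUserPassword      = 1, 2
)

// encode lays out a packet: Code, Identifier, Length, 16-byte Authenticator, attributes.
func encode(code, id byte, auth [16]byte, attrs []byte) []byte {
	b := make([]byte, 20+len(attrs))
	b[0], b[1] = code, id
	binary.BigEndian.PutUint16(b[2:4], uint16(len(b)))
	copy(b[4:20], auth[:])
	copy(b[20:], attrs)
	return b
}

// passwordXor is the RFC 2865 section 5.2 User-Password hiding in both directions:
// each 16-byte block is XORed with MD5(secret || previous ciphertext block), the
// first "previous block" being the Request Authenticator. It is an MD5-keyed
// stream, not authenticated encryption.
func passwordXor(secret string, reqAuth [16]byte, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	prev := reqAuth[:]
	for i := 0; i < len(in); i += 16 {
		mask := md5.Sum(append([]byte(secret), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ mask[j]
		}
		prev = out[i : i+16] // chain on ciphertext, which is the output when hiding...
		if !encrypt {
			prev = in[i : i+16] // ...and the input when unmasking
		}
	}
	return out
}

func hidePassword(secret string, reqAuth [16]byte, password []byte) []byte {
	padded := make([]byte, (len(password)+15)/16*16) // NUL-pad to whole blocks
	copy(padded, password)
	return passwordXor(secret, reqAuth, padded, true)
}

func unhidePassword(secret string, reqAuth [16]byte, hidden []byte) []byte {
	return bytes.TrimRight(passwordXor(secret, reqAuth, hidden, false), "\x00")
}

// responseAuthenticator is RFC 2865 section 3: MD5 over the reply with the
// request's Authenticator substituted, followed by the shared secret.
func responseAuthenticator(secret string, req, resp []byte) [16]byte {
	tmp := append([]byte{}, resp...)
	copy(tmp[4:20], req[4:20])
	return md5.Sum(append(tmp, secret...))
}

// BuildAccessRequest is the NAS side: random Request Authenticator, User-Name
// in the clear, User-Password hidden under the shared secret.
func BuildAccessRequest(secret, user, password string, id byte) ([]byte, error) {
	var ra [16]byte
	if _, err := rand.Read(ra[:]); err != nil {
		return nil, err
	}
	hidden := hidePassword(secret, ra, []byte(password))
	attrs := append([]byte{AttrUserName, byte(2 + len(user))}, user...)
	attrs = append(attrs, AttrUserPassword, byte(2+len(hidden)))
	return encode(CodeAccessRequest, id, ra, append(attrs, hidden...)), nil
}

// BuildAccessAccept is the server side: the reply's Authenticator is the only
// thing that proves to the NAS it came from a holder of the secret.
func BuildAccessAccept(secret string, req []byte) []byte {
	resp := encode(CodeAccessAccept, req[1], [16]byte{}, nil)
	auth := responseAuthenticator(secret, req, resp)
	copy(resp[4:20], auth[:])
	return resp
}

// VerifyResponse is the check the NAS performs on receipt.
func VerifyResponse(secret string, req, resp []byte) bool {
	var got [16]byte
	copy(got[:], resp[4:20])
	return resp[1] == req[1] && responseAuthenticator(secret, req, resp) == got
}

// RecoverSecret is the eavesdropper's view: one captured request/response pair
// lets candidate secrets be tested offline at MD5 speed, after which the hidden
// User-Password in the request can be unmasked as well.
func RecoverSecret(req, resp []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if VerifyResponse(c, req, resp) {
			return c, true
		}
	}
	return "", false
}
```

Nothing in the request proves to the server who sent it, and nothing in the reply is secret apart from the 16-byte authenticator, so a short or guessable shared secret is equivalent to no protection at all; a long random secret per NAS, or RadSec, removes the offline attack.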
How Does RADIUS Accounting Work?
Accounting is one of the greatest benefits of RADIUS. Here’s how it works.
When a user gains access, the RADIUS client (the NAS) sends an Accounting-Request packet with Acct-Status-Type set to Start. It carries the User-Name the session was authenticated as, the NAS identifiers and port, the client's MAC address (Calling-Station-Id), the assigned IP address where the NAS knows it (Framed-IP-Address), and a unique Acct-Session-Id for that session. The credentials or certificate used to authenticate are not repeated in accounting.
On receipt, the RADIUS server stores the record and answers with an Accounting-Response. While the session is up, the client may send Interim-Update accounting requests at a configured interval carrying the running counters (Acct-Session-Time, octets and packets in and out); the server only acknowledges them.
When the session ends, the RADIUS client sends a final Accounting-Request with Acct-Status-Type set to Stop, giving the overall Acct-Session-Time, the total Acct-Input-Octets and Acct-Output-Octets with the matching packet counts, and an Acct-Terminate-Cause stating why the session ended. RADIUS accounting does not record which data the user accessed; that has to come from logs on the network itself. The RADIUS server stores these details.
RADIUS accounting gives network administrators context to manage access, maintain security, invoice based on data usage, and predict future network resource needs.
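What the accounting stream actually carries, and one way to use it, as an added example in Go (not from the page or SecureW2): a parser over a few constructed records in the style of a FreeRADIUS detail file, rolling Start, Interim-Update and Stop into per-session totals and flagging a Stop with no matching Start and an abnormal Acct-Terminate-Cause. The records, names and addresses are made up; the attribute names are the standard RFC 2866 ones.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed records in the style of a FreeRADIUS detail file: a timestamp
// line, indented Attribute = Value lines, and a blank line between records.
const sampleDetail = `Tue Jan  2 09:00:00 2024
	Acct-Status-Type = Start
	Acct-Session-Id = "5e1f0001"
	User-Name = "alice@example.com"
	Calling-Station-Id = "AA-BB-CC-11-22-33"
	Framed-IP-Address = 10.10.1.20

Tue Jan  2 09:30:00 2024
	Acct-Status-Type = Interim-Update
	Acct-Session-Id = "5e1f0001"
	Acct-Session-Time = 1800
	Acct-Input-Octets = 120000
	Acct-Output-Octets = 4500000

Tue Jan  2 10:00:00 2024
	Acct-Status-Type = Stop
	Acct-Session-Id = "5e1f0001"
	Acct-Session-Time = 3600
	Acct-Input-Octets = 250000
	Acct-Output-Octets = 9100000
	Acct-Terminate-Cause = User-Request

Tue Jan  2 10:05:00 2024
	Acct-Status-Type = Stop
	Acct-Session-Id = "5e1f0002"
	User-Name = "bob@example.com"
	Acct-Session-Time = 20
	Acct-Input-Octets = 1000
	Acct-Output-Octets = 2000
	Acct-Terminate-Cause = Lost-Carrier
`

// Session is the rolled-up view of one Acct-Session-Id.
type Session struct {
	ID               string
	Started, Stopped bool
	Attrs            map[string]string // latest value seen for each attribute
}

// ParseDetail splits the text into one attribute->value map per record.
func ParseDetail(text string) []map[string]string {
	var records []map[string]string
	for _, block := range strings.Split(strings.TrimSpace(text), "\n\n") {
		lines := strings.Split(block, "\n")
		rec := map[string]string{"Timestamp": strings.TrimSpace(lines[0])}
		for _, line := range lines[1:] {
			if k, v, ok := strings.Cut(strings.TrimSpace(line), " = "); ok {
				rec[k] = strings.Trim(v, `"`)
			}
		}
		records = append(records, rec)
	}
	return records
}

// Summarize folds records into sessions. Counters in Interim-Update and Stop
// are cumulative for the session, so the latest record simply wins.
func Summarize(records []map[string]string) map[string]*Session {
	sessions := map[string]*Session{}
	for _, r := range records {
		id := r["Acct-Session-Id"]
		s := sessions[id]
		if s == nil {
			s = &Session{ID: id, Attrs: map[string]string{}}
			sessions[id] = s
		}
		for k, v := range r {
			s.Attrs[k] = v
		}
		switch r["Acct-Status-Type"] {
		case "Start":
			s.Started = true
		case "Stop":
			s.Stopped = true
		}
	}
	return sessions
}

// Findings runs two checks an operator would want: a Stop with no Start (a lost
// record, or accounting injected from an unexpected source) and a session the
// user did not end themselves.
func Findings(sessions map[string]*Session) []string {
	var out []string
	for _, s := range sessions {
		if s.Stopped && !s.Started {
			out = append(out, s.ID+": Stop without Start for "+s.Attrs["User-Name"])
		}
		if cause := s.Attrs["Acct-Terminate-Cause"]; s.Stopped && cause != "User-Request" {
			out = append(out, s.ID+": terminated by "+cause)
		}
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out
}
```

Because accounting travels over the same RADIUS transport as authentication, the server only knows a Start or Stop is genuine to the extent it can verify the sending NAS, which is one more reason to prefer RadSec or a strong per-NAS shared secret.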
Benefits and Challenges of RADIUS Authentication Services
Using RADIUS authentication comes with many upsides, though there are a few things to keep in mind.
Benefits of RADIUS
RADIUS features reliable Authentication, Authorization, and Accounting services all in one package. You can use multiple authentication methods: credentials or certificates. And with one centralized management system, you can navigate access request messages, reference user databases and CRLs, customize role-based access controls, and revoke access as needed with real-time revocation.
RADIUS is also the back end for 802.1X, and an EAP-TLS exchange produces the per-session keys that WPA2- and WPA3-Enterprise use to encrypt the wireless link, so each user gets distinct keying material. It is easy to integrate with your existing infrastructure, and you can upgrade scalability with cloud-based RADIUS, letting you add high volumes of users and devices without performance issues.
Challenges of RADIUS
If you opt for legacy RADIUS tools with on-premise hardware, you’ll need to purchase, install, and maintain servers. This can be expensive and complex, requiring skilled in-house staff. What’s more, RADIUS is highly customizable. While that’s a benefit, it also adds complexity during implementation.
Further, RADIUS is only as strong as the way it is deployed: a weak shared secret, a server that does not validate client certificates properly, or supplicants that do not check the server's certificate expose you to the same attacks as less secure methods.
Luckily, you can mitigate these risks with the right authentication method. Rather than a plain Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), or MS-CHAPv2 exchange, we recommend Extensible Authentication Protocol-Transport Layer Security, or EAP-TLS, with supplicants configured to verify the server's certificate.
For all the benefits of RADIUS without the in-house challenges, choose a managed, cloud-based option like Cloud RADIUS.
How To Set up RADIUS Server Authentication
In the past, opting to use RADIUS server authentication meant that you had to build your own on-premise server. This can be inconvenient for a number of reasons:
- It requires expertise and experience with the RADIUS protocol.
- If you didn’t have the expertise, you may need to hire additional personnel.
- You need both equipment (physical servers) and space for that equipment.
- Setting up the server takes time initially, and maintaining it costs time perpetually.
Some organizations still use on-premise RADIUS servers, but nowadays, there are also other options. Thanks to managed RADIUS services like Cloud RADIUS, the process is much simpler and more cost-effective.
Of course, the process of setting up a wireless RADIUS server varies based on your Wi-Fi provider, but the general process with Cloud RADIUS from SecureW2 is outlined below:
- Create a RADIUS profile in your wireless controller.
- Navigate to AAA management, then AAA configuration in the SecureW2 Management Portal.
- Note the Primary IP Address, Port, and Shared Secret.
- Input this information into the RADIUS profile you created.
- Save the new RADIUS profile.
You can learn more about configuring RADIUS with an AP in one of our integration guides.
RADIUS Authentication FAQs
How Does RADIUS Differ From Other Authentication Protocols?
The biggest differences between RADIUS and other authentication protocols such as LDAP and TACACS+ are:
- RADIUS provides Authentication, Authorization, and Accounting (AAA) in one protocol, which is why RADIUS servers are sometimes called AAA servers. LDAP is a directory access protocol with no accounting at all; TACACS+ also covers all three, but as separate exchanges, and is aimed at device administration rather than network access.
- RADIUS is a network access authentication protocol; other authentication protocols may manage devices or directories.
- RADIUS carries EAP and so supports certificate-based authentication (EAP-TLS); LDAP is normally used for password (simple bind) authentication and directory lookups.
- RADIUS supports on-premise or cloud systems; LDAP is usually on-prem only.
- RADIUS supports 802.1X port-based access control; TACACS+ doesn’t.
- RADIUS uses User Datagram Protocol (UDP) as its Transport Layer Protocol, which is efficient but transmits packets regardless of whether there’s an established connection. Many other protocols use Transmission Control Protocol (TCP) instead, which is slower but more reliable since it requires a connection.
What Is the Difference Between RADIUS and TACACS+?
RADIUS is an open-standard network access authentication protocol that includes authentication, authorization, and accounting (AAA) all in one. Its transport is the connectionless User Datagram Protocol (UDP) unless RadSec is used. RADIUS supports 802.1X and, in its classic form, obfuscates only the User-Password attribute; the rest of the packet is in the clear.
Terminal Access Controller Access-Control System Plus (TACACS+) is a Cisco-developed device administration protocol (documented in RFC 8907) mostly used to control administrative logins to network devices such as routers and switches. It separates authentication, authorization, and accounting into distinct exchanges. TACACS+ uses Transmission Control Protocol (TCP) and doesn't support 802.1X. However, TACACS+ obfuscates the entire packet body rather than just the password, though, like RADIUS, it relies on an MD5-based scheme keyed by a shared secret rather than real encryption unless it is run over TLS.
What Is the Difference Between RADIUS and LDAP?
RADIUS regulates network access across multiple connection types, including Wi-Fi and VPN. It offers on-premise or cloud-based AAA support with either user credentials or digital certificates. RADIUS uses User Datagram Protocol (UDP), which transmits data packets regardless of connection status — efficient, but not always reliable.
Lightweight Directory Access Protocol (LDAP) is a directory access protocol, usually on-prem only, with no accounting support. LDAP authenticates with a password bind and is not a network access protocol in itself, so it is commonly used as the user store behind a RADIUS server rather than in place of one.
What Is the Difference Between SAML and RADIUS?
RADIUS is a protocol for network authentication, authorization, and accounting services. Network administrators deploy RADIUS on servers to manage access requests, communicate with directories including IdPs such as Active Directory, and store access records.
Security Assertion Markup Language (SAML) is a browser-based single sign-on standard: a service provider (SP) redirects the user to the IdP, which returns a signed assertion about who the user is. It solves a different problem from RADIUS. A RADIUS server authenticates network access at the NAS and consults a directory (for example over LDAP or an IdP's API) rather than through SAML. The two typically meet at onboarding, where a SAML login to the IdP can gate the issuance of the certificate that later authenticates to RADIUS.
Is RADIUS Authentication Still Used?
Yes, RADIUS authentication is very commonly used today. Standardized by the IETF and used as the authentication server for IEEE 802.1X, RADIUS offers secure access with centralized authentication management and accounting. It's highly customizable and scalable, making it a top choice for growing businesses and large-scale enterprises alike.
Cloud RADIUS: RADIUS Server Authentication, Simplified
It’s vital that you ensure only authorized users can access your network, and a RADIUS server is inarguably the best solution. In addition to preventing unauthorized access, RADIUS makes it possible for you to use the information already contained in your IdP for role-based access control and other policy enforcement options.
If you’re worried that RADIUS sounds complicated to set up, we have good news for you. It’s not hard to improve your network security with RADIUS server authentication thanks to solutions from SecureW2 like Cloud RADIUS. Schedule a personalized demo to see how simple RADIUS security can be.