What Is the RADIUS Protocol and How Does It Work?


The RADIUS protocol and the future of secure access
Key Points
  • RADIUS is a client-server protocol for centralized Authentication, Authorization, and Accounting (AAA), deployable on-premises or in the cloud.
  • While it supports password-based authentication with PEAP-MSCHAPv2 and EAP-TTLS/PAP, the RADIUS protocol is more secure with certificate-based methods like EAP-TLS.
  • JoinNow Cloud RADIUS is a managed RADIUS service enabling passwordless EAP-TLS authentication for better security and scalability.

The RADIUS protocol is a comprehensive, trusted means of managing network access at the enterprise level. With more than 2,200 cyberattacks taking place every day, companies can’t afford weak verification processes, poor access controls, and static policies.

The RADIUS protocol provides a reliable, configurable network access solution that meets modern security standards, and managed, cloud-based RADIUS implementations deliver the same capability without running your own servers.

In this article, we’ll provide an in-depth analysis of what RADIUS is, why it was developed, how it works, and what its current and future impact on network access security may be.

What Is the RADIUS Protocol?

The RADIUS protocol, or Remote Authentication Dial-in User Service, is a client-server network security protocol that bundles user authentication, authorization, and accounting into one access control system.

Its ease of use, effectiveness, and capacity for expansion make RADIUS a common choice for security-conscious organizations such as Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks.

RADIUS serves three fundamental purposes, which are often referred to as AAA:

  • Authentication: Matches user credentials to verify identity
  • Authorization: Determines user permissions
  • Accounting: Tracks user network resource-use

RADIUS is the authentication back end in nearly every deployment of 802.1X, the port-based network access control framework. 802.1X itself only carries EAP between the end device and the switch or access point; the identity decision is made by the RADIUS server behind it. Together they create a thorough, verifiable authentication system that protects your organization across wired connections, shared networks, and enterprise Wi-Fi.

History of RADIUS

RADIUS’ development began decades ago. The protocol’s own message protection (a shared secret mixed into MD5 hashes) has changed little since then; what keeps modern deployments secure is the authentication methods carried over it, such as EAP-TLS, and the transports that wrap it, such as RADIUS over TLS.

Timeline showing the history of the RADIUS protocol from inception to today.

Leading Up to 1991: Inception

Merit Network receives a grant from the National Science Foundation to develop a protocol that can provide dial-up service to tens of thousands of users without configuring each user on each dial-up server. Merit awards the contract for developing the RADIUS protocol to Livingston Enterprises, which delivers the first version of the protocol in 1991.

1994: Implementation

The RADIUS protocol debuts after major changes, including support for a server to act as a client of another server (proxying) and to decide where to route an authentication request based on information carried in the protocol, such as the realm in the user name. The first implementation serves as the primary source for the Merit AAA/RADIUS server. Network Access Server (NAS) vendors begin large-scale adoption.

1997: Standardization

The RADIUS authentication protocol is so beneficial that the Internet Engineering Task Force (IETF) standardizes it as a series of Internet Requests for Comments (RFCs). The first, RFC 2058, is made obsolete that same year by RFC 2138.

2000: Application

RFC 2138 is obsoleted by RFC 2865, which defines RADIUS authentication and authorization between the NAS and the RADIUS server and is published together with RFC 2866, which defines RADIUS accounting. These two documents remain the base specifications of the protocol.

Today: Securitization

While early RADIUS deployments only supported password-based methods such as PAP and CHAP, modern RADIUS carries EAP, which supports passwordless authentication with digital certificates (EAP-TLS). The password or certificate exchange is protected by TLS inside EAP, and RADIUS itself can be carried over TLS (RadSec) or IPsec rather than relying on the original shared-secret scheme alone.

Who Regulates the RADIUS Protocol?

The Internet Engineering Task Force (IETF) maintains the RADIUS protocol through Request for Comments (RFC) documents dating back to 1997. The core standards are RFC 2865 (authentication and authorization) and RFC 2866 (accounting), both published in 2000, with later RFCs adding EAP transport, dynamic authorization, and TCP and TLS transports.

RADIUS is not part of the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard itself, but 802.1X deployments use it as the authentication server, and RFC 3579 and RFC 3580 describe how RADIUS carries EAP and which attributes are used with 802.1X.

Components of RADIUS

Image showing three components of the RADIUS protocol: RADIUS client/RADIUS Supplicant, Network Access Server (NAS), and RADIUS Server.

RADIUS consists of 3 main components:

  • Supplicant (end device): the user’s device or its client software, which presents credentials or a certificate. It never speaks RADIUS directly; in 802.1X it speaks EAP to the NAS.
  • Network Access Server (NAS): the switch, access point, or VPN gateway between the user and the network. In RADIUS terminology the NAS is the RADIUS client: it packages the authentication exchange into RADIUS requests and enforces the server’s decision.
  • RADIUS Server: the server that validates credentials or certificates (usually against a directory), returns authorization attributes, and records accounting data.

How Does RADIUS Server Authentication and Authorization Work?

Flow chart showing how RADIUS facilitates authentication by verifying the user's identity with an Identity Provider.

The 802.1X RADIUS authentication mechanism uses a client/server model with four distinct roles:

  • Supplicant: the client software on the user’s device
  • Authenticator: the switch or access point (the NAS) that controls the port
  • Authentication server (RADIUS server)
  • Identity provider (IdP) or directory that holds the identities

The supplicant sends its credentials or certificate (inside EAP) to the authenticator, which relays them to the RADIUS server; the server verifies them, consulting the IdP or directory where needed. On an Access-Accept, the authenticator opens the controlled port and authorizes access to network resources.

RADIUS authenticates and authorizes in one exchange: the same Access-Accept that confirms identity also carries authorization attributes such as the VLAN or filter to apply.

Organizations may use either traditional credentials or X.509 digital certificates for RADIUS authentication. The process differs slightly for each approach.

Credential Authentication and Authorization

RADIUS servers typically don’t store credentials themselves; they reference a directory to verify credentials and read current authorization attributes. The exchange between NAS and RADIUS server is protected by a shared secret, a key both sides know but never transmit: it is mixed into the MD5 hashes that hide the password and authenticate each reply.

Here’s how the RADIUS packet request process works:

1. User or Device Sends Access Request to Network Access Server (NAS)

The end user or device submits an authentication request to the NAS. With a plain PAP login this carries the username and password; with 802.1X it carries an EAP message, and the password (if any) travels inside the EAP method’s TLS tunnel.

2. NAS Delivers Access Request to the RADIUS Server

The NAS forwards the authentication packet request to the appropriate RADIUS server.

3. RADIUS Server Analyzes and Responds to Request

The server looks up the shared secret configured for that NAS, uses it to recover the password (or processes the EAP payload), and verifies the user’s credentials against the user database. Based on its findings, the RADIUS server responds to the NAS with an Access-Accept message to authenticate the user, an Access-Challenge packet to request more details (every round of an EAP conversation), or an Access-Reject packet if the credentials can’t be verified. Each response carries a Response Authenticator computed with the shared secret so the NAS can tell it came from the real server.

4. (If ACCESS ACCEPT) Client Authorization Grants User Access

Once the RADIUS server authenticates and authorizes the user, the NAS receives the Access-Accept response together with authorization attributes such as Filter-Id or a VLAN assignment (Tunnel-Private-Group-ID). The shared secret itself is never sent. A Filter-Id names an access list or policy on the NAS, so users in the same role (typically the same department and/or authority level) receive the same permissions.

Certificate Authentication and Authorization

Certificate-based authentication for managing user access follows these steps:

1. Device Starts EAP-TLS with the NAS

To start the process, the device requesting access begins an EAP-TLS handshake through the NAS. The handshake carries the device’s certificate and, because it is TLS, the device proves possession of the matching private key.

2. NAS Forwards the EAP Exchange to the RADIUS Server

The NAS relays each EAP message to the RADIUS server inside Access-Request packets and relays the server’s Access-Challenge responses back to the device; the NAS itself does not inspect the certificate.

3. RADIUS Server Validates the Certificate

The RADIUS server checks that the certificate chains to a trusted Certificate Authority, that it is within its validity period, and, against a Certificate Revocation List (CRL) or an OCSP responder, that it has not been revoked. The device in turn validates the server’s certificate, which is what makes the authentication mutual.

4. (If Certificate Is Valid) Certificate Authorization Grants User Access

If the chain does not validate, or the certificate is expired or revoked, the access request is denied with an Access-Reject. Otherwise the RADIUS server returns an Access-Accept, optionally with authorization attributes derived from the certificate’s identity (for example a VLAN for the user’s group).

How Does RADIUS Accounting Work?

Accounting is the process of recording and managing user access details. There are 3 steps:

Accounting Start: Once a user gains access to the network, the RADIUS client (the NAS) sends a RADIUS Accounting-Request packet with Acct-Status-Type set to Start to the RADIUS server. This contains the user name, the NAS address and port, the user’s assigned IP address, the device’s MAC address (Calling-Station-Id), the access type (wired or wireless), and a unique session identifier (Acct-Session-Id). It never contains the password. When the RADIUS server receives the Start packet, it sends an Accounting-Response back to the client.

Session Updates: The client periodically sends additional request packets for new details about the session; the RADIUS server sends responses.

Accounting Stop: Whether a user logs off or has access revoked, when a session ends the RADIUS client sends one last Accounting-Request (Acct-Status-Type Stop) containing the session duration (Acct-Session-Time), bytes and packets sent and received, and the reason the session ended (Acct-Terminate-Cause). The server stores these details for records and audits.

Thanks to RADIUS accounting, network administrators get a clear picture of individual use and broad trends. They can use this information to maintain security, revoke authorization, bill users based on data usage, and forecast future needs.
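The two exchanges described above, the Access-Request/Access-Accept round trip of the credential flow and the Accounting Start/Stop records of this section, as an added example that is not part of the original article: a self-contained Python model of the NAS and server sides, following the packet layout, User-Password hiding and Request/Response Authenticator rules of RFC 2865 and RFC 2866. The user database, shared secret, user names and session identifier are constructed for the example. It also shows the check the text leaves implicit: the NAS must verify the Response Authenticator, otherwise anyone who can reach it on the network could hand it a forged Access-Accept.

```python
import hashlib, hmac, os, struct

# Packet codes and attribute types from RFC 2865/2866 that this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, FILTER_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 2, 11, 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2

def encode_attrs(attrs):  # each attribute is 1-byte type, 1-byte length (header included), value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if data[i + 1] < 2:  # malformed length; stop rather than loop forever
            break
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):  # 20-byte header + attributes
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def password_xor(data, secret, request_auth, encrypting):
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block); block 0 is
    # keyed with the Request Authenticator. This is obfuscation, not strong encryption.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (res if encrypting else block)
    return out

def hide_password(pw, secret, ra):  # pad to a multiple of 16 bytes first
    return password_xor(pw + b"\x00" * (-len(pw) % 16), secret, ra, True)

def recover_password(blob, secret, ra):
    return password_xor(blob, secret, ra, False).rstrip(b"\x00")

def hashed_authenticator(code, ident, seed, attrs, secret):
    # MD5(Code + ID + Length + seed + Attributes + Secret). seed is the Request Authenticator
    # for replies and 16 zero bytes for an Accounting-Request (RFC 2866 section 3).
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + seed + body + secret).digest()

def nas_access_request(ident, username, password, secret):
    # NAS side: fresh random Request Authenticator, password hidden under the shared secret.
    ra = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def nas_check_reply(reply, ident, ra, secret):
    # The NAS trusts a reply only if the identifier matches and the Response Authenticator
    # verifies under the shared secret; anything else is dropped, so a forged Accept is useless.
    code, rid, auth, attrs = parse_packet(reply)
    ok = rid == ident and hmac.compare_digest(auth, hashed_authenticator(code, rid, ra, attrs, secret))
    return (code, attrs) if ok else (None, [])

def nas_accounting_request(ident, status, username, session_id, secret, seconds=None):
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)), (USER_NAME, username), (ACCT_SESSION_ID, session_id)]
    if seconds is not None:  # Stop records carry Acct-Session-Time
        attrs.append((ACCT_SESSION_TIME, struct.pack("!I", seconds)))
    return build_packet(ACCOUNTING_REQUEST, ident, hashed_authenticator(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, secret), attrs)

def server_access(pkt, secret, user_db):
    # Server side: recover the password, check it, answer Accept (+ Filter-Id authorization) or Reject.
    code, ident, ra, attrs = parse_packet(pkt)
    a = dict(attrs)
    entry = user_db.get(a.get(USER_NAME))  # user_db stands in for the directory lookup
    if entry and hmac.compare_digest(entry["password"], recover_password(a.get(USER_PASSWORD, b""), secret, ra)):
        rcode, rattrs = ACCESS_ACCEPT, [(FILTER_ID, entry["filter"])]
    else:
        rcode, rattrs = ACCESS_REJECT, []
    return build_packet(rcode, ident, hashed_authenticator(rcode, ident, ra, rattrs, secret), rattrs)

def server_accounting(pkt, secret, ledger):
    # RFC 2866: a request whose Request Authenticator does not verify is silently discarded.
    code, ident, auth, attrs = parse_packet(pkt)
    if not hmac.compare_digest(auth, hashed_authenticator(code, ident, b"\x00" * 16, attrs, secret)):
        return None
    a = dict(attrs)
    rec = ledger.setdefault(a[ACCT_SESSION_ID], {"user": a[USER_NAME]})
    rec["status"] = "stop" if struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] == ACCT_STOP else "start"
    if ACCT_SESSION_TIME in a:
        rec["seconds"] = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
    return build_packet(ACCOUNTING_RESPONSE, ident, hashed_authenticator(ACCOUNTING_RESPONSE, ident, auth, [], secret), [])

def run_exchange(username=b"alice", password=b"correct horse", secret=b"s3cr3t-shared"):
    # Constructed walk-through with made-up users and secret: Access-Request/Accept, a forged
    # Accept that fails verification, then Accounting Start and Stop for one session.
    user_db = {b"alice": {"password": b"correct horse", "filter": b"staff-acl"}}
    req, ra = nas_access_request(7, username, password, secret)
    code, attrs = nas_check_reply(server_access(req, secret, user_db), 7, ra, secret)
    forged_code, _ = nas_check_reply(build_packet(ACCESS_ACCEPT, 7, os.urandom(16), [(FILTER_ID, b"admin-acl")]), 7, ra, secret)
    ledger = {}
    acks = [server_accounting(nas_accounting_request(i, s, username, b"sess-0001", secret, t), secret, ledger)
            for i, s, t in ((8, ACCT_START, None), (9, ACCT_STOP, 3600))]
    return {"code": code, "filter": dict(attrs).get(FILTER_ID), "forged_code": forged_code,
            "acct_acked": all(x is not None for x in acks), "ledger": ledger}
```

Two things are worth noticing. The shared secret never appears in any packet; it is only an input to the MD5 hashes, which is why the forged Accept with a random authenticator is dropped. And the User-Password hiding is just XOR with an MD5 keystream derived from the secret, so everything here rests on the secret’s entropy and on keeping RADIUS traffic off untrusted networks; production deployments add the Message-Authenticator attribute (RFC 2869) and carry RADIUS over TLS or IPsec.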

The RADIUS Server Protocol in Network Security

RADIUS is the most common implementation for 802.1X network access control management. It’s also the de facto network security standard for modern dial-up, DSL, wireless, and mobile networks.

RADIUS servers’ centralized AAA capabilities, flexibility, and adaptability maximize privacy and security and increase efficiency. For greater security, organizations can add multi-factor authentication (MFA) at the RADIUS server, use TLS-based EAP methods so credentials are never exposed to the network, and protect the RADIUS traffic itself with RADIUS over TLS (RadSec) or an IPsec or VPN tunnel, since native RADIUS only hides the password attribute and sends everything else in the clear.

Pros and Cons of RADIUS Authentication

The Benefits of Using RADIUS Authentication

  • Reliable AAA: AAA is a trusted, comprehensive security measure; it’s the primary function of RADIUS.
  • Granular Access Controls: Customizable role-based access helps keep private data secure.
  • Centralized Authentication Management: Between RADIUS servers and user databases, admins have a trustworthy way to authenticate users and track data.
  • Continuous Trust Verification: If admins revoke authorization, the user is rejected at the next authentication or periodic re-authentication, and with RADIUS Change of Authorization (RFC 5176) the server can disconnect the active session immediately.
  • Scalability: RADIUS scales as you grow, adding users and certificates while managing numerous requests.

The Challenges of Using RADIUS Authentication

  • On-Premises Hardware: On-prem RADIUS typically requires additional hardware, plus installation and maintenance. You can avoid this challenge with cloud-based managed RADIUS.
  • Security Vulnerabilities: Like all security measures, RADIUS isn’t immune to threats. It requires modern hardware and software with regular updates.
  • Complicated Network Infrastructure: RADIUS can be difficult to configure and maintain. However, RADIUS service providers can manage configuration details and maintenance.
  • Niche Expertise: On-prem servers and/or management require experienced staff. Otherwise, you’ll need a trusted RADIUS provider.
  • Reliability: RADIUS traditionally uses User Datagram Protocol (UDP), a connectionless transport. It is lightweight, but clients must handle lost packets with timeouts and retransmissions, and an overloaded server simply drops requests. RADIUS over TCP (RFC 6613) and RADIUS over TLS (RFC 6614) provide a reliable transport; the authentication method itself does not change this.

Credential-Based vs. Certificate-Based Authentication

Within the RADIUS protocol, you choose between credential-based and certificate-based authentication. A server can support both at once, which is how organizations migrate from one to the other.

The traditional option is credential-based authentication. Most security systems rely on it, and employees are accustomed to usernames and passwords. However, credentials are vulnerable to sharing, misplacement, and brute-force attacks.

Certificate-based authentication, or passwordless authentication, is more modern and secure. However, certificate management can be cumbersome, and improper management creates vulnerabilities. Working with a managed service provider solves these issues.

 

Feature                  | Credential-Based Authentication | Certificate-Based Authentication
-------------------------+---------------------------------+------------------------------------------
User input required      | Username and password           | Digital certificate
Common protocols         | PEAP-MSCHAPv2, EAP-TTLS/PAP     | EAP-TLS
Passwordless             | No                              | Yes
Risk of credential theft | Higher                          | Lower
Mutual authentication    | Often partial                   | Yes
Long-term security       | Moderate                        | High
Best for                 | Legacy environments             | Zero-trust and modern enterprise security

On-Prem vs. Cloud RADIUS Server

When choosing between on-premises or cloud-based RADIUS solutions, consider:

  1. Implementation: Cloud-based RADIUS uses virtual servers and directories, while on-prem RADIUS servers require local infrastructure.
  2. Administration: Cloud-based RADIUS servers can be managed offsite, but on-prem RADIUS typically requires in-house management.
  3. Security: Cloud-based RADIUS requires network access management, but with on-prem RADIUS, you must also protect physical servers and equipment.
  4. Scalability: Cloud-based RADIUS is highly extensible, while on-prem RADIUS servers may require additional hardware to scale.

Common Use Cases for the RADIUS AAA Protocol

RADIUS is an ideal networking protocol for many business needs, including:

  • Network access
  • Intranets
  • Virtual Private Networks (VPNs)
  • Wireless Networks (Wi-Fi)
  • Internet Service Providers (ISPs)
  • Network accounting

For more detailed use cases, see our article on the advantages of cloud-based RADIUS servers.

On-Premises vs. Cloud RADIUS Server

Cloud-based RADIUS servers integrate with a cloud-based directory service. On-premises RADIUS servers, by contrast, run entirely within your local infrastructure. Cloud RADIUS provides a viable substitute for on-premises RADIUS servers, delivering a convenient authentication solution with a greatly reduced administrative burden.

Using a managed cloud RADIUS that employs certificate-based authentication mitigates security risks such as phishing and hacking, while enhancing the efficiency and security of the authentication process.

RADIUS Authentication Protocols for Wi-Fi

RADIUS is often used in point-to-point protocol (PPP) connections, where it provides authentication, authorization, and accounting. Basic protocols within PPP include:

  • Challenge Handshake Authentication Protocol (CHAP), where servers send challenges to clients for added security above password-based protocols
  • Password Authentication Protocol (PAP), where servers receive credentials as plain text (typically less secure than CHAP)
  • Extensible Authentication Protocol (EAP), which supports multiple authentication methods including passwordless certificates

Within each protocol category, there are many modern variations:

EAP-TLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a certificate-based method with mutual authentication, meaning both the client and the server present certificates. The client certificate and its private key are provisioned to the device in advance (by enrollment or an MDM); during the handshake the RADIUS server validates the certificate against its trusted CA and reads the identity from the subject or Subject Alternative Name (for example the user’s email address or UPN), while the client validates the server’s certificate. No password is ever transmitted.

PEAP-MSCHAPv2

PEAP-MS-CHAPv2 is a combination of the Protected Extensible Authentication Protocol (PEAP) and the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).

PEAP-MSCHAPv2 is credential-based. The client first builds a TLS tunnel to the RADIUS server, authenticated by the server’s certificate only, and then runs the MS-CHAPv2 challenge-response over the username and password inside the tunnel. The RADIUS server validates the response against the directory and grants access. The protection depends entirely on the client validating the server certificate: a supplicant that accepts any certificate will complete the MS-CHAPv2 handshake with a rogue access point, which can then attack the captured exchange offline.

EAP-TTLS/PAP

EAP-TTLS/PAP stands for Extensible Authentication Protocol (EAP) Tunneled Transport Layer Security (TTLS) with Password Authentication Protocol (PAP) inside the tunnel. It is a credential-based method designed for easy setup, authenticating the server with a certificate and the user with a plain username and password sent through the TLS tunnel; this lets the RADIUS server check the password against any directory, including ones that cannot do MS-CHAPv2. It is widely used for WPA2-Enterprise Wi-Fi authentication, but because the password is sent in cleartext inside the tunnel, a client that does not validate the server certificate hands its password to whoever runs a rogue server.
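The caveat in the last two sections (a tunneled method is only as safe as the supplicant’s validation of the server certificate) in concrete form, as an added example that is not configuration from the original article: three wpa_supplicant network blocks for the same SSID, assuming a Linux client. The SSID, identity, certificate paths and server name are made up. The first block is the weak setting, the second the corrected PEAP-MSCHAPv2, the third the EAP-TLS profile from the section above.

```conf
# Weak: PEAP-MSCHAPv2 with no ca_cert. The supplicant accepts any server certificate,
# so a rogue access point broadcasting "corp-wifi" can collect the MS-CHAPv2 handshake.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened PEAP-MSCHAPv2: pin the CA that issued the RADIUS server certificate and the
# name in that certificate. For EAP-TTLS/PAP use eap=TTLS and phase2="auth=PAP"; the
# ca_cert and domain_match lines are the ones that matter either way.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    anonymous_identity="anonymous@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
}

# EAP-TLS: mutual authentication. The client proves possession of its private key
# and there is no password to capture; the server is pinned the same way.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt.pem"
    private_key="/etc/wpa_supplicant/alice.key.pem"
    domain_match="radius.example.com"
}
```

The same three settings exist under other names on every platform (Windows network profiles, Apple configuration profiles, Android "CA certificate" and "Domain" fields); an enterprise rollout pushes them through the MDM or onboarding tool so users never see the "accept this certificate?" prompt that an attacker relies on.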

Which Authentication Protocol Is Most Secure With RADIUS?

EAP-TLS is the most secure authentication protocol for use with RADIUS. Unlike other EAP protocols, it requires both the server and the client to connect using digital certificates signed by a trusted Certificate Authority (CA).

The benefits of using EAP-TLS with the RADIUS protocol include increased security, an improved user experience, and faster authentication:

  1. Increased security: X.509 digital certificates with strong cryptography offer better security than other protocols.
  2. MITM protection: Resistant to man-in-the-middle (MITM) attacks, because the client validates the server certificate and there is no password to capture or replay.
  3. No password resets: Without credentials, there are no clunky password reset requirements.
  4. Mutual authentication: Server- and client-side authentication reduce the risk of unauthorized users.
  5. Certificate-based authentication: Digital certificates are more secure than credentials, which can be shared, misplaced, or guessed.
  6. Simple user experience: No usernames or passwords to remember and no reset requirements.
  7. Fewer steps, faster authentication: EAP-TLS has fewer steps than other protocols (12 vs. 22-25) for more efficient authentication and faster connections.
  8. One certificate for multiple applications: Authorize a single certificate for multiple networks, resources, services, or apps, managing policies through your directory.

The Future of the RADIUS Network Protocol

Today, industries from healthcare to the military rely on RADIUS for secure authentication services. Looking ahead, RADIUS will likely remain the standard for network security into the future, and will also remain an essential defense against cyberattacks.

Goldman Sachs estimates cloud computing sales will reach $2 trillion by 2030. This rapid growth requires continued improvements in large-scale data processing, remote network environments, and global deployment. All of this demands enhanced security, including cloud-based, password-free network solutions like RADIUS servers with EAP-TLS.

How JoinNow Cloud RADIUS Protects Your Organization

JoinNow Cloud RADIUS is a 100% passwordless, cloud-based solution protecting your organization from credential theft. It’s designed for global workforces and adaptable to all network environments and infrastructures.

Cloud RADIUS has no hardware requirements, meaning no server installation, management, or maintenance, and no risk of physical equipment theft. Features like Azure MFA authentication, Intune auto revocation, and Windows Hello for Business login allow for a highly configurable environment without major infrastructure changes.

Our solutions are built for enterprises of any size. Cloud RADIUS from SecureW2 is highly extensible for continued scalability, and built-in redundancy protects authentication during high-traffic events.

Ready to experience the freedom and security of a cloud-based, managed RADIUS solution? Try it out with a no-risk demo to see how solutions from SecureW2 integrate with your systems.



Frequently Asked Questions

What's the difference between RADIUS and TACACS+?

Terminal Access Controller Access-Control System Plus (TACACS+) is a device administration protocol originally developed by Cisco and now documented in RFC 8907; it is used mainly to control administrative logins to network devices.

It uses Transmission Control Protocol (TCP), which is reliable and requires a connection before sending data packets. TACACS+ obfuscates the whole packet body (an MD5-based scheme that RFC 8907 itself characterizes as obfuscation rather than encryption), treats authentication, authorization, and accounting (AAA) as separate processes, which allows per-command authorization, and doesn’t support 802.1X network access control.

Remote Authentication Dial-in User Service (RADIUS) is an open standard network access authentication protocol that primarily uses User Datagram Protocol (UDP), which is efficient but can be unreliable; modern RADIUS also supports TCP and TLS transports.

RADIUS hides only the password attribute (the rest of the packet is cleartext unless RADIUS over TLS or IPsec is used), combines authentication and authorization in one exchange, and supports 802.1X port-based access control.

Network teams usually choose TACACS+ for device administration because of its per-command authorization, and RADIUS for network access control because of its simplicity, configurability, and scalability; many organizations run both.

What's the difference between LDAP and RADIUS?

Lightweight Directory Access Protocol (LDAP) is a directory access protocol: it stores and looks up identities and attributes, and applications authenticate users by binding with their credentials. It provides authentication and authorization data but has no standardized accounting (usage tracking) framework like RADIUS. LDAP is credential-based; a plain LDAP simple bind sends the password in cleartext, so it must be wrapped in LDAPS or StartTLS, which also lets the client validate the server’s certificate.

Remote Authentication Dial-in User Service (RADIUS) supports both credential- and certificate-based authentication, hiding users’ passwords with a shared secret. RADIUS typically uses UDP but can support TCP, includes all AAA features (authentication, authorization, and accounting), and, with EAP-TLS, supports mutual authentication. RADIUS can be either on-prem or cloud-based.

The two are complementary rather than competing: a RADIUS server commonly uses LDAP (or Active Directory) as the directory it verifies credentials against, while the NAS only ever speaks RADIUS.

Is the RADIUS Protocol TCP or UDP?

RADIUS typically transports over UDP (port 1812 for authentication and 1813 for accounting), but RFC 6613 in 2012 defined RADIUS over TCP, and RFC 6614 defined RADIUS over TLS (RadSec), which is the transport of choice between organizations and for cloud RADIUS services.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) both transmit data packets, but there are important differences. TCP is connection-based: it establishes a connection with the recipient before sending data, detects loss, and retransmits, making it more reliable at the cost of some overhead. UDP is not connection-based: each datagram is sent on its own with no delivery guarantee, so RADIUS clients implement their own timeouts and retransmissions, and servers use the packet Identifier and Request Authenticator to detect duplicates.

Is RADIUS Still Relevant?

The RADIUS network protocol is highly relevant because it's a modern authentication, authorization, and accounting (AAA) solution offering secure identity verification, continuous trust validation, extensive customization, and flexible scalability.

After its debut in the 1990s, RADIUS has been continually extended by the IETF, adding EAP transport, dynamic authorization, and TCP and TLS transports that maintain RADIUS’ security and reliability.

RADIUS is ideal for enterprises and any business with a complex network involving wired and wireless access, network devices (including unmanaged and IoT devices), remote users, and other unique requirements.

What is the difference between RADIUS and 802.1X?

RADIUS and 802.1X work together, but they serve different purposes in network authentication.

IEEE 802.1X is a network access control framework that determines how devices request and gain access to a wired or wireless network. RADIUS is the backend authentication protocol commonly used by 802.1X deployments to verify user or device identities.

In a typical enterprise Wi-Fi environment, 802.1X controls the authentication process between the client device and the network switch or access point, while the RADIUS server validates credentials and returns an access decision.