Key Points
- RADIUS is a protocol for centralized Authentication, Authorization, and Accounting (AAA).
- It supports password-based authentication but is more secure with certificate-driven methods like EAP-TLS.
- JoinNow Cloud RADIUS is a managed RADIUS service designed to enable passwordless EAP-TLS authentication for organizations, improving security and scalability.
Using an SSID and a shared password was the most frequent technique of connecting users to workplace networks for a long time. However, the prevalence of data breaches due to weak identification and access control, the growth in geographically dispersed users, and the proliferation of technology platforms used by enterprises make sharing passwords and accounts particularly problematic.
The coronavirus pandemic accelerated existing remote-work trends and raised new security concerns; Security Magazine puts the figure at over 2,200 attacks per day. Several systems for authenticating and authorizing users have been developed to secure access to the network and the traffic that flows across it.
This article provides an in-depth analysis of RADIUS, encompassing its definition, operational mechanism, historical background, and current and prospective implications in the domain of network security.
What Is RADIUS Protocol?
RADIUS, short for Remote Authentication Dial-in User Service, is a widely used network security protocol based on a client/server model. RADIUS aims to offer a centralized place for user authentication, where users or customers from diverse locations may request network access and services.
The RADIUS system has gained widespread adoption among network service providers owing to its user-friendliness, effectiveness, and capacity for expansion. Consequently, it has emerged as a prevailing industry standard.
The RADIUS protocol is employed by various entities such as Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks, and serves three fundamental purposes.
- Authentication – matches user credentials to verify identity
- Authorization – determines user permissions
- Accounting – tracks user network resource-use
Together, these three elements are known as AAA, and they are the core of RADIUS. RADIUS is also the back end of the IEEE 802.1X architecture: the Extensible Authentication Protocol (EAP), originally defined for the Point-to-Point Protocol (PPP), is carried between the client and the switch or access point as EAP over LAN (EAPOL) and then relayed inside RADIUS packets to the authentication server.
The RADIUS server is the decision point of network access control, and 802.1X is the port-based standard that keeps a switch port or wireless association closed until the RADIUS server has authenticated the client. With RADIUS behind 802.1X, a user who reaches your SSID from a shared or public space still gets no access to the network until they have been securely authenticated.
History of RADIUS
Although RADIUS was designed during a different era of computing, it’s proven to be versatile and adaptable to meet today’s challenges. Let’s examine a chronology of RADIUS’ evolution during the past decades.

Leading Up to 1991: Inception
Merit Networks receives a grant from the National Science Foundation to develop a protocol that can provide dial-up service to tens of thousands of users — without configuring each user on each dial-up server. Merit awards the contract for developing the RADIUS protocol to Livingston Enterprises, who delivers the first version of the protocol in 1991.
1994: Implementation
RADIUS protocol debuts after major changes, including modifications that let a RADIUS server act as a client (proxy) as well as a server, and decide how to route authentication requests based on information carried in the protocol, such as the realm in the user name. The first implementation serves as the primary source for the Merit AAA/RADIUS server. Network Access Server (NAS) vendors begin large-scale adoption.
1997: Standardization
The RADIUS protocol is so beneficial that the Internet Engineering Task Force (IETF) standardizes it as a series of Internet Requests for Comments (RFCs). The first is RFC 2058, made obsolete that same year by RFC 2138.
2000: Application
RFC 2138 is obsoleted by RFC 2865 (June 2000), which remains the current base specification for authentication and authorization between a Network Access Server (NAS) and a RADIUS server; its companion RFC 2866 covers accounting.
Today: Securitization
While early RADIUS deployments only supported password-based methods such as PAP and CHAP, modern deployments carry EAP inside RADIUS (RFC 3579) and can authenticate with digital certificates via EAP-TLS. The strong cryptography comes from the TLS tunnel that EAP establishes, not from the RADIUS packet format itself, whose own integrity check and password hiding are still MD5-based; RADIUS over TLS (RadSec, RFC 6614) exists to wrap the whole exchange in TLS.
Who Regulates the RADIUS Protocol?
The Internet Engineering Task Force (IETF) standardizes RADIUS through Request for Comments (RFC) documents dating back to 1997. The current base specification is RFC 2865 (authentication and authorization), published in 2000, with RFC 2866 (accounting) alongside it.
RADIUS is also the authentication server protocol most commonly used with the Institute of Electrical and Electronics Engineers (IEEE) 802.1X port-based network access control standard; RFC 3580 describes how the two fit together.
Components of RADIUS

RADIUS-based network access involves 3 main components:
- Supplicant: the software on the user's device (the 802.1X client) that presents credentials or a certificate to the network.
- Network Access Server (NAS): the switch, access point or VPN gateway between the user outside and the network. In 802.1X terms it is the authenticator, and in RADIUS terms it is the RADIUS client: it relays the supplicant's messages to the server and enforces the result.
- RADIUS Server: the server that validates credentials or certificates, returns authorization attributes, and records accounting data such as session times and traffic volumes.
How Does RADIUS Server Authentication and Authorization Work?

The 802.1X authentication mechanism uses a client/server model with three roles: the supplicant (the client device), the authenticator (the NAS) and the authentication server (the RADIUS server), which in turn may consult an identity provider or directory. RADIUS facilitates user authentication by letting the device present its credentials or certificate; the server verifies them against its user database or the directory it is bound to.
If the credentials match, the RADIUS server returns Access-Accept and 802.1X opens the port and authorizes access to network resources. Authentication and authorization happen in the same exchange: the server validates the user (authentication) and attaches whatever network policy applies to that user, such as a VLAN or filter, to the Access-Accept (authorization).
Organizations use either X.509 digital certificates or username/password credentials for RADIUS server authentication of users and devices. The actual RADIUS authentication procedure differs slightly depending on which approach is employed.
Credential Authentication and Authorization
RADIUS servers usually do not store credentials themselves; they reference a directory (Active Directory, LDAP or a cloud identity provider) to verify credentials and look up current policies. Between the NAS and the server, every packet is protected with a shared secret: a string both sides know but never transmit. The secret is used to hide the User-Password attribute and to compute the authenticators that let each side check that a packet really came from the other.
Here’s how the RADIUS packet request process works:
1. User or Device Sends Access Request to Network Access Server (NAS)
The end user or device submits an authentication request to the NAS containing its user name and password. With 802.1X this arrives as EAP over LAN; with PAP the NAS hides the password using the shared secret before forwarding it.
2. NAS Delivers Access Request to the RADIUS Server
The NAS forwards the request as a RADIUS Access-Request packet to the configured RADIUS server (or to a proxy that routes it by realm).
3. RADIUS Server Analyzes and Responds to Request
The server verifies the packet using the shared secret, recovers the credentials and checks them against the user database. Based on the result, it responds to the NAS with an Access-Accept to authenticate the user, an Access-Challenge to request more information (for example the next EAP message or an MFA code), or an Access-Reject if the credentials could not be verified.
4. (If Access-Accept) Authorization Grants User Access
The NAS verifies the Access-Accept's Response Authenticator with the shared secret and applies the authorization attributes it carries, such as a Filter-Id or a Tunnel-Private-Group-ID that maps the user to a VLAN or RADIUS group. Each group collects users with the same access controls, typically within the same department and/or authority level.
Once the RADIUS server has both authenticated and authorized them, the user receives the appropriate level of access.
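The four steps above, as an added Python example that is not part of the original article: the NAS and the RADIUS server are both simulated in one process, and the shared secret, user database, NAS address and the user "alice" are constructed sample values. The exchange uses PAP so that the User-Password hiding and the Response Authenticator from RFC 2865 can be shown directly; an EAP exchange would carry the credentials inside EAP-Message attributes and add a Message-Authenticator attribute (RFC 3579) instead.

```python
# Added example (RFC 2865 Access-Request/Accept round trip with PAP), not the article's code.
# Secret, user database, NAS address and credentials below are constructed samples.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
USER_DB = {b"alice": (b"correct horse battery", b"staff-acl")}  # constructed: user -> (password, group)

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext
    block), seeded by the Request Authenticator. Keyed obfuscation, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain runs over the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, counting these two bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("bad length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_build_access_request(ident, username, password, secret, nas_ip=b"\x0a\x00\x00\x05"):
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle_request(raw, secret):
    """Server: recover the password, check it, attach authorization, sign the reply."""
    code, ident, request_auth, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    entry = USER_DB.get(a.get(USER_NAME))
    given = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    if entry is not None and hmac.compare_digest(entry[0], given):
        code, reply = ACCESS_ACCEPT, [(FILTER_ID, entry[1])]  # authorization result
    else:
        code, reply = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)

def nas_verify_reply(request_raw, reply_raw, secret):
    """NAS: accept the reply only if its authenticator proves the server knew the secret
    and saw this exact request. Returns (code, attrs) or None if it does not verify."""
    _, req_ident, request_auth, _ = parse_packet(request_raw)
    code, ident, auth, attrs = parse_packet(reply_raw)
    if ident != req_ident:
        return None
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return (code, dict(attrs)) if hmac.compare_digest(expected, auth) else None

def run_exchange(username, password, nas_secret, server_secret=None):
    """One round trip; a different server_secret simulates a misconfigured peer."""
    server_secret = nas_secret if server_secret is None else server_secret
    req = nas_build_access_request(7, username, password, nas_secret)
    return nas_verify_reply(req, server_handle_request(req, server_secret), nas_secret)
```

Calling run_exchange(b"alice", b"correct horse battery", b"s3cret") returns the Access-Accept code together with the Filter-Id the NAS should apply; a wrong password yields Access-Reject with no attributes, and a NAS whose shared secret differs from the server's gets None because the Response Authenticator does not verify, which is exactly the symptom of a mistyped secret in production.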
Certificate Authentication and Authorization
Certificate-based authentication for managing user access works like this:
1. Device Sends Access Request With Certificate to NAS
To start the process, the device requesting access presents its certificate to the NAS inside the EAP-TLS handshake; the NAS only relays the EAP messages and never inspects the certificate itself.
2. NAS Forwards Access Request to RADIUS Server
The NAS receives the access request packet and certificate, pushing it to the RADIUS server.
3. RADIUS Server Analyzes Certificate
The RADIUS server validates the certificate: it checks that the chain is signed by a Certificate Authority (CA) it trusts, that the certificate is within its validity period, and that it has not been revoked, using a Certificate Revocation List (CRL) or OCSP. Revocation only works if the server actually fetches current CRLs or queries OCSP; with a stale CRL a revoked device keeps connecting until its certificate expires.
4. (If Certificate Is Valid) Certificate Authorization Grants User Access
If the certificate fails any of these checks, the access request is denied. If it passes, the RADIUS server takes the identity from the certificate (the subject or a Subject Alternative Name), applies the policy for that identity, and returns an Access-Accept.
How Does RADIUS Accounting Work?
Accounting is the process of recording and managing user session details (RFC 2866). There are 3 steps:
Accounting Start: Once a user gains access to the network, the RADIUS client (the NAS) sends an Accounting-Request with Acct-Status-Type = Start to the RADIUS server. It contains the user name, the device's network address and MAC address (Calling-Station-Id), the wired or wireless access point or port used, and a unique session identifier (Acct-Session-Id); no password travels in accounting traffic. When the RADIUS server receives the Start packet, it acknowledges it with an Accounting-Response.
Interim Updates: The client periodically sends Interim-Update requests carrying the running counters for the session; the RADIUS server acknowledges each one.
Accounting Stop: Whether a user logs off or has access revoked, when a session ends the RADIUS client sends one last Accounting-Request with Acct-Status-Type = Stop containing the session duration (Acct-Session-Time), the octets and packets sent and received, and the reason the session ended (Acct-Terminate-Cause). The server stores these details for records and audits.
Thanks to RADIUS accounting, network administrators get a clear picture of individual use and broad trends. They can use this information to maintain security, revoke authorization, bill users based on data usage, and forecast future needs.
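What an administrator does with those records, as an added Python example that is not code from the original article: it parses a constructed accounting log in the "detail" text layout that FreeRADIUS writes (a timestamp line, then indented "Attribute = Value" lines, with a blank line between records), folds Start, Interim-Update and Stop records into one summary per session, flags sessions that went silent without a Stop, and totals octets per user for quota or billing purposes. The session identifiers, user names, MAC addresses and counters are all constructed sample values.

```python
# Added example: fold RADIUS accounting records (RFC 2866) into per-session summaries.
# Not code from the article. SAMPLE_DETAIL is a constructed log in the "detail" layout
# FreeRADIUS writes. It holds one clean Start/Interim-Update/Stop sequence, one Start
# that never got a Stop, and one Stop whose Start was never logged.
from datetime import datetime

SAMPLE_DETAIL = """\
Fri Mar 15 10:00:00 2024
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8f2c1a01"
\tUser-Name = "alice"
\tCalling-Station-Id = "AA-BB-CC-11-22-33"

Fri Mar 15 10:05:00 2024
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "8f2c1a01"
\tUser-Name = "alice"
\tAcct-Session-Time = 300
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 262144

Fri Mar 15 10:10:00 2024
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8f2c1a01"
\tUser-Name = "alice"
\tAcct-Session-Time = 600
\tAcct-Input-Octets = 2097152
\tAcct-Output-Octets = 524288
\tAcct-Terminate-Cause = User-Request

Fri Mar 15 10:02:00 2024
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8f2c1a02"
\tUser-Name = "bob"

Fri Mar 15 10:12:00 2024
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8f2c1a03"
\tUser-Name = "carol"
\tAcct-Session-Time = 120
\tAcct-Input-Octets = 4096
\tAcct-Output-Octets = 8192
\tAcct-Terminate-Cause = Lost-Carrier
"""

def parse_detail(text):
    """One dict per record: {'timestamp': datetime, 'Attribute': 'value', ...}."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().split("\n")
        rec = {"timestamp": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records

def reconcile(records):
    """Merge Start/Interim-Update/Stop records by Acct-Session-Id, oldest first."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        s = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec.get("User-Name"), "start": None, "stop": None, "last_seen": None,
            "session_time": 0, "input_octets": 0, "output_octets": 0, "terminate_cause": None})
        status = rec["Acct-Status-Type"]
        if status == "Start":
            s["start"] = rec["timestamp"]
        elif status in ("Interim-Update", "Stop"):
            # Counters are cumulative for the session, so the newest record wins.
            s["session_time"] = int(rec.get("Acct-Session-Time", s["session_time"]))
            s["input_octets"] = int(rec.get("Acct-Input-Octets", s["input_octets"]))
            s["output_octets"] = int(rec.get("Acct-Output-Octets", s["output_octets"]))
            if status == "Stop":
                s["stop"], s["terminate_cause"] = rec["timestamp"], rec.get("Acct-Terminate-Cause")
        s["last_seen"] = rec["timestamp"]
    for s in sessions.values():
        if s["start"] and s["stop"]:
            s["state"] = "closed"
        elif s["start"]:
            s["state"] = "open"
        else:
            s["state"] = "stop-without-start"  # NAS reboot, lost packets or a log gap
    return sessions

def stale_sessions(sessions, now, max_silence_seconds):
    """Open sessions silent for too long: the NAS may be gone or an Interim-Update lost.
    These are candidates for a Disconnect-Request or a manual check."""
    return sorted(sid for sid, s in sessions.items() if s["state"] == "open"
                  and (now - s["last_seen"]).total_seconds() > max_silence_seconds)

def usage_by_user(sessions):
    """Total octets per user across all sessions, the input for quotas or billing."""
    totals = {}
    for s in sessions.values():
        totals[s["user"]] = totals.get(s["user"], 0) + s["input_octets"] + s["output_octets"]
    return totals
```

Running reconcile(parse_detail(SAMPLE_DETAIL)) closes alice's session with 600 seconds and 2,621,440 octets, leaves bob's session open (the one stale_sessions reports once it has been silent longer than the interim interval you configured on the NAS), and marks carol's as a Stop without a Start, which is worth correlating with NAS reboots or dropped UDP packets before trusting the usage figures.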
Role of RADIUS Server Protocol in Network Security
RADIUS is the de facto standard for dial-up, DSL, wireless, and mobile networks today, and it is the most common implementation used to enable 802.1X access control management.
The key benefits of a RADIUS server's centralized AAA capabilities are consistency and control: one policy, one audit trail and one place to revoke access, instead of per-device credentials scattered across switches, access points and VPN gateways.
Because of RADIUS' flexibility and adaptability, network defenses can be improved further by layering current controls on top of it: multi-factor authentication (MFA), TLS both for the EAP exchange and for the RADIUS traffic itself (RadSec), and VPNs.
Pros and Cons of RADIUS Authentication
RADIUS Benefits
- Reliable AAA: AAA is a trusted, comprehensive security measure; it’s the primary function of RADIUS.
- Granular Access Controls: Customizable role-based access lets you keep private data secure.
- Centralized Authentication Management: Between RADIUS servers and user databases, admins have a trustworthy source for authentication.
- Continuous Trust Verification: If admins revoke a user or certificate, the next authentication fails. To cut an active session immediately, the server must also send a Disconnect-Request or Change-of-Authorization (CoA, RFC 5176) to the NAS, or the NAS must be configured to re-authenticate periodically.
- Scalability: RADIUS scales as you grow, adding users and certificates while managing numerous requests.
RADIUS Challenges
- On-Premise Hardware: On-prem RADIUS typically requires additional hardware, plus installation and maintenance.
- Security Vulnerabilities: Like any security component, RADIUS is a target. Its own packet protections are MD5-based and date from the 1990s, so it should run on patched software, use strong unique shared secrets per NAS, travel over a management network or inside RadSec/IPsec, and rely on EAP methods that put the real credential exchange inside TLS.
- Complicated Network Infrastructure: RADIUS can be difficult to configure and maintain. However, RADIUS service providers can manage configuration details and maintenance.
- Niche Expertise: On-prem servers and/or management require experienced staff. Otherwise, you’ll need a trusted RADIUS provider.
- Reliability: RADIUS runs over User Datagram Protocol (UDP), a connectionless transport. It is lighter than connection-oriented protocols, but lost packets must be handled by the client's retransmission timers and failover settings, and a busy server can look down to a NAS that gives up too early. RadSec (RADIUS over TLS on TCP) addresses this with a reliable transport. EAP-TLS handshakes span many round trips and may be fragmented, so they are more exposed to packet loss, not less; tune timeouts accordingly.
Credential-Based vs. Certificate-Based Authentication
Within RADIUS protocol, you must choose between credential-based and certificate-based authentication.
Credential-based authentication is traditional: most systems rely on it, and employees are used to user names and passwords. However, credentials are easy to share, misplace or phish, and attackers can guess them by brute force or password spraying.
Certificate-based authentication, or passwordless authentication, is more modern and, with EAP-TLS, more secure: the private key never leaves the device and there is nothing to type or phish. However, certificate management (issuance, renewal and revocation) can be cumbersome, and improper management creates its own weaknesses, such as stale CRLs or a private key copied between devices. A managed service or an automated PKI addresses these issues.
Common Use Cases for RADIUS Protocol
RADIUS is an ideal networking protocol for many business needs, including:
- Network access
- Intranets
- Virtual Private Networks (VPNs)
- Wireless Networks (Wi-Fi)
- Internet Service Providers (ISPs)
- Network accounting
For more detailed use cases, see our article on the advantages of cloud-based RADIUS servers.
On-Prem and Cloud RADIUS Server
Cloud-based RADIUS servers integrate with a cloud directory service, whereas on-premises RADIUS servers run inside the local infrastructure. Cloud-based RADIUS is a viable substitute for an on-premises server, delivering authentication without the administrative burden of hardware, patching and upgrades.
A managed cloud RADIUS that uses certificate-based authentication is an effective approach to access security: certificates cannot be phished or replayed the way passwords can, and the authentication process is both faster and harder to attack. Whatever its size, an enterprise should treat network authentication as part of a resilient security framework rather than an afterthought.
RADIUS Authentication Protocols for Wi-Fi
The basic types of authentication protocols are:
- Challenge Handshake Authentication Protocol (CHAP), where the server sends a challenge and the client returns an MD5 hash of its password and the challenge, so the password itself never travels; the server must hold the password in plaintext or reversibly encrypted form to verify it
- Password Authentication Protocol (PAP), where the client sends the password itself; between NAS and RADIUS server it is hidden with the shared secret, but it remains the weakest option unless it is wrapped in a TLS tunnel
- Extensible Authentication Protocol (EAP), which supports multiple authentication methods including passwordless certificates
But within each protocol category, there are many modern variations. Let’s take a look at the different protocols used in credential-based and certificate-based authentication:

PEAP-MSCHAPv2
A combination of the Protected Extensible Authentication Protocol (PEAP) and the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
With PEAP-MSCHAPv2 the user provides their credentials, which are sent inside a TLS tunnel to the RADIUS server; the server validates them and authenticates the user before allowing network access. Because only the server presents a certificate, the client must be configured to validate it (trusted CA and expected server name); a client that skips this check will hand its MS-CHAPv2 response to any rogue access point that broadcasts the same SSID.
EAP-TTLS-PAP
Stands for Extensible Authentication Protocol (EAP) Tunneled Transport Layer Security (TTLS) Password Authentication Protocol (PAP).
For many years, EAP-TTLS-PAP has been a common choice for WPA2-Enterprise Wi-Fi authentication. It is a credential-based protocol in which only the server presents a certificate; the client authenticates with a user name and password sent as PAP inside the TLS tunnel, which lets the RADIUS server check the password against a directory that only supports a bind, such as LDAP. The same caveat applies as with PEAP: the client must validate the server certificate, or the tunnel protects nothing.
EAP-TLS
Stands for Extensible Authentication Protocol (EAP) Transport Layer Security (TLS).
EAP-TLS is purely certificate-based and uses no passwords. The RADIUS server is configured with the CA certificates that issue the client certificates, and each client that wants to connect is provisioned with its own certificate and private key, which it presents in the TLS handshake. Client authentication consists of the server verifying the certificate chain and the client's proof of possession of the private key, then mapping the identity in the certificate (for example a user name or email address in the subject or Subject Alternative Name) to a user or device record.
Which Authentication Protocol Is Most Secure With RADIUS?
EAP-TLS requires both the server and the client to present digital certificates, so the link is mutually authenticated. For that reason it is generally regarded as the most secure method to use with RADIUS. A digital certificate is only considered valid if it is signed by a Certificate Authority (CA) that both the client and the server trust, so an attacker cannot stand up a rogue RADIUS server or forge a client certificate without that CA's key.
Let us further examine why EAP-TLS wins here: there is no password to phish, spray or reuse; each device holds its own private key, so one compromised device can be revoked without affecting the others; and the handshake is ordinary TLS, which is well studied and widely implemented.

Is RADIUS Still Relevant?
The RADIUS protocol is highly relevant today. It’s an Authentication, Authorization, and Accounting solution that offers secure identity verification, continuous trust validation, extensive customization, and flexible scalability.
RADIUS is ideal for enterprise organizations and any business with a complex network, including wired and wireless access, network devices (including unmanaged and IoT devices), remote users, and more.
It has been in constant evolution since its inception in the 1990s, maintained by the IETF through successive RFCs and referenced by the IEEE 802.1X standard.
The Future of RADIUS
Authentication services have plenty to offer in every industry, from healthcare to the military. Strong network authentication is a foundation of login security and helps deny ransomware operators the initial access they depend on.
Diameter, a protocol conceived not long after the RADIUS working group was established, was initially meant to be a spruced-up successor to RADIUS. It is now an IETF standard (RFC 3588, since replaced by RFC 6733); its name is a pun, a diameter being twice a radius. In practice Diameter is used mainly in mobile core networks, while RADIUS remains dominant for enterprise network access.
According to a study, “cloud computing can be worth $68.5 billion by 2025” implying that “cloud is the future”. Businesses using the cloud are finding it easier to process huge volumes of data, facilitate global deployment, adopt dynamic ways of working, and be more innovative.
JoinNow Cloud RADIUS is a 100% passwordless solution, designed so that network login never depends on a password that could be stolen from a cloud identity. It has built-in redundancy, so a high-traffic event will not stall the authentication process.
With the rise in remote work, cloud-based and password-free network solutions are foundational for cyber security.
Cloud RADIUS
Cloud RADIUS is focused on efficiency, since it benefits from a lack of hardware and related expenditures over time.
Furthermore, integrating with Securew2 provides additional customization possibilities via features such as Azure MFA authentication, Intune auto-revocation, Windows Hello for Business login, and many more. Cloud RADIUS needs no extensive preparation or on-site hardware, so it is not exposed to local outages or physical theft, and with built-in redundancy it can serve every site without being installed at each location.
Experience managed RADIUS today with a free demo.