The History of the RADIUS Protocol and How It Works

Learn what the RADIUS protocol is, how it works, and why it remains essential for secure network access.

Learn how the RADIUS protocol enables secure authentication, authorization, and accounting.

Key Points
  • RADIUS is a client-server protocol for centralized Authentication, Authorization, and Accounting (AAA) either on-premise or in the cloud.
  • While it supports password-based authentication with PEAP-MSCHAPv2 and EAP-TTLS-PAP, it’s more secure with certificate-based methods like EAP-TLS.
  • JoinNow Cloud RADIUS is a managed RADIUS service enabling passwordless EAP-TLS authentication for better security and scalability.

The RADIUS protocol is a comprehensive, trusted means of managing network access at the enterprise level that addresses multiple common vulnerabilities in network security. With cyberattacks growing more sophisticated and the number of data breaches increasing — more than 2,200 cyber attacks are recorded daily — companies can’t afford weak verification processes, poor access controls, and static policies.

The RADIUS protocol, and managed applications like a cloud-based RADIUS implementation, provides a reliable, configurable network access solution that meets modern security standards.

In this article, we’ll deliver an in-depth analysis of what RADIUS is, why it was developed, how it works, and its current and future impact on network access security.

What Is the RADIUS Protocol?

RADIUS, short for Remote Authentication Dial-in User Service, is a client-server network security protocol bundling user authentication, authorization, and accounting into one access control system.

Its user-friendliness, effectiveness, and capacity for expansion makes RADIUS the clear choice for security-conscious organizations such as Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks.

RADIUS serves three fundamental purposes, often referred to as AAA:

  • Authentication: matches user credentials to verify identity
  • Authorization: determines user permissions
  • Accounting: tracks user network resource-use

The RADIUS protocol is an essential component of 802.1X, the larger port-based authentication framework for secure network access control. 802.1X, using RADIUS and other measures, creates a thorough, verifiable authentication system that protects your organization across private connections, shared networks, and public Wi-Fi.

History of RADIUS

RADIUS’ development began decades ago, and consistent updates have kept the protocol secure even against modern-day cyberattacks.

Leading Up to 1991: Inception

Merit Networks receives a grant from the National Science Foundation to develop a protocol that can provide dial-up service to tens of thousands of users — without configuring each user on each dial-up server. Merit awards the contract for developing the RADIUS protocol to Livingston Enterprises, who delivers the first version of the protocol in 1991.

1994: Implementation

The RADIUS protocol debuts after major changes, including modifications for RADIUS to operate as both a client and a server and to make judgments regarding how to route authentication requests depending on various protocol-carried information. The first implementation serves as the primary source for the Merit AAA/RADIUS server. Network Access Server (NAS) vendors begin large-scale adoption.

1997: Standardization

The RADIUS authentication protocol is so beneficial that the Internet Engineering Task Force (IETF) standardizes it as a series of Internet Requests for Comments (RFCs). The first is RFC 2058, made obsolete that same year by RFC 2138.

2000: Application

RFC 2138 becomes obsolete, replaced by RFC 2865. Among the most notable changes, RADIUS now supports authentication and authorization between NAS and RADIUS servers.

Today: Securitization

While early RADIUS legacy systems only supported credential-based authentication methods, modern RADIUS supports passwordless authentication with digital certificates. It features stronger encryption and more flexible authentication protocols.

Who Regulates the RADIUS Protocol?

The Internet Engineering Task Force (IETF) regulates the RADIUS protocol with Request for Comments (RFC) documents dating back to 1997. The IETF outlines current standards in RFC 2865, published in 2000. 

RADIUS is also part of the Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication protocol.

Components of RADIUS

RADIUS consists of 3 main components:

  • RADIUS Client/RADIUS Supplicant: lightweight software that validates credentials by sending them to the RADIUS server.
  • Network Access Server (NAS): a gateway between the user and the network.
  • RADIUS Server: the server that validates credentials, assesses connection details, and conducts time tracking.

How Does RADIUS Server Authentication and Authorization Work?

The 802.1X authentication mechanism uses a client/server model with four distinct elements: 

  • Client
  • Client device
  • Authentication server (RADIUS server)
  • Identity provider (IdP)

RADIUS facilitates user authentication by verifying user credentials or certificates with the RADIUS server, which verifies authenticity against the IdP. If the credentials match, 802.1X opens network ports and authorizes access to network resources. 

RADIUS can authenticate and authorize simultaneously by validating identity and other authentication information while examining specific permissions.

Organizations may use either traditional credentials or X.509 digital certificates for RADIUS authentication. The process differs slightly for each approach.

Credential Authentication and Authorization

RADIUS servers don’t store credentials; they reference a directory to verify credentials and current authorization attributes. To protect data during referencing, clients and servers use a shared secret: a security key or password they both know but never transmit.

Here’s how the RADIUS packet request process works:

1. User or Device Sends Access Request to Network Access Server (NAS)

The end user or device submits an authentication request to the NAS containing their username and encrypted password.

2. NAS Delivers Access Request to the RADIUS Server

The NAS forwards the authentication packet request to the appropriate RADIUS server.

3. RADIUS Server Analyzes and Responds to Request

The server reads the shared secret and verifies the user’s credentials against the user database. Based on its findings, the RADIUS server responds to the NAS with an ACCESS ACCEPT message to authenticate the user, an ACCESS CHALLENGE packet to request more details, or an ACCESS REJECT packet if the credentials can’t be verified.

4. (If ACCESS ACCEPT) Client Authorization Grants User Access

Once the RADIUS server authenticates and authorizes the user, the client receives the ACCESS ACCEPT response with the shared secret and Filter ID attribute. This grants access to a RADIUS group containing other authorized users with the same permissions (typically same department and/or authority level).
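As an added example (not SecureW2’s code and not part of the original article), the following Python models steps 1 through 4 at the packet level as RFC 2865 specifies them: the NAS hides the User-Password with the shared secret and a random Request Authenticator, the server recovers it, checks a constructed toy user table, and answers with an Access-Accept carrying a Filter-Id or with an Access-Reject, and the NAS verifies the Response Authenticator before trusting the reply. The user table, the secret, and the NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

# Constructed toy "directory" for the example: username -> (password, group).
USERS = {b"alice": (b"correct horse", b"staff")}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous output block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server that knows the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    return code, ident, data[4:20], decode_attrs(data[20:])

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_access_request(ident, username, password, secret, nas_ip=bytes([10, 0, 0, 1])):
    """Steps 1-2: the NAS builds the Access-Request; the secret itself never appears in it."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(packet, secret):
    """Step 3: recover the password, check the directory, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("this toy server only handles Access-Request")
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    entry = USERS.get(a.get(USER_NAME))
    if entry is not None and hmac.compare_digest(entry[0], password):
        reply_code, reply_attrs = ACCESS_ACCEPT, [(FILTER_ID, entry[1])]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(reply_code, ident, request_auth, encode_attrs(reply_attrs), secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_verify_reply(request, reply, secret):
    """Step 4: the NAS trusts the reply only if the identifier and Response Authenticator match."""
    _, req_ident, request_auth, _ = parse_packet(request)
    code, ident, auth, attrs = parse_packet(reply)
    if ident != req_ident:
        return None
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    if not hmac.compare_digest(expected, auth):
        return None
    return code, dict(attrs)
```

The point a defender should take from it: the shared secret never crosses the wire, yet a reply built without it fails the check in client_verify_reply and is dropped, so a NAS must always verify the Response Authenticator rather than act on the packet code alone. The hiding and authenticator mechanisms are the MD5 constructions of the 2000 RFC; where NAS-to-server traffic crosses untrusted networks, carry it over TLS, as the article notes under network security.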

Certificate Authentication and Authorization

Certificate-based authentication for managing user access works like this:

1. Device Sends Access Request With Certificate to NAS

To start the process, the device requesting access sends its certificate to the NAS.

2. NAS Forwards Access Request to RADIUS Server

The NAS receives the access request packet and certificate, pushing it to the RADIUS server.

3. RADIUS Server Analyzes Certificate

The RADIUS server checks expiration conditions and a Certificate Revocation List (CRL) to determine if the certificate is expired or revoked.

4. (If Certificate Is Valid) Certificate Authorization Grants User Access

If the certificate is expired or revoked, the access request will be denied. If not, the RADIUS server confirms and grants access.

How Does RADIUS Accounting Work?

Accounting is the process of recording and managing user access details. There are 3 steps:

Accounting Start: Once a user gains access to the network, the RADIUS client sends a RADIUS accounting request packet (Accounting Start) to the RADIUS server. This contains the user’s network address, credentials, MAC address, wired or wireless access point, and unique session identifier. When the RADIUS server receives the Start packet, it sends an Accounting Response back to the client.

Session Updates: The client periodically sends additional request packets for new details about the session; the RADIUS server sends responses.

Accounting Stop: Whether a user logs off or has access revoked, when a session ends, the RADIUS client sends one last accounting request packet (Accounting Stop) containing the session duration, data accessed, bytes, starting and interim packets, and reason the session ended. The server stores these details for records and audits.

Thanks to RADIUS accounting, network administrators get a clear picture of individual use and broad trends. They can use this information to maintain security, revoke authorization, bill users based on data usage, and forecast future needs.
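As an added example (not SecureW2’s code and not part of the original article), the following Python reconciles the Start, interim update, and Stop records described above into per-session summaries, flags the anomalies an administrator would want to see (a Stop with no Start, a session that never stops or updates, a reported Acct-Session-Time that disagrees with the server’s own timestamps), and totals bytes per user for the billing use the text mentions. The records, timestamps, and thresholds are constructed sample values; the attribute names and Acct-Status-Type values follow RFC 2866.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Acct-Status-Type values from RFC 2866.
START, STOP, INTERIM_UPDATE = 1, 2, 3

# Constructed sample accounting records: one dict per Accounting-Request, already
# decoded. "Timestamp" is the server's receive time in epoch seconds.
RECORDS = [
    {"Acct-Status-Type": START, "Acct-Session-Id": "A1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.1", "Timestamp": 1000},
    {"Acct-Status-Type": INTERIM_UPDATE, "Acct-Session-Id": "A1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.1", "Timestamp": 2800,
     "Acct-Input-Octets": 1000, "Acct-Output-Octets": 5000},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "A1", "User-Name": "alice",
     "NAS-IP-Address": "10.0.0.1", "Timestamp": 4600, "Acct-Session-Time": 3600,
     "Acct-Input-Octets": 2000, "Acct-Output-Octets": 9000,
     "Acct-Terminate-Cause": "User-Request"},
    # A Stop with no matching Start: the Start was lost or never sent.
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "B7", "User-Name": "bob",
     "NAS-IP-Address": "10.0.0.2", "Timestamp": 5000, "Acct-Session-Time": 120,
     "Acct-Input-Octets": 10, "Acct-Output-Octets": 20,
     "Acct-Terminate-Cause": "Lost-Carrier"},
    # A Start that never stops and never sends an interim update.
    {"Acct-Status-Type": START, "Acct-Session-Id": "C3", "User-Name": "carol",
     "NAS-IP-Address": "10.0.0.1", "Timestamp": 100},
]

@dataclass
class Session:
    session_id: str
    user: str
    nas: str
    start: Optional[int] = None
    last_update: Optional[int] = None
    stop: Optional[int] = None
    input_octets: int = 0
    output_octets: int = 0
    session_time: int = 0
    terminate_cause: str = ""
    anomalies: List[str] = field(default_factory=list)

def reconcile(records, now, stale_after=2 * 3600, drift_tolerance=60) -> Dict[str, Session]:
    """Fold accounting records into sessions keyed by Acct-Session-Id and flag anomalies."""
    sessions: Dict[str, Session] = {}
    for r in records:
        s = sessions.get(r["Acct-Session-Id"])
        if s is None:
            s = Session(r["Acct-Session-Id"], r["User-Name"], r["NAS-IP-Address"])
            sessions[s.session_id] = s
        status, ts = r["Acct-Status-Type"], r["Timestamp"]
        if status == START:
            if s.start is not None:
                s.anomalies.append("duplicate Start")
            s.start = ts
            continue
        # Interim updates and Stops carry cumulative counters; keep the latest.
        s.input_octets = r.get("Acct-Input-Octets", s.input_octets)
        s.output_octets = r.get("Acct-Output-Octets", s.output_octets)
        if status == INTERIM_UPDATE:
            if s.start is None:
                s.anomalies.append("Interim-Update before Start")
            s.last_update = ts
        elif status == STOP:
            if s.start is None:
                s.anomalies.append("Stop without Start")
            s.stop = ts
            s.session_time = r.get("Acct-Session-Time", 0)
            s.terminate_cause = r.get("Acct-Terminate-Cause", "")
            # The NAS reports its own duration; compare it with what the server observed.
            if s.start is not None and abs((s.stop - s.start) - s.session_time) > drift_tolerance:
                s.anomalies.append("Acct-Session-Time disagrees with Start/Stop timestamps")
    for s in sessions.values():
        if s.start is not None and s.stop is None and now - (s.last_update or s.start) > stale_after:
            s.anomalies.append("open session with no update past threshold")
    return sessions

def usage_by_user(sessions: Dict[str, Session]) -> Dict[str, int]:
    """Total octets per user across all sessions, the figure a billing job would consume."""
    totals: Dict[str, int] = {}
    for s in sessions.values():
        totals[s.user] = totals.get(s.user, 0) + s.input_octets + s.output_octets
    return totals

if __name__ == "__main__":
    for s in reconcile(RECORDS, now=100000).values():
        print(s.session_id, s.user, s.terminate_cause or "(open)", s.anomalies)
    print(usage_by_user(reconcile(RECORDS, now=100000)))
```

Run on a real export, the stale-session and orphan-Stop checks are what surface a NAS that has lost state or a session whose Stop never arrived, which is the difference between accounting that supports an audit and accounting that only fills a table.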

The RADIUS Server Protocol in Network Security

RADIUS is the most common implementation for 802.1X network access control management. It’s also the de facto network security standard for modern dial-up, DSL, wireless, and mobile networks.

RADIUS servers’ centralized AAA capabilities, flexibility, and adaptability maximize privacy and security and increase efficiency. For greater security, organizations can add modern security standards such as multi-factor authentication (MFA), TLS, and VPNs to encrypt payloads.

Pros and Cons of RADIUS Authentication

RADIUS Benefits

  • Reliable AAA: AAA is a trusted, comprehensive security measure; it’s the primary function of RADIUS. 
  • Granular Access Controls: Customizable role-based access helps keep private data secure.
  • Centralized Authentication Management: Between RADIUS servers and user databases, admins have a trustworthy way to authenticate users and track data. 
  • Continuous Trust Verification: If admins revoke authorization, unauthorized users lose access instantly.
  • Scalability: RADIUS scales as you grow, adding users and certificates while managing numerous requests.

RADIUS Challenges

  • On-Premise Hardware: On-prem RADIUS typically requires additional hardware, plus installation and maintenance. Avoid this challenge with cloud-based managed RADIUS.
  • Security Vulnerabilities: Like all security measures, RADIUS isn’t immune to threats. It requires modern hardware and software with regular updates.
  • Complicated Network Infrastructure: RADIUS can be difficult to configure and maintain. However, RADIUS service providers can manage configuration details and maintenance.
  • Niche Expertise: On-prem servers and/or management require experienced staff. Otherwise, you’ll need a trusted RADIUS provider.
  • Reliability: RADIUS uses a connectionless protocol called User Datagram Protocol. It’s faster than connection-based protocols but can be inconsistent. Choose the right authentication type (like EAP-TLS) to improve reliability.

Credential-Based vs. Certificate-Based Authentication

Within the RADIUS protocol, you must choose between credential-based and certificate-based authentication.

The traditional option is credential-based authentication. Most security systems rely on it, and employees are accustomed to usernames and passwords. However, credentials are vulnerable to sharing, misplacement, and brute-force attacks.

Certificate-based authentication, or passwordless authentication, is more modern and secure. However, certificate management can be cumbersome, and improper management creates vulnerabilities. Working with a managed service provider solves these issues.

On-Prem vs. Cloud RADIUS Server

When choosing between on-premise or cloud-based RADIUS solutions, consider:

  1. Implementation: Cloud-based RADIUS uses virtual servers and directories, while on-prem RADIUS servers require local infrastructure.
  2. Administration: Cloud-based RADIUS servers can be managed offsite, but on-prem RADIUS typically requires in-house management.
  3. Security: Cloud-based RADIUS requires network access management, but with on-prem RADIUS, you must also protect physical servers and equipment.
  4. Scalability: Cloud-based RADIUS is highly extensible, while on-prem RADIUS servers may require additional hardware to scale.

Common Use Cases for the RADIUS AAA Protocol

RADIUS is an ideal networking protocol for many business needs, including:

  • Network access
  • Intranets
  • Virtual Private Networks (VPNs)
  • Wireless Networks (Wi-Fi)
  • Internet Service Providers (ISPs)
  • Network accounting

For more detailed use cases, see our article on the advantages of cloud-based RADIUS servers.

On-Prem and Cloud RADIUS Server

Cloud-based RADIUS servers integrate with a cloud-based directory service, whereas on-premises RADIUS servers run entirely within the local infrastructure. Cloud-based RADIUS servers are a viable substitute for on-premises RADIUS servers, delivering a convenient authentication solution without the related administrative burden.

A managed cloud RADIUS that uses certificate-based authentication is an effective approach to data security management: it mitigates significant security risks such as phishing and hacking while making the authentication process both more efficient and more secure. Organizations of any size should consider strengthening their digital security measures to build a resilient security framework that safeguards the enterprise against cyber threats.

RADIUS Authentication Protocols for Wi-Fi

RADIUS is often used in point-to-point protocol (PPP) connections, where it provides authentication, authorization, and accounting. Basic protocols within PPP include:

  • Challenge Handshake Authentication Protocol (CHAP), where servers send challenges to clients for added security above password-based protocols
  • Password Authentication Protocol (PAP), where servers receive credentials as plain text (typically less secure than CHAP)
  • Extensible Authentication Protocol (EAP), which supports multiple authentication methods including passwordless certificates

But within each protocol category, there are many modern variations:

EAP-TLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a form of certificate-based authentication with mutual authentication, meaning both clients and servers have certificates. Client certificates contain the user’s email address for server-side authentication, and clients receive a certificate with the corresponding key on connection.

PEAP-MSCHAPv2

A combination of the Protected Extensible Authentication Protocol (PEAP) and the Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2).

PEAP-MSCHAPv2 is credential-based. The user submits their credentials, and the RADIUS server receives and validates the credentials, authenticating the user before granting access.

EAP-TTLS-PAP

Stands for Extensible Authentication Protocol (EAP) Tunneled Transport Layer Security (TTLS) Password Authentication Protocol (PAP). 

EAP-TTLS-PAP is a credential-based protocol designed for accessible setup with server-side authentication. It’s the standard for WPA2-Enterprise Wi-Fi authentication, but optional client authentication creates vulnerabilities.

Which Authentication Protocol Is Most Secure With RADIUS?

EAP-TLS is the only certificate-based protocol, and both the server and the client must connect with digital certificates signed by a respected Certificate Authority (CA), making it the most secure option for use with RADIUS.

Breaking down the benefits further:

  1. Increased security: X.509 digital certificates with strong cryptography offer better security than other protocols.
  2. MITM protection: Resistant to man-in-the-middle (MITM) attacks; real-time detection isolates new threats.
  3. No password resets: Without credentials, there are no clunky password reset requirements.
  4. Mutual authentication: Server- and client-side authentication reduce the risk of unauthorized users.
  5. Certificate-based authentication: Digital certificates are more secure than credentials, which can be shared, misplaced, or guessed.
  6. Simple user experience: No usernames or passwords to remember and no reset requirements.
  7. Fewer steps, faster authentication: EAP-TLS has fewer steps than other protocols (12 vs. 22-25) for more efficient authentication and faster connections.
  8. One certificate for multiple applications: Authorize a single certificate for multiple networks, resources, services, or apps, managing policies through your directory.

The Future of the RADIUS Network Protocol

Industries from healthcare to the military rely on RADIUS for secure authentication services. RADIUS is the current, and in all likelihood, future, standard for network security and will remain an essential defense against cyberattacks.

Goldman Sachs estimates cloud computing sales will reach $2 trillion by 2030. This rapid growth requires continued improvements in large-scale data processing, remote network environments, and global deployment. All of this demands enhanced security — including cloud-based, password-free network solutions like RADIUS servers with EAP-TLS.

How JoinNow Cloud RADIUS Protects Your Organization

JoinNow Cloud RADIUS is a 100% passwordless, cloud-based solution protecting your organization from credential theft. It’s designed for global workforces and adaptable to all network environments and infrastructures.

Cloud RADIUS has no hardware requirements, meaning no server installation, management, or maintenance — and no risk of physical equipment theft. Features like Azure MFA authentication, Intune auto revocation, and Windows Hello for Business login allow for a highly configurable environment without major infrastructure changes. 

Our solutions are built for enterprises of any size. Cloud RADIUS from SecureW2 is highly extensible for continued scalability, and built-in redundancy protects authentication during high-traffic events. 

Ready to experience the freedom and security of a cloud-based, managed RADIUS solution? Try it out with a no-risk demo to see how solutions from SecureW2 integrate with your systems.

Get answers to common questions about the RADIUS server protocol.

Frequently Asked Questions

What's the difference between RADIUS and TACACS+?

Terminal Access Controller Access-Control System Plus (TACACS+) is a device administration protocol developed by Cisco primarily for use with Cisco devices.

It uses Transmission Control Protocol (TCP), which is reliable and requires a connection before sending data packets, but can be slow. TACACS+ encrypts all packets during communications and treats authentication, authorization, and accounting (AAA) as separate processes, and additionally doesn’t support 802.1X network access control.

Remote Authentication Dial-in User Service (RADIUS) is an open standard network access authentication protocol that primarily uses User Datagram Protocol (UDP), which is efficient, but can be unreliable — modern RADIUS also supports TCP.

RADIUS encrypts passwords during communications, combines AAA processes, and supports 802.1X port-based access control.

High-regulation industries prefer TACACS+ for reliability and packet encryption. Companies prioritizing simplicity, configurability, and scalability choose RADIUS.

What's the difference between LDAP and RADIUS?

Lightweight Directory Access Protocol (LDAP) is a directory access protocol that provides authentication and authorization; it lacks the built-in standardized accounting (usage tracking) framework of RADIUS. LDAP is credential-based but doesn't secure credentials, and it lacks mutual authentication (no server certificate validation).

Remote Authentication Dial-in User Service (RADIUS) supports both credential- and certificate-based authentication, encrypting users' passwords with shared secrets. RADIUS typically uses UDP, but can support TCP, includes all AAA features (authentication, authorization, and accounting), and supports mutual authentication. RADIUS can be either on-prem or cloud-based.

Compared to LDAP, RADIUS is more robust, configurable, and secure.

Is the RADIUS Protocol TCP or UDP?

RADIUS typically transports with UDP, but RFC 6613 (https://tools.ietf.org/html/rfc6613), published in 2012, updated the protocol to include TCP.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) both transmit data packets, but there are important differences. TCP is connection-based: it won't send data until it establishes a connection with the recipient, making it more reliable but slower. UDP is not connection-based: it will transmit data even if there's no connection, making it less reliable but more efficient.

Is RADIUS Still Relevant?

The RADIUS network protocol is highly relevant because it's a modern authentication, authorization, and accounting (AAA) solution offering secure identity verification, continuous trust validation, extensive customization, and flexible scalability.

After its debut in the 1990s, RADIUS has been continually updated by governing institutions such as the IETF and IEEE, adding new features (like TCP) that maintain RADIUS’ robust security.

RADIUS is ideal for enterprises and any business with a complex network involving wired and wireless access, network devices (including unmanaged and IoT devices), remote users, and other unique requirements.