What is RADIUS and How Does it Work?

Learn about RADIUS (Remote Authentication Dial-In User Service), its purpose in network security, and how it operates to authenticate and authorize users.

The Basics of RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. Let’s break down what the “three A’s” mean:

  • Authentication: This is the process of verifying the identity of a user or device trying to access the network. RADIUS checks the credentials (like username and password or a certificate) against a database or certificate authority to ensure they are valid.
  • Authorization: Once a user is authenticated, RADIUS determines what resources or services the user is allowed to access. This could include specific network segments, bandwidth limits, or time-of-day restrictions.
  • Accounting: RADIUS keeps track of the user’s activity on the network. This includes logging session start and stop times, data usage, and any other relevant information for billing or auditing purposes.

What is RADIUS Used For?

One of the most popular use cases for RADIUS is in enterprise Wi-Fi networks. If you’ve ever logged into a secure Wi-Fi network at work or school, chances are RADIUS was involved in verifying your credentials and granting you access. Sometimes you may not even need to enter a password, as RADIUS can work with certificates installed on your device for seamless authentication. Ever wonder how your work or school laptop connects automatically to the Wi-Fi without prompting for a password? That’s likely RADIUS at work, using certificate-based authentication.

RADIUS is also widely used in VPNs (Virtual Private Networks), where it helps ensure that only authorized users can access the network remotely. As with Wi-Fi, RADIUS can authenticate VPN users with a username and password or with certificates.

Does RADIUS Support Wired Networks?

Yes, RADIUS can also be used to secure wired networks. In such cases, RADIUS works in conjunction with network switches that support 802.1X authentication. You can configure your RADIUS policies in the same way as you would for Wi-Fi networks, allowing for consistent access control across both wired and wireless connections. When setting up your network infrastructure, make sure to configure RADIUS for both wired and wireless access points to ensure comprehensive security.

Types of RADIUS

There isn’t a one-size-fits-all approach to RADIUS. There are two common types which differ mainly in how they handle security and transport:

  1. Classic RADIUS: This is the traditional form of RADIUS, which uses UDP (User Datagram Protocol) for communication. While it is widely used, Classic RADIUS has security limitations: the packet is not encrypted as a whole, so sensitive information can be exposed if the traffic is intercepted.
  2. RadSec: RadSec is a more modern approach that carries RADIUS over TCP (Transmission Control Protocol) and TLS (Transport Layer Security), so the whole exchange is encrypted. This makes it more secure than Classic RADIUS, especially when sensitive information crosses untrusted networks. However, not all RADIUS clients support RadSec, so compatibility should be considered, and the TLS overhead means it can consume more resources on the devices involved.

You can learn more about the differences between Classic RADIUS and RadSec in our Classic RADIUS vs RadSec page.
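To make the Classic RADIUS limitation concrete, here is an added example (not code from the original page or from any RADIUS vendor) that builds an RFC 2865 Access-Request with only the Python standard library and then reads it back the way anyone capturing the UDP datagram could: only the User-Password attribute is obfuscated with the shared secret, while User-Name and NAS-IP-Address are plainly visible. The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import os

# RFC 2865 packet code and attribute types used here.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: NUL-pad to 16 bytes, XOR each block with MD5(secret +
    previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident: int, secret: bytes, user: bytes,
                         password: bytes, nas_ip: bytes) -> bytes:
    """Header (code, id, length, 16-byte random authenticator) + TLV attributes."""
    request_auth = os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, user),
                         (USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (NAS_IP_ADDRESS, nas_ip)):
        attrs += bytes([atype, len(value) + 2]) + value
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + request_auth + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; no secret is needed for this."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def observer_view(packet: bytes, password: bytes) -> dict:
    """What someone who captured the datagram learns without the shared secret."""
    attrs = parse_attributes(packet)
    return {"user_name": attrs[USER_NAME].decode(),
            "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
            "password_in_clear": password in packet}
```

Running `observer_view` on a packet built with these sample values returns the username and NAS address in the clear and `password_in_clear` as `False`, which is exactly the partial protection RadSec's TLS wrapper is meant to replace.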

How Do Users Log In Using RADIUS?

When a user attempts to connect to a network that uses RADIUS for authentication, there are two main methods they might use:

Username and Password

In this method, the user provides a username and password when trying to connect to the network. The RADIUS server verifies these credentials against its database. If the credentials are valid, the user is granted access based on the authorization policies set on the RADIUS server.

RADIUS servers often have the ability to create usernames and passwords directly, but in many cases they integrate with existing identity providers like Entra ID, LDAP, or Active Directory to manage user credentials. This reduces the number of usernames and passwords users need to remember, as they can use their existing corporate credentials to access the network. To enable this, the RADIUS server must be able to reach the identity provider to validate the credentials.

Certificate-Based Authentication

When configured correctly, certificates are the most secure and user-friendly way to authenticate with RADIUS. In this method, the user’s device presents a digital certificate to the RADIUS server during the authentication process. The RADIUS server verifies the certificate against a trusted Certificate Authority (CA). If the certificate is valid and trusted, the user is granted access without needing to enter a username or password.

Setting up certificate-based authentication typically involves running your own Private Key Infrastructure (PKI) to issue and manage certificates. This can be an on-premises solution or a cloud-based PKI service. Additionally, you’ll need a way to distribute the certificates to user devices, which is often done using a Mobile Device Management (MDM) solution like Intune.

You can read more about setting up PKI infrastructure for RADIUS in our PKI for RADIUS guide, and about distributing certificates using MDM in our MDM for RADIUS guide.

What’s Under the Hood of RADIUS?

Powering RADIUS are various protocols that dictate how authentication and communication occur. Some of the most common authentication protocols used with RADIUS include:

  • EAP-TLS (Extensible Authentication Protocol - Transport Layer Security): Widely regarded as the most secure RADIUS authentication method, EAP-TLS uses certificates for mutual authentication between the client and server.
  • PEAP (Protected Extensible Authentication Protocol): PEAP encapsulates EAP within a secure TLS tunnel, typically using a server-side certificate for the tunnel and username/password for client authentication.
  • PAP (Password Authentication Protocol): A simple protocol that transmits usernames and passwords in plaintext. It is not recommended for use over untrusted networks.
  • … and more!

You can dive deeper into these protocols and their use cases in our RADIUS Protocols page.