What are the Protocols Used by RADIUS?

RADIUS operates with various protocols depending on your implementation. Learn about the common protocols used by RADIUS for authentication and communication.

Going Under the Hood of RADIUS

Lifting up the hood on RADIUS reveals a variety of protocols that facilitate its core functions of authentication, authorization, and accounting. When setting up a RADIUS server, these protocols can be mixed and matched based on your organization’s security requirements and infrastructure capabilities. Below, we explore some of the most common RADIUS protocols and their typical use cases.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

EAP-TLS is widely regarded as the most secure RADIUS authentication method. It uses client-side certificates or smart cards to authenticate users, providing strong security without relying on passwords. In EAP-TLS, both the client and server present certificates to each other, ensuring mutual authentication.

You may choose EAP-TLS when security is a top priority, such as in environments where sensitive data is transmitted or where regulatory compliance requires strong authentication methods.


When setting up EAP-TLS, you’ll need to manage a Public Key Infrastructure (PKI) to issue and revoke client certificates. This will require setting up a Certificate Authority (CA) which will issue certificates, and a Mobile Device Management (MDM) solution such as Intune to distribute the certificates to client devices. To learn how to set up PKI infrastructure for RADIUS, check out our PKI for RADIUS guide.

Once the certificates are distributed, users can authenticate seamlessly using their certificates when connecting to the network.

EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security)

EAP-TTLS is similar to EAP-TLS but allows for more flexibility in client authentication methods. It establishes a secure TLS tunnel using a server-side certificate, and within that tunnel, the client can authenticate using various methods, such as username/password or even client certificates.

EAP-TTLS is often used when organizations want to maintain strong security with a TLS tunnel but prefer to use simpler client authentication methods like usernames and passwords. This is very common when doing Entra ID or Active Directory integration.

When implementing EAP-TTLS, you’ll need to ensure that your RADIUS server has a valid server certificate. Clients must also be configured to trust the server’s certificate. You can distribute the server certificate to all client devices either manually or automatically through a Mobile Device Management (MDM) solution such as Intune. Learn more about distributing certificates in our MDM for RADIUS guide.

PEAP (Protected Extensible Authentication Protocol)

PEAP (Protected EAP) encapsulates EAP within a secure TLS tunnel. It typically uses a server-side certificate to establish the TLS tunnel, and then the client authenticates using a username and password. PEAP is popular because it provides a good balance between security and ease of use.

Organizations tend to use PEAP when they want to avoid the complexity of managing client certificates while still benefiting from the security of a TLS tunnel.

When implementing PEAP, you will need to ensure that your RADIUS server has a valid server certificate and that clients are configured to trust the server’s certificate. You will need to distribute the server certificate to all client devices either manually or automatically through a Mobile Device Management (MDM) solution such as Intune. Learn more about distributing certificates in our MDM for RADIUS guide.

Once the server certificate is distributed, users can authenticate using their usernames and passwords within the secure tunnel established by PEAP.

PAP (Password Authentication Protocol)

PAP is a simple authentication protocol that transmits the username and password to the RADIUS server. The password is not hashed irreversibly: on the wire it is only obscured with an MD5-based scheme keyed by the RADIUS shared secret, and inside an EAP-TTLS tunnel it is carried as plaintext protected only by the tunnel. Due to its lack of security, PAP is generally not recommended for use over untrusted networks. However, it may be used in conjunction with other secure protocols, such as within a secure EAP-TTLS or VPN tunnel.

In practice, PAP is often used in legacy systems or in environments where security is not a primary concern.
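The RFC 2865 User-Password hiding that PAP relies on, as an added example that is not part of the original article: a Python implementation of both directions, which shows that the scheme is a reversible XOR keyed by MD5 of the shared secret plus the previous block, not a one-way hash. The shared secret, Request Authenticator and password are constructed demo values.

```python
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16 octets (RFC 2865 section 5.2)."""
    rem = len(data) % 16
    return data if rem == 0 else data + b"\x00" * (16 - rem)


def hide_password(secret: bytes, request_authenticator: bytes, password: str) -> bytes:
    """Produce the User-Password attribute value carried in a PAP Access-Request.

    RFC 2865 section 5.2: the padded password is split into 16-byte chunks.
    The first chunk is XORed with MD5(secret + Request Authenticator); each
    later chunk is XORed with MD5(secret + previous ciphertext chunk).
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = _pad16(password.encode("utf-8"))
    if len(plain) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this ciphertext block
    return bytes(out)


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> str:
    """Invert hide_password, as the RADIUS server does on receipt.

    Anyone holding the shared secret and the captured packet can run this,
    which is why the hiding offers no protection once the secret leaks.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00").decode("utf-8")


if __name__ == "__main__":
    # Constructed demo values: a shared secret and a random Request Authenticator.
    secret = b"demo-shared-secret"
    authenticator = os.urandom(16)
    hidden = hide_password(secret, authenticator, "hunter2")
    print("User-Password attribute value:", hidden.hex())
    print("recovered by the server:", reveal_password(secret, authenticator, hidden))
```

The only thing standing between a captured Access-Request and the cleartext password is the NAS-to-server shared secret, so treat that secret like a password-equivalent, and carry PAP inside an EAP-TTLS or VPN tunnel as the article recommends rather than across an untrusted segment.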

EAP-MD5 (Extensible Authentication Protocol - Message Digest 5)

EAP-MD5 is a challenge-response authentication protocol that uses the MD5 hashing algorithm. It is used for simple authentication scenarios but is considered weak by modern security standards due to vulnerabilities in the MD5 algorithm.

Organizations may use EAP-MD5 in legacy systems or in environments where security requirements are minimal.
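The MD5 challenge-response exchange described above, as an added example that is not in the original article: Python that builds and parses EAP MD5-Challenge Request and Response packets in the RFC 3748 section 5.4 layout, computes the CHAP-style digest on the client side and verifies it on the server side. The server name, user identity and passwords are constructed demo values; no real RADIUS server is involved.

```python
import hashlib
import hmac
import os
import struct

# EAP packet codes and the MD5-Challenge method type (RFC 3748).
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def build_eap_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Encode an EAP MD5-Challenge Request or Response.

    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name.
    In a Request the Value is the challenge; in a Response it is the digest.
    """
    if not 0 < len(value) < 256:
        raise ValueError("Value must be 1..255 bytes")
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5_packet(packet: bytes):
    """Decode an EAP MD5-Challenge packet, rejecting inconsistent lengths."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    eap_type, value_size = packet[4], packet[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return code, identifier, value, packet[6 + value_size:]


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || password || Challenge), the CHAP construction (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(identifier: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest and compare in constant time.

    The server must hold the user's password in recoverable form to do this,
    which is one reason EAP-MD5 fits poorly with modern credential stores.
    """
    expected = md5_challenge_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def run_md5_exchange(client_password: bytes, server_password: bytes, identifier: int = 1) -> bool:
    """Simulate one Request/Response pair in memory and return the server's verdict."""
    challenge = os.urandom(16)
    # Constructed server name, only informational in the Name field.
    request = build_eap_md5_packet(EAP_REQUEST, identifier, challenge, b"radius.example.test")
    # Client: parse the request and answer with the digest plus its identity.
    code, ident, chal, _server_name = parse_eap_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    digest = md5_challenge_response(ident, client_password, chal)
    response = build_eap_md5_packet(EAP_RESPONSE, ident, digest, b"alice")
    # Server: parse the response and check it against the stored password.
    code, ident, got, _peer_name = parse_eap_md5_packet(response)
    if code != EAP_RESPONSE or ident != identifier:
        return False
    return verify_md5_response(ident, server_password, challenge, got)


if __name__ == "__main__":
    print("matching password accepted:", run_md5_exchange(b"hunter2", b"hunter2"))
    print("wrong password accepted:", run_md5_exchange(b"hunter2", b"hunter3"))
```

Two properties of the exchange matter for the risk assessment: nothing in it authenticates the server to the client, and the challenge, identifier and digest all travel in the clear, so the only secret in play is the password itself. That is why the article rates the method as weak and restricts it to legacy or minimal-security use, and why it should only ever run inside a protected channel.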

MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2)

MS-CHAPv2 is a proprietary authentication protocol developed by Microsoft. It provides mutual authentication and is commonly used in VPNs and dial-up connections. While it offers better security than PAP, it has known vulnerabilities and is not recommended for high-security environments.

Organizations often use MS-CHAPv2 in Microsoft-centric environments, particularly when compatibility with older systems is necessary.

Summary of Common RADIUS Protocols

| Protocol | Description | Use Cases | Username & Password Login | Client Certificate Login |
|---|---|---|---|---|
| EAP-TLS (most secure) | Uses client-side certificates for mutual authentication. | High-security environments, enterprises | | |
| EAP-TTLS | Encapsulates legacy RADIUS methods in an encrypted EAP-TTLS tunnel with the server certificate. | Secure networks needing flexibility | | ❌* (works in practice, but not supported in practice) |
| PEAP | Encapsulates EAP within a TLS tunnel using server-side certificates. | Balance of security and ease of use | | |
| PAP | Transmits usernames and passwords using MD5 hashing. | Legacy systems, secure VPN tunnels | | |
| EAP-MD5 | Challenge-response authentication using MD5 hashing. | Legacy systems, minimal security needs | | |
| MS-CHAPv2 | Proprietary Microsoft protocol with mutual authentication. | Microsoft-centric environments, VPNs | | |

How Do I Choose the Right RADIUS Protocol?

When selecting a RADIUS protocol, consider the following factors:

  • Security Requirements: Assess the sensitivity of the data being protected and choose a protocol that meets your security needs.
  • Compliance Requirements: Ensure that the chosen protocol aligns with any regulatory or compliance standards applicable to your organization.
  • Ease of Management: Consider the complexity of managing certificates versus usernames and passwords. Certificate management requires additional PKI infrastructure which you may need to set up.
  • User Experience: It’s important that your end users have a smooth authentication experience. Protocols like EAP-TLS can provide seamless access without passwords, while others may require more user interaction.
  • Compatibility: Ensure that the chosen protocol is supported by your RADIUS clients and infrastructure.
  • Performance: Evaluate the performance impact of the protocol, especially in high-traffic environments.

What Protocols Do Most Organizations Use?

| Scenario | Commonly Used Protocol(s) |
|---|---|
| Passwordless, Certificate-Based Authentication | EAP-TLS |
| Entra ID Login | EAP-TTLS with PAP |
| IoT Devices | EAP-TLS if combined with device certificates; otherwise EAP-TTLS with PAP |
| MAC Authentication Bypass | EAP-MD5 or EAP-PAP |