Developed in 1991 by Livingston Enterprises, RADIUS was ratified as an Internet Engineering Task Force (IETF) standard in 1997. Nearly 35 years after its inception, it remains a relevant foundational protocol for network access. Today, it’s widely used in Wi-Fi, VPNs, and enterprise networks.

This article explores how RADIUS works, its architecture, limitations, and benefits for network security management and scalability. We also discuss the future of RADIUS in the face of alternative protocols such as Diameter and TACACS+.

The RADIUS protocol is based on a client-server model. It manages essential communications between three key components (and often integrated directories):

User/device

This is the individual or device trying to connect to the network. The user initiates the connection with an access request by submitting credentials to be verified.

Client (Network Access Server)

This is the Network Access Server that receives the connection request from the user/device. Common NAS examples are:

  • Wi-Fi access points
  • VPN concentrators
  • Network switches

The NAS forwards the communication to the RADIUS server.

RADIUS server

The RADIUS server receives the request from the client. As the central brain of the system, the server authenticates the client using a shared secret (a password or key known to both sides) before processing the request.

Then it verifies the forwarded credentials. It may hold the authentication database to do this, but more typically it connects to an existing one. This is where Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and similar records come into play. AD and LDAP are central databases/directories that hold the definitive record of a user’s identity and permissions.

Following authentication, the RADIUS server sends its responses to the client. The reply could be:

  • Access-Reject: The user is denied access to the requested network resources.
  • Access-Challenge: The server requests additional information (such as a one-time code or a fingerprint) before making its final decision.
  • Access-Accept: The user is granted access to the network.

RADIUS’s core functions can be summed up as “AAA” – Authentication, Authorization, Accounting:

  • Authentication: Authentication is the necessary first step in determining if a user or device trying to connect to a network is who they claim to be. The RADIUS server verifies the identity of the user or device.
  • Authorization: After a user is authenticated, the server sets what they are allowed to do and access. This may include assigning them:
    • To a specific network segment (VLAN)
    • A user role
    • Specific permissions
  • Accounting: Once a user is on the network, the server logs their usage. This includes tracking how long they were connected and what services they accessed. Accounting data is vital for:
    • Auditing
    • Billing
    • Security management
    • Troubleshooting
    • Compliance

RADIUS’s core architecture consists of several key components:

  • The client-server system, which includes:
    • The user/device
    • The client or Network Access Server (NAS)
    • The RADIUS server integrated with central user databases (e.g., Active Directory).
  • Transport protocol: RADIUS uses UDP, on port 1812 for authentication and port 1813 for accounting. Older implementations may use ports 1645 and 1646 for authentication and accounting, respectively.

    UDP (User Datagram Protocol) is a fast, connectionless transport layer protocol that sends data packets (datagrams) without first establishing a connection.
  • Authentication method: RADIUS uses the following protocols to authenticate connections:
    • PAP (Password Authentication Protocol)
    • CHAP (Challenge Handshake Authentication Protocol)
    • MS-CHAP (Microsoft variant)
    • EAP (Extensible Authentication Protocol)
  • Directory integrations: RADIUS integrates with identity systems such as Active Directory (AD), UNIX or Linux system accounts, and Lightweight Directory Access Protocol (LDAP). This connection allows it to manage user access by checking and validating credentials.

It’s important to acknowledge and understand RADIUS’s limitations.

The three main ones are as follows:

Reliance on UDP

As mentioned, RADIUS uses UDP, known for “fast but no guarantees” delivery. In contrast, protocols that use TCP (Transmission Control Protocol) must establish a reliable connection through a three-way handshake before data can be transmitted. This is slower, but guarantees delivery.

To compensate for this weakness, RADIUS clients retransmit requests if no response is received from the server. This goes a long way toward ensuring reliable communication, but it isn’t as solid as TCP.

Complex management

RADIUS can be complex to configure and maintain, particularly in large or constantly evolving environments. Network administrators often need to manage multiple policies and must integrate with external directories (Active Directory, LDAP, etc.).

As networks scale, managing updates in line with policy changes and consistent configurations across devices can be challenging. Errors creep in if this administration isn’t buttoned down firmly.

Security concern

A major drawback of RADIUS is its limited encryption. It only encrypts the password field in a packet. Other information, such as usernames, session details, and accounting data, is transmitted in plaintext.

It’s easy to understand the security risk this poses, as attackers with access to the network could intercept and read sensitive information.

Modern extensions such as RadSec (RADIUS over TLS), or carrying RADIUS inside IPsec tunnels, are often recommended to protect the entire exchange rather than just the password field.

More recent protocols, such as TACACS+ and Diameter, provide full payload encryption and bring other improvements. Diameter, for example, introduced in the early 2000s, supports the higher performance demands of next-generation IP-based networks.

RADIUS’s legacy design doesn’t meet all the demands of modern networking. As mentioned, a serious shortcoming is that it only encrypts the password portion of a packet; the rest of the payload is exposed.

Unsurprisingly, newer protocols emerged that addressed some of RADIUS’s security gaps.

These are the leading RADIUS alternatives:

  • TACACS+ provides encryption of the entire packet and uses the more reliable TCP to guarantee packet delivery.
  • Diameter is designed to support the higher performance and security demands of modern networks, including mobile-first LTE and 5G environments. It improves on RADIUS by using TCP or SCTP and stronger encryption.

Despite these newer alternatives, RADIUS remains widely used for several reasons. It’s well-understood by network administrators, supported by virtually all network equipment, and deeply integrated into existing wireless and enterprise infrastructures. Many organizations have invested heavily in RADIUS-based systems and aren’t ready to replace them.

Looking ahead, the future of RADIUS will likely involve:

  • Continued coexistence with TACACS+ and Diameter, depending on use cases.
  • Enhancements through extensions (e.g., RadSec for transport over TLS) to improve security in modern deployments.
  • Ongoing relevance in wireless environments, particularly with WPA2-Enterprise and WPA3-Enterprise authentication.

While viable alternatives exist, RADIUS’s widespread deployment and resilience mean it won’t be consigned to a museum any time soon.

How Acrisure Cyber Can Help?

What Is A RADIUS Server?

A RADIUS server provides centralized authentication, authorization, and accounting (AAA) services for users attempting to access a network. It operates using the User Datagram Protocol (UDP) and typically runs as a background daemon on Windows or UNIX systems.

When a client or network access server (NAS), such as a VPN gateway or wireless access point, sends a connection request, the RADIUS server receives the user’s credentials. It validates them against a database and responds with configuration details that specify the access permissions.

How does RADIUS authenticate users?

When a user attempts to connect, the RADIUS client forwards the user’s credentials, usually a username, password, or digital certificate, to the RADIUS server. The server authenticates the client using a shared secret. It then verifies the credentials against its own database or an external directory like LDAP.

Based on this check, the server tells the client that access is granted or denied. It may also request additional input (e.g., a one-time code or biometric) before making a final decision.

What is a shared secret in RADIUS?

A shared secret in RADIUS is a preconfigured key known only to the RADIUS client and the RADIUS server. It acts as both an encryption key and a trust mechanism. The shared secret is used to encrypt the password field in RADIUS packets. It also verifies the integrity of messages between the client and server.

What is RADIUS used for in networking?

RADIUS is used to centralize authentication, authorization, and accounting for users connecting to a network. Common uses include controlling access to Wi-Fi networks, VPN connections, and remote dial-up services.

It integrates with directory services like Active Directory or LDAP to verify user identities and enforce access policies. RADIUS also tracks user activity for security auditing, billing, and compliance reporting purposes.

What ports does RADIUS use?

The default ports used by RADIUS are:

  • UDP 1812 for authentication
  • UDP 1813 for accounting
  • Some legacy systems and configurations may still use the older ports UDP 1645 (authentication) and UDP 1646 (accounting).

The key point here is to ensure that RADIUS clients and servers are configured to use the same ports and that firewalls are set to allow traffic on these ports.  

What is the difference between RADIUS and TACACS+?

The fundamental differences between RADIUS and TACACS+ are:

  • Encryption: RADIUS only encrypts the password within the authentication packet. In contrast, TACACS+ encrypts the entire packet payload. This makes it a much more secure protocol for transmitting sensitive information.
  • Protocol: RADIUS uses the unreliable but fast UDP (User Datagram Protocol) for communication. TACACS+ uses the more reliable TCP (Transmission Control Protocol), which establishes a three-way handshake connection to guarantee packet delivery. RADIUS mitigates UDP’s shortcomings somewhat because clients can retransmit requests to help ensure communication is completed.
  • Separation of AAA: RADIUS bundles the three AAA functions in a single process. TACACS+ separates them. This means you can use a different server for authentication, authorization, and accounting. This offers the potential advantage of greater flexibility and more precise control over network access.
  • Vendor dependency: RADIUS is an open standard that is supported by numerous network devices from different vendors. TACACS+ is a proprietary protocol developed by Cisco. While it’s widely supported across Cisco’s product line, it’s not as universally compatible with non-Cisco devices.

Is RADIUS still used today?

Yes, RADIUS is still widely deployed today. Numerous organizations use RADIUS for centralized identity management, Wi-Fi security, and VPN access. Its resilience and wide integrations mean that RADIUS will likely remain a part of network user authentication for the foreseeable future.

Does RADIUS support multi-factor authentication?

Yes, RADIUS can support multi-factor authentication (MFA), typically through integration with an external authentication server.

When a user enters their credentials (e.g., a password), the RADIUS server can be configured to forward the request to a separate MFA server. This server handles the second factor (e.g., biometric scan or one-time code) before sending acceptance or rejection back to the RADIUS server.

This setup allows organizations to add an extra layer of security without replacing RADIUS.

How does RADIUS work with Active Directory?

RADIUS integrates with Active Directory (AD) so that when a user attempts to access a network (e.g., Wi-Fi or VPN), the RADIUS server can validate the submitted credentials against Active Directory.

If the credentials match AD’s records, the RADIUS server grants access. It may also return specific authorization settings based on the user’s role/group information contained in AD.

Besides Active Directory, RADIUS can authenticate users against other central directories or databases, such as LDAP, cloud identity providers, and UNIX or Linux system accounts.

Can RADIUS be used for cloud and Wi-Fi authentication?

Yes, RADIUS can be used for both cloud-based and Wi-Fi authentication. It is popularly used for authenticating Wi-Fi users, while cloud deployments usually involve a managed service that hosts the RADIUS server and handles integration with cloud identity providers. A cloud identity provider (IdP) is a service that manages and verifies user identities in the cloud.