
RADIUS Protocol: Authentication, Authorization, Accounting


The RADIUS protocol (Remote Authentication Dial-In User Service) is now one of the pillars of corporate network security, especially in a scenario where the attack surface is expanding exponentially with the advance of hybrid work, the proliferation of IoT devices, and migration to the cloud. Modern security can no longer rely on fixed perimeters. It is essential to know who is accessing the network, from where, and with what permissions, which are central principles of the Zero Trust model.

For more than three decades, RADIUS has been the standard that solves this challenge, acting as the bridge between user (or device) credentials and the organization’s security policies. Without a robust RADIUS server, access management becomes fragmented, inconsistent, and vulnerable.

In this comprehensive guide, we at Tracenet Solutions will explain how the RADIUS Protocol has established itself as the core of Network Access Control (NAC). In addition, we will present best practices for implementing it securely, from AAA centralization to integrations with EAP-TLS and MFA.

What is the RADIUS Protocol? The cornerstone of Network Access Control (NAC)

The RADIUS Protocol is responsible for controlling network access in virtually every environment that requires security and traceability: corporations, hospitals, hotels, and educational institutions.

Since its inception in the early 1990s, RADIUS has evolved from a solution for dial-up connections into the global standard (RFCs 2865 and 2866) for user authentication, authorization, and accounting (AAA). Today, it is the foundation of modern security architectures, working in conjunction with the IEEE 802.1X standard and EAP (Extensible Authentication Protocol).

Fundamentals of the RADIUS Protocol: the AAA triad and policy centralization

RADIUS was developed with the goal of centralizing access management, replacing local (and redundant) authentication on each network device with a unified policy on a centralized RADIUS server. This model not only ensures consistency but also offers the scalability required by growing networks. The power of RADIUS lies in the implementation of the AAA (Authentication, Authorization, Accounting) model, which is essential for any Network Access Control (NAC) and Zero Trust strategy.

What is the AAA Model, and how does it work within this protocol?

The AAA model in the RADIUS Protocol is the security framework that manages the network access lifecycle in three distinct stages:

1. Authentication

  • Definition: confirmation of the identity of the user or device (IoT, machine) through credentials.
  • RADIUS Mechanism: the RADIUS Server acts as a proxy, integrating with external identity sources such as Active Directory (AD), LDAP, digital certificates, MFA tokens, or internal databases.
  • Benefit: prevents account duplication and consolidates authentication into a single policy point.

2. Authorization

  • Definition: the detailed determination of the resources that the authenticated user or device is authorized to access.
  • RADIUS Mechanism: the server decides on access permissions and communicates them to the network device (NAS) through RADIUS Attributes.
  • Advanced Focus: Attributes such as Tunnel-Private-Group-ID (for Dynamic VLAN Assignment – DVA) and Vendor-Specific Attributes (VSAs) enable micro-segmentation and the application of granular policies such as bandwidth, access times, and Quality of Service (QoS) rules.

3. Accounting

  • Definition: detailed logging and monitoring of each access session.
  • RADIUS Mechanism: Accounting-Request packets (Start, Stop, Interim) log crucial information such as login/logout times, session duration, volume of data transferred, and resources used.
  • Advanced Focus: this record is vital for auditing, compliance (GDPR, ISO 27001), usage reports, and complete traceability of activities, strengthening governance and anomaly detection.

📝 Key advantage: The centralized approach of the RADIUS Protocol ensures that network access is granted based on the “least privilege” principle and constantly reevaluated.

RADIUS server architecture, flow, and communication mechanisms

| Function | Description | Example |
| --- | --- | --- |
| Supplicant | The user, device, or application requesting access to the network. | A laptop, smartphone, or IoT printer. |
| NAS (Network Access Server) – RADIUS Client | Network equipment that acts as an access point and intermediary. | A Wi-Fi access point, an 802.1X switch, or a VPN hub. |
| RADIUS Server (Authenticator) | The system that validates credentials, queries databases, applies AAA policies, and returns the access decision. | FreeRADIUS, Microsoft NPS, Cisco ISE. |

Transport and communication security protocol

RADIUS uses the User Datagram Protocol (UDP), with the following default ports:

  • Port 1812: Default for Authentication and Authorization packets.
  • Port 1813: Default for Accounting packets.

Traditional security between the NAS (Client) and the RADIUS Server is based on a Shared Secret, used for packet signing and user password obfuscation.

So, what is the detailed communication flow of the RADIUS Protocol?

  1. Supplicant Request: The user/device sends their credentials to the NAS.
  2. Forwarding (Access-Request): The NAS encapsulates the request in a RADIUS packet, encrypts the password based on the Shared Secret, and sends it via UDP (port 1812) to the RADIUS Server.
  3. AAA Validation: The RADIUS Server queries its identity databases (AD/LDAP), verifies authentication, and simultaneously applies the defined authorization policies.
  4. Server Response: The RADIUS server sends one of the following packets: Access-Accept, Access-Reject, or Access-Challenge.
  5. Access and Accounting: If accepted, the NAS grants access and sends an Accounting-Start (port 1813). At the end of the session, it sends an Accounting-Stop.
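The Access-Request step of the flow above, as an added Python example (not code from the original post or from any RADIUS vendor): it hides the User-Password with the RFC 2865 method the page refers to, assembles the UDP payload and parses it back. reveal_password is the server's side of the same operation, and shows why the Shared Secret must be protected: anyone holding it and a captured packet recovers the password. The secret, username, password and NAS address are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same keystream from the secret and XOR it back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """NAS side: header (Code, Identifier, Length, Request Authenticator) plus attributes."""
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable per request
    body = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attribute type: value}) from raw bytes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 1 < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            break  # malformed attribute length; stop rather than loop forever
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs
```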

802.1X and EAP: the inseparable basis of modern authentication

Image source: Cloud Radius

RADIUS is the engine behind IEEE 802.1X, the port access control standard used in wired networks and Enterprise Wi-Fi (WPA2/3-Enterprise).

EAP (Extensible Authentication Protocol) is the framework that defines how authentication will be performed within the RADIUS tunnel.

| EAP Method | Security Highlight | Security Level |
| --- | --- | --- |
| PEAP-MSCHAPv2 | Based on user/password with TLS tunneling. | Moderate. Vulnerable if the password is weak. |
| EAP-TLS | Uses digital certificates (client and server) with mutual authentication. Eliminates the use of passwords. | High/Recommended. Resistant to Man-in-the-Middle attacks. |

Recommendation: Migration to EAP-TLS is the primary security strategy, as it facilitates machine authentication in Zero Trust environments.

Dynamic authorization and microsegmentation: the power of RADIUS attributes

Beyond simply saying “Yes” or “No” to access, RADIUS is a segmentation and automation engine.

1. Dynamic VLAN Assignment (DVA)

DVA allows the RADIUS server to automatically place the user or device in the correct VLAN based on their Active Directory profile or group.

  • Mechanism: the RADIUS server sends the VLAN ID within the Tunnel-Type and Tunnel-Private-Group-ID attributes of the Access-Accept packet.
  • Benefit: essential for multi-tenant logical isolation in coworking spaces, hotels, and universities.
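How the VLAN travels in the Access-Accept, as an added Python example that is not code from the original post: it encodes the three tunnel attributes with their RFC 2868 tag octet and shows the NAS-side interpretation, including the incomplete set that produces the "authenticated but wrong VLAN" symptom. Attribute numbers and enumeration values are those of RFCs 2868 and 3580; the VLAN ID 120 is a constructed value.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def dva_attributes(vlan_id, tag=1):
    """The three attributes an Access-Accept carries for Dynamic VLAN Assignment, as (type, value)."""
    return [
        (TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802)),
        (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ]


def untag(value):
    """Split a value into (tag, payload). RFC 2868: a first octet above 0x1F is data, not a tag."""
    return (value[0], value[1:]) if value[0] <= 0x1F else (0, value)


def vlan_from_accept(attrs):
    """NAS-side interpretation of the Access-Accept attributes.

    Returns the VLAN ID (int) or VLAN name (str) only when all three attributes are present and
    describe an IEEE 802 VLAN; otherwise None, meaning the port keeps its default VLAN."""
    present = {atype: untag(value)[1] for atype, value in attrs
               if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if len(present) < 3:
        return None
    if (int.from_bytes(present[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(present[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None
    group_id = present[TUNNEL_PRIVATE_GROUP_ID].decode()
    return int(group_id) if group_id.isdigit() else group_id
```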

2. Vendor-Specific Attributes (VSAs)

VSAs allow equipment manufacturers (Cisco, Aruba, Juniper, etc.) to insert proprietary attributes.

  • Advantage: VSAs allow more advanced security policies (dynamic firewall rules, QoS) to be defined and managed on the central RADIUS server.

RADIUS and contemporary security: MFA, IoT, and Cloud

With the expansion of networks, the role of the RADIUS Server has been extended to support more sophisticated security technologies.

1. Multi-Factor Authentication (MFA) with the RADIUS Protocol

RADIUS adapts to MFA through:

  • Access-Challenge: The RADIUS flow can request a second authentication factor (token code).
  • Proxy integration: cloud-based MFA solutions act as a RADIUS Proxy, validating the first factor (password) and mediating the second factor challenge (app push).

2. Authentication of IoT devices and machines (Machine Authentication)

RADIUS, via EAP-TLS, allows:

  • Strong identity for machines: each device (IoT, printers) receives a unique digital certificate. The RADIUS Server validates this certificate, ensuring that only corporate and known devices have access.
  • Automatic segmentation: IoT devices can be isolated in a separate VLAN (via DVA), limiting their potential to cause damage in case of compromise.

3. RADIUS in the Cloud (Cloud RADIUS)

Cloud RADIUS or RADIUS as a Service (RaaS) solutions simplify operation:

  • Scalability and high availability: the authentication infrastructure is managed by a provider.
  • Cloud identity integration: facilitates integration with cloud-based directories such as Azure Active Directory (AAD).

Security and historical vulnerabilities: the evolution of protection

RADIUS has historical limitations that need to be mitigated, such as the use of MD5 hashing for password obfuscation.

The Blast-RADIUS vulnerability (CVE-2024-3596) exposed a flaw that allows packet manipulation to transform Access-Reject into Access-Accept. Mitigations are mandatory:

  • Use the Message-Authenticator Attribute (RFC 3579): adds an Integrity Check Value (ICV) that ensures the integrity of the entire RADIUS packet. It is an essential defense.
  • Migrate to EAP-TLS: eliminate the use of passwords.
  • Strong Shared Secrets: adopt complex Shared Secrets with more than 20 characters.
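The Message-Authenticator mitigation above, as an added Python example (not code from the original post or from any RADIUS implementation): the server builds an Access-Accept with and without the attribute, and a NAS-side verifier checks the Response Authenticator and, when require_ma is set, refuses any response that lacks a valid Message-Authenticator. The shared secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 2, 80


def _find_attr(pkt, atype):
    """Offset of the first attribute of this type (attributes start at octet 20), or -1."""
    pos = 20
    while pos + 1 < len(pkt):
        if pkt[pos] == atype:
            return pos
        if pkt[pos + 1] < 2:
            return -1  # malformed length; stop rather than loop forever
        pos += pkt[pos + 1]
    return -1


def message_authenticator(pkt, secret, authenticator):
    """HMAC-MD5 over Code+ID+Length+Authenticator+Attributes with the attribute's own 16 octets
    zeroed (RFC 3579 3.2). For a response, `authenticator` is the Request Authenticator."""
    pos = _find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if pos < 0:
        return None
    data = pkt[:4] + authenticator + pkt[20:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
    return hmac.new(secret, data, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma=True):
    """Server side: attributes, optional Message-Authenticator, then the Response Authenticator."""
    body = b"".join(attrs) + (bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16 if with_ma else b"")
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    pkt = head + b"\x00" * 16 + body
    if with_ma:
        pos = _find_attr(pkt, MESSAGE_AUTHENTICATOR)
        pkt = pkt[:pos + 2] + message_authenticator(pkt, secret, request_auth) + pkt[pos + 18:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    resp_auth = hashlib.md5(head + request_auth + pkt[20:] + secret).digest()
    return head + resp_auth + pkt[20:]


def verify_response(pkt, request_auth, secret, require_ma=True):
    """NAS side. With require_ma=True a response lacking Message-Authenticator is refused,
    which is the Blast-RADIUS mitigation; returns (accepted, reason)."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        return False, "bad Response Authenticator"
    pos = _find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if pos < 0:
        return (not require_ma), "Message-Authenticator missing"
    if not hmac.compare_digest(pkt[pos + 2:pos + 18], message_authenticator(pkt, secret, request_auth)):
        return False, "bad Message-Authenticator"
    return True, "ok"
```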

Advanced Diagnostics and Troubleshooting (Ports and Attributes)

| Common Sign | Possible Cause/Diagnosis | Resolution by Tracenet Solutions |
| --- | --- | --- |
| No response from the server. | Firewall blocking UDP ports 1812/1813. | Check firewall logs and the traffic route between the NAS and the RADIUS server. |
| Unexpected “Access-Reject”. | Incorrect Shared Secret or NAS not registered. | Revalidate and reconfigure the Shared Secret. |
| Authenticated, but falls into the wrong VLAN. | Authorization Attributes (DVA) are not being sent. | Validate the Vendor-Specific Attributes (VSAs) on the RADIUS Server and verify NAS compatibility. |

RFC 3576: The Power of Disconnect Messages (CoA/PoD)

RFC 3576 defines the use of out-of-band control messages that allow the RADIUS server to manage active sessions:

  • Change of Authorization (CoA): allows you to change a user’s permissions during the session (e.g., change the VLAN).
  • Packet of Disconnect (PoD): allows the server to terminate a user’s session immediately (used for instant access revocation).

Practical applications of RADIUS in corporate projects

In addition to its technical function, RADIUS is widely used as a central component in modern access control projects. Two of the most common applications are in NAC (Network Access Control with 802.1X) and Captive Portal (Wi-Fi with authentication).

1. NAC (Network Access Control with 802.1X) projects

RADIUS is the brain of NAC. 802.1X defines how the device requests access to the network, while RADIUS validates credentials and enforces identity-based authorization policies.

In a typical architecture:

  • The device requests access via 802.1X.
  • The NAS forwards to the RADIUS server.
  • RADIUS authenticates to AD/LDAP and decides the access level.
  • The VLAN and permissions are applied dynamically.

In addition, micro-segmentation via DVA and VSAs makes NAC more intelligent, enabling adaptive policies and automatically isolating users on their respective VLANs.

2. Captive Portal Projects (Wi-Fi with authentication)

In corporate Wi-Fi networks, Captive Portal acts as the visual login layer. When the user enters their credentials, the portal sends the data to the RADIUS Server, which authenticates and authorizes access.

This model provides:

  • Centralized control and auditing of logins;
  • Enhanced security before internet access;
  • Integration with AD/LDAP;
  • Customization of the user experience with the company’s identity.

RADIUS as the core of security and compliance

The RADIUS protocol is the core of centralized access control, ensuring integrity, scalability, and visibility into who accesses the network and how they do so. 

For a modern, secure implementation aligned with Zero Trust best practices, we recommend prioritizing:

  • EAP-TLS: for mutual authentication and elimination of password vulnerability.
  • Dynamic Authorization (DVA/VSAs): for automated microsegmentation of users and devices.
  • Message-Authenticator (RFC 3579): to ensure the integrity of all packets.
  • Centralized Integration: unify policies and logs with Active Directory and SIEM systems.

With proper configuration and updated layers of protection, RADIUS remains the gold standard for enterprise access control and a centerpiece of contemporary Network Access Control (NAC) and Zero Trust strategies.

Would you like to schedule a consultation with Tracenet Solutions to assess the security of your current RADIUS server and plan a migration to EAP-TLS and Zero Trust? Contact one of our consultants!