{"id":3599,"date":"2025-11-12T10:49:29","date_gmt":"2025-11-12T15:49:29","guid":{"rendered":"https:\/\/www.tracenetsolutions.com\/?p=3599"},"modified":"2026-05-11T15:22:29","modified_gmt":"2026-05-11T19:22:29","slug":"radius-protocol-authentication-authorization-accounting","status":"publish","type":"post","link":"https:\/\/www.tracenetsolutions.com\/pt\/2025\/11\/12\/radius-protocol-authentication-authorization-accounting\/","title":{"rendered":"RADIUS Protocol: Authentication, Authorization, Accounting"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The <\/span><b>RADIUS protocol<\/b> <b>(Remote Authentication Dial-In User Service) <\/b><span style=\"font-weight: 400;\">is now one of the pillars of corporate network security, especially in a scenario where the <\/span><b>attack surface is expanding exponentially<\/b><span style=\"font-weight: 400;\"> with the advance of hybrid work, the proliferation of IoT devices, and migration to the cloud. <\/span><span style=\"font-weight: 400;\">Modern security can no longer rely on fixed perimeters. It is essential to know <\/span><b>who is accessing the network, from where, and with what permissions<\/b><span style=\"font-weight: 400;\">, which are central principles of the<\/span><b> Zero Trust <\/b><span style=\"font-weight: 400;\">model.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For more than three decades, <\/span>RADIUS<span style=\"font-weight: 400;\"> has been the standard that solves this challenge, acting as the bridge between user (or device) credentials and the organization&#8217;s security policies. 
Without a robust <\/span>RADIUS server, access management becomes fragmented, inconsistent, and vulnerable.<\/p>\n<p><span style=\"font-weight: 400;\">In this comprehensive guide, we at <\/span><b>Tracenet Solutions<\/b><span style=\"font-weight: 400;\"> will explain how the <\/span><b>RADIUS Protocol<\/b><span style=\"font-weight: 400;\"> has established itself as the core of <\/span><b>Network Access Control (NAC)<\/b><span style=\"font-weight: 400;\">. In addition, we will present best practices for implementing it securely, <\/span><b>from AAA centralization<\/b><span style=\"font-weight: 400;\"> to <\/span><b>integrations with EAP-TLS and MFA<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><b>What is the RADIUS Protocol? The cornerstone of Network Access Control (NAC)<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The RADIUS Protocol is responsible for controlling network access in virtually every environment that requires security and traceability: corporations, hospitals, hotels, and educational institutions. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Since its inception in the early 1990s, RADIUS has evolved from a solution for dial-up connections to become the <\/span><b>global standard (RFCs 2865 and 2866)<\/b><span style=\"font-weight: 400;\"> for user authentication, authorization, and accounting (AAA). 
<\/span><span style=\"font-weight: 400;\">Today, it is the <\/span><b>foundation of modern security architectures<\/b><span style=\"font-weight: 400;\">, <\/span><b>working in conjunction with the IEEE 802.1X standard<\/b> <b>and EAP (Extensible Authentication Protocol).<\/b><\/p>\n<h2><b>Fundamentals of the RADIUS Protocol: the AAA triad and policy centralization<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">RADIUS was developed with the goal of <\/span><b>centralizing access management<\/b><span style=\"font-weight: 400;\">, replacing local (and redundant) authentication on each network device with a unified policy on a centralized RADIUS server. This model not only ensures consistency but also offers the scalability required by growing networks. <\/span><span style=\"font-weight: 400;\">The power of RADIUS lies in the implementation of the AAA (Authentication, Authorization, Accounting) model, which is <\/span><b>essential for any Network Access Control (NAC) and Zero Trust strategy.<\/b><\/p>\n<h3><b>What is the AAA Model, and how does it work within this protocol?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The AAA model in the RADIUS Protocol is the security framework that manages the network access lifecycle in three distinct stages:<\/span><\/p>\n<h4><b>1. 
Authentication<\/b><\/h4>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Definition:<\/b><span style=\"font-weight: 400;\"> confirmation of the identity of the user or device (IoT, machine) through credentials.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>RADIUS Mechanism:<\/b><span style=\"font-weight: 400;\"> the <\/span><b>RADIUS Server acts as a proxy<\/b><span style=\"font-weight: 400;\">, integrating with external identity sources such as <\/span><b>Active Directory (AD), LDAP, digital certificates, MFA tokens, or internal databases<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Benefit:<\/b><span style=\"font-weight: 400;\"> prevents account duplication and consolidates authentication into a single policy point.<\/span><\/li>\n<\/ul>\n<h4><b>2. Authorization<\/b><\/h4>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Definition: <\/b><span style=\"font-weight: 400;\">the detailed determination of the resources that the authenticated user or device is authorized to access.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>RADIUS Mechanism:<\/b><span style=\"font-weight: 400;\"> the server decides on access permissions and communicates them to the network device (NAS) through <\/span><b>RADIUS Attributes<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Advanced Focus:<\/b><span style=\"font-weight: 400;\"> Attributes such as <\/span><span style=\"font-weight: 400;\">Tunnel-Private-Group-ID<\/span><span style=\"font-weight: 400;\"> (for <\/span><b>Dynamic VLAN Assignment &#8211; DVA<\/b><span style=\"font-weight: 400;\">) and <\/span><b>Vendor-Specific Attributes (VSAs) <\/b><span style=\"font-weight: 400;\">enable micro-segmentation and the application of granular policies such as bandwidth, access times, and Quality of Service (QoS) rules.<\/span><\/li>\n<\/ul>\n<h4><b>3. 
Accounting<\/b><\/h4>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Definition:<\/b><span style=\"font-weight: 400;\"> detailed logging and monitoring of each access session.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>RADIUS Mechanism:<\/b> <i><span style=\"font-weight: 400;\">Accounting-Request<\/span><\/i><span style=\"font-weight: 400;\"> packets (Start, Stop, Interim) log crucial information such as login\/logout times, session duration, volume of data transferred, and resources used.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Advanced Focus:<\/b><span style=\"font-weight: 400;\"> this record is vital for<\/span><b> auditing, compliance (GDPR, ISO 27001)<\/b><span style=\"font-weight: 400;\">, <\/span><b>usage reports, and complete traceability of activities<\/b><span style=\"font-weight: 400;\">, strengthening governance and anomaly detection.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">\ud83d\udcdd Key advantage: The centralized approach of the RADIUS Protocol ensures that network access is granted based on the \u201cleast privilege\u201d principle and constantly reevaluated.<\/span><\/p>\n<h2><b>RADIUS server architecture, flow, and communication mechanisms<\/b><\/h2>\n<table>\n<tbody>\n<tr>\n<td><b>Component<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<td><b>Example<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>Supplicant<\/b><\/td>\n<td><span style=\"font-weight: 400;\">The user, device, or application requesting access to the network.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A laptop, smartphone, or IoT printer.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>NAS (Network Access Server) &#8211; RADIUS Client<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Network equipment that acts as an access point and intermediary.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A Wi-Fi access point, an 802.1X switch, or a VPN hub.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>RADIUS 
Server (Authenticator)<\/b><\/td>\n<td><span style=\"font-weight: 400;\">The system that validates credentials, queries databases, applies AAA policies, and returns the access decision.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">FreeRADIUS, Microsoft NPS, Cisco ISE.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><b>Transport and communication security protocol<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">RADIUS uses the <\/span><b>User Datagram Protocol (UDP)<\/b><span style=\"font-weight: 400;\">, with the following default ports:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Port 1812:<\/b><span style=\"font-weight: 400;\"> Default for <\/span><b>Authentication and Authorization<\/b><span style=\"font-weight: 400;\"> packets.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Port 1813:<\/b><span style=\"font-weight: 400;\"> Default for <\/span><b>Accounting<\/b><span style=\"font-weight: 400;\"> packets.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Traditional security between the NAS (Client) and the RADIUS Server is based on a <\/span><b>Shared Secret,<\/b><span style=\"font-weight: 400;\"> used for packet signing and user password obfuscation.<\/span><\/p>\n<h4><b>So, what is the detailed communication flow of the RADIUS Protocol?<\/b><\/h4>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Supplicant Request: <\/b><span style=\"font-weight: 400;\">The user\/device sends their credentials to the NAS.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Forwarding (Access-Request):<\/b><span style=\"font-weight: 400;\"> The NAS encapsulates the request in a RADIUS packet, encrypts the password based on the Shared Secret, and sends it via UDP (port 1812) to the RADIUS Server.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>AAA Validation:<\/b><span style=\"font-weight: 400;\"> The RADIUS Server queries its identity databases (AD\/LDAP), verifies 
authentication, and simultaneously applies the defined authorization policies.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Server Response: <\/b><span style=\"font-weight: 400;\">The RADIUS server sends one of the following packets: Access-Accept, Access-Reject, or Access-Challenge.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Access and Accounting:<\/b><span style=\"font-weight: 400;\"> If accepted, the NAS grants access and sends an Accounting-Start (port 1813). At the end of the session, it sends an Accounting-Stop.<\/span><\/li>\n<\/ol>\n<h3><b>802.1X and EAP: the inseparable basis of modern authentication<\/b><\/h3>\n<figure id=\"attachment_3597\" aria-describedby=\"caption-attachment-3597\" style=\"width: 1506px\" class=\"wp-caption alignnone\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-3597\" src=\"https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2.png\" alt=\"RADIUS PROTOCOL\" width=\"1506\" height=\"588\" srcset=\"https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2.png 1173w, https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2-300x117.png 300w, https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2-1024x400.png 1024w, https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2-768x300.png 768w, https:\/\/www.tracenetsolutions.com\/wp-content\/uploads\/2025\/11\/image2-18x7.png 18w\" sizes=\"(max-width: 1506px) 100vw, 1506px\" \/><figcaption id=\"caption-attachment-3597\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/www.cloudradius.com\/the-stages-of-802-1x-authentication\/\" target=\"_blank\" rel=\"noopener\">Cloud Radius<\/a><\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">RADIUS is the engine behind <\/span><b>IEEE 802.1X<\/b><span style=\"font-weight: 400;\">, the port access control standard used in <\/span><b>wired networks and Enterprise Wi-Fi 
(WPA2\/3-Enterprise)<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><b>EAP (Extensible Authentication Protocol)<\/b><span style=\"font-weight: 400;\"> is the framework <\/span><b>that defines how authentication will be performed <\/b><span style=\"font-weight: 400;\">within the RADIUS tunnel.<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>EAP Method<\/b><\/td>\n<td><b>Security Highlight<\/b><\/td>\n<td><b>Security Level<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>PEAP-MSCHAPv2<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Based on user\/password with TLS tunneling.<\/span><\/td>\n<td><b>Moderate. <\/b><span style=\"font-weight: 400;\">Vulnerable if the password is weak.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>EAP-TLS<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Uses <\/span><b>digital certificates <\/b><span style=\"font-weight: 400;\">(client and server) with mutual authentication. <\/span><b>Eliminates the use of passwords.<\/b><\/td>\n<td><b>High\/Recommended. <\/b><span style=\"font-weight: 400;\">Resistant to Man-in-the-Middle attacks.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>Recommendation:<\/b><span style=\"font-weight: 400;\"> Migration to <\/span><b>EAP-TLS<\/b><span style=\"font-weight: 400;\"> is the primary security strategy, as it facilitates machine authentication in <\/span><a href=\"https:\/\/www.tracenetsolutions.com\/pt\/2024\/02\/27\/zero-trust-discover-the-future-of-cyber-security\/\" target=\"_blank\" rel=\"noopener\"><b>Zero Trust <\/b><\/a><span style=\"font-weight: 400;\">environments.<\/span><\/p>\n<h3><b>Dynamic authorization and microsegmentation: the power of RADIUS attributes<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Beyond simply saying \u201cYes\u201d or \u201cNo\u201d to access, RADIUS is a segmentation and automation engine.<\/span><\/p>\n<h4><b>1. 
Dynamic VLAN Assignment (DVA)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">DVA allows the <\/span><b>RADIUS server to automatically place the user or device in the correct VLAN <\/b><span style=\"font-weight: 400;\">based on their Active Directory profile or group.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Mechanism:<\/b><span style=\"font-weight: 400;\"> the RADIUS server sends the VLAN ID within the <\/span><span style=\"font-weight: 400;\">Tunnel-Type<\/span><span style=\"font-weight: 400;\"> and <\/span><span style=\"font-weight: 400;\">Tunnel-Private-Group-ID<\/span><span style=\"font-weight: 400;\"> attributes of the <\/span><i><span style=\"font-weight: 400;\">Access-Accept<\/span><\/i><span style=\"font-weight: 400;\"> packet.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Benefit:<\/b><span style=\"font-weight: 400;\"> essential for <\/span><b>multi-tenant logical isolation<\/b><span style=\"font-weight: 400;\"> in coworking spaces, hotels, and universities.<\/span><\/li>\n<\/ul>\n<h4><b>2. Vendor-Specific Attributes (VSAs)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">VSAs allow equipment manufacturers (Cisco, Aruba, Juniper, etc.) to insert proprietary attributes.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Advantage:<\/b><span style=\"font-weight: 400;\"> VSAs allow more advanced security policies (dynamic firewall rules, QoS) to be defined and managed on the central RADIUS server.<\/span><\/li>\n<\/ul>\n<h3><b>RADIUS and contemporary security: MFA, IoT, and Cloud<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">With the expansion of networks, the role of the RADIUS Server has been extended to support more sophisticated security technologies.<\/span><\/p>\n<h4><b>1. 
Multi-Factor Authentication (MFA) with the RADIUS Protocol<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">RADIUS adapts to MFA through:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Access-Challenge:<\/b><span style=\"font-weight: 400;\"> The RADIUS flow can request a second authentication factor (token code).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Proxy integration:<\/b><span style=\"font-weight: 400;\"> cloud-based MFA solutions act as a RADIUS Proxy, validating the first factor (password) and mediating the second factor challenge (app push).<\/span><\/li>\n<\/ul>\n<h4><b>2. Authentication of IoT devices and machines (Machine Authentication)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">RADIUS, via EAP-TLS, allows:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Strong identity for machines:<\/b><span style=\"font-weight: 400;\"> each device (IoT, printers) receives a unique digital certificate. The RADIUS Server validates this certificate, ensuring that only corporate and known devices have access.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Automatic segmentation:<\/b><span style=\"font-weight: 400;\"> IoT devices can be isolated in a separate VLAN (via DVA), limiting their potential to cause damage in case of compromise.<\/span><\/li>\n<\/ul>\n<h4><b>3. 
RADIUS in the Cloud (Cloud RADIUS)<\/b><\/h4>\n<p><b>Cloud RADIUS<\/b><span style=\"font-weight: 400;\"> or <\/span><b>RADIUS as a Service (RaaS)<\/b><span style=\"font-weight: 400;\"> solutions simplify operation:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Scalability and high availability:<\/b><span style=\"font-weight: 400;\"> the authentication infrastructure is managed by a provider.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Cloud identity integration:<\/b><span style=\"font-weight: 400;\"> facilitates integration with <\/span><b>cloud-based directories <\/b><span style=\"font-weight: 400;\">such as <\/span><b>Azure Active Directory (AAD)<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<h2><b>Security and historical vulnerabilities: the evolution of protection<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">RADIUS has historical limitations that need to be mitigated, such as the use of MD5 hashing for password obfuscation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <\/span><b>Blast-RADIUS vulnerability (CVE-2024-3596)<\/b><span style=\"font-weight: 400;\"> exposed a flaw that allows packet manipulation to transform <\/span><i><span style=\"font-weight: 400;\">Access-Reject<\/span><\/i><span style=\"font-weight: 400;\"> into <\/span><i><span style=\"font-weight: 400;\">Access-Accept<\/span><\/i><span style=\"font-weight: 400;\">. 
Mitigations are mandatory:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Use the Message-Authenticator Attribute (RFC 3579):<\/b><span style=\"font-weight: 400;\"> adds an Integrity Check Value (ICV) that ensures the integrity of the entire RADIUS packet.<\/span><b> It is an essential defense.<\/b><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Migrate to EAP-TLS: <\/b><span style=\"font-weight: 400;\">eliminate the use of passwords.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Strong Shared Secrets:<\/b><span style=\"font-weight: 400;\"> adopt complex Shared Secrets with more than 20 characters.<\/span><\/li>\n<\/ul>\n<h3><b>Advanced Diagnostics and Troubleshooting (Ports and Attributes)<\/b><\/h3>\n<table>\n<tbody>\n<tr>\n<td><b>Common Sign<\/b><\/td>\n<td><b>Possible Cause\/Diagnosis<\/b><\/td>\n<td><b>Resolution by Tracenet Solutions<\/b><\/td>\n<\/tr>\n<tr>\n<td><b>No response from the server.<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Firewall blocking UDP ports 1812\/1813.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Check firewall logs and the traffic route between the NAS and the RADIUS server.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Unexpected &#8220;Access-Reject&#8221;\u00a0<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Incorrect Shared Secret or NAS not registered.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Revalidate and reconfigure the <\/span><b>Shared Secret<\/b><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr>\n<td><b>Authenticated, but falls into the wrong VLAN<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Authorization Attributes (DVA) are not being sent.<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Validate the <\/span><b>Vendor-Specific Attributes (VSAs)<\/b><span style=\"font-weight: 400;\"> on the RADIUS Server and verify NAS compatibility.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><b>RFC 3576: The Power of Disconnect 
Messages (CoA\/PoD)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">RFC 3576 defines the use of out-of-band control messages that allow the RADIUS server to manage active sessions:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Change of Authorization (CoA):<\/b><span style=\"font-weight: 400;\"> allows you to change a user&#8217;s permissions during the session (e.g., change the VLAN).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Packet of Disconnect (PoD):<\/b><span style=\"font-weight: 400;\"> allows the server to terminate a user&#8217;s session immediately (used for instant access revocation).<\/span><\/li>\n<\/ul>\n<h3><b>Practical applications of RADIUS in corporate projects<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">In addition to its technical function, RADIUS is widely used as a <\/span><b>central component in modern access control projects<\/b><span style=\"font-weight: 400;\">. Two of the most common applications are in <\/span><b>NAC (Network Access Control with 802.1X)<\/b><span style=\"font-weight: 400;\"> and <\/span><b>Captive Portal (Wi-Fi with authentication).<\/b><\/p>\n<h4><b>1. NAC (Network Access Control with 802.1X) projects<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">RADIUS is the brain of NAC. 
802.1X defines how the device requests access to the network, while RADIUS validates credentials and enforces identity-based authorization policies.<\/span><\/p>\n<p><b>In a typical architecture:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The device requests access via 802.1X.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The NAS forwards to the RADIUS server.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">RADIUS authenticates to AD\/LDAP and decides the access level.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The VLAN and permissions are applied dynamically.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">In addition, micro-segmentation via <\/span><b>DVA<\/b><span style=\"font-weight: 400;\"> and <\/span><b>VSAs<\/b><span style=\"font-weight: 400;\"> makes NAC more intelligent, enabling adaptive policies and automatically isolating users on their respective VLANs.<\/span><\/p>\n<h4><b>2. Captive Portal Projects (Wi-Fi with authentication)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">In corporate Wi-Fi networks, Captive Portal acts as the visual login layer. 
When the user enters their credentials, the portal sends the data to the RADIUS Server, which authenticates and authorizes access.<\/span><\/p>\n<p><b>This model provides:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Centralized control and auditing of logins;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enhanced security before internet access;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Integration with AD\/LDAP;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Customization of the user experience with the company&#8217;s identity.<\/span><\/li>\n<\/ul>\n<h2><b>RADIUS as the core of security and compliance<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The RADIUS protocol is the core of <\/span><b>centralized access control<\/b><span style=\"font-weight: 400;\">, ensuring integrity, scalability, and visibility into who accesses the network and how they do so.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For a modern, secure implementation aligned with Zero Trust best practices, we recommend prioritizing:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>EAP-TLS:<\/b><span style=\"font-weight: 400;\"> for mutual authentication and elimination of password vulnerability.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Dynamic Authorization (DVA\/VSAs):<\/b><span style=\"font-weight: 400;\"> for automated microsegmentation of users and devices.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Message-Authenticator (RFC 3579): <\/b><span style=\"font-weight: 400;\">to ensure the integrity of all packets.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Centralized Integration:<\/b><span style=\"font-weight: 400;\"> unify policies and logs with Active Directory and SIEM 
systems.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">With proper configuration and updated layers of protection, RADIUS remains the gold standard for enterprise access control and a centerpiece of contemporary <\/span><b>Network Access Control (NAC) and Zero Trust strategies.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Would you like to schedule a consultation with Tracenet Solutions to assess the security of your current RADIUS server and plan a migration to EAP-TLS and Zero Trust? <\/span><b>Contact one of our consultants!<\/b><\/p>","protected":false},"excerpt":{"rendered":"<p>The RADIUS protocol (Remote Authentication Dial-In User Service) is now one of the pillars of corporate network security, especially in a scenario where the attack surface is expanding exponentially with the advance of hybrid work, the proliferation of IoT devices, and migration to the cloud. Modern security can no longer rely on fixed perimeters. It [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":3604,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,45],"tags":[],"class_list":["post-3599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-english","category-tecnology-eg"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/posts\/3599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/comments?post=3599"}],"version-history":[{"count":2,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/posts\/3599\/revisions"}],"predecessor-version":[{"id":3906,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/posts\/3599\/revisions\/3906"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/media\/3604"}],"wp:attachment":[{"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/media?parent=3599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/categories?post=3599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tracenetsolutions.com\/pt\/wp-json\/wp\/v2\/tags?post=3599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}