What Is RADIUS? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
RADIUS is like a security guard for your network. When you try to log in to Wi-Fi or a VPN, RADIUS checks your username and password against a central list. If you're approved, it tells the network to let you in and can even track how long you were connected. It keeps everything secure and simple to manage from one place.
Common Commands & Configuration
radius-server host 192.168.1.10 key MySecretKeyConfigures a RADIUS server on a Cisco device with IP address 192.168.1.10 and the shared secret key 'MySecretKey'. This is the foundational command to enable communication between the NAS and the RADIUS server.
Appears in CCNA and Network+ exams to test knowledge of configuring AAA servers. Candidates must remember that the shared key must match on both the NAS and RADIUS server.
aaa new-modelEnables the AAA (Authentication, Authorization, and Accounting) security model on Cisco IOS devices. This command is required before configuring any AAA services.
CMN for CCNA: Without 'aaa new-model', AAA commands will not be accepted. Often the first step in AAA configuration questions.
aaa authentication login default group radius localDefines a default authentication list that first attempts to authenticate using RADIUS, and if the server is unreachable, falls back to local database authentication.
Tests understanding of authentication method lists. 'local' is a fallback; if RADIUS rejects, local is not used. Common in Security+ and CCNA.
debug radius authenticationEnables real-time debugging of RADIUS authentication events on a Cisco device, showing packet details like Access-Request, Access-Accept, or Access-Reject.
Used for troubleshooting. In exams, you may be asked which debug command to use for RADIUS issues. 'debug radius' or 'debug aaa authentication' are alternatives.
radius-server timeout 10Sets the timeout in seconds for waiting for a response from the RADIUS server before retransmitting.
Understand that the default timeout is typically 5 seconds. Setting it higher can prevent premature failures on slow links; setting it lower improves responsiveness. Appears in Network+ detail questions.
show running-config | include radiusDisplays the current RADIUS configuration from the running configuration file on Cisco devices. Useful for verification and troubleshooting.
Command syntax with 'include' is common in CCNA and Network+ exams to filter output. You might be asked to verify RADIUS settings like server IP and key.
test aaa group radius user1 password1 new-codeTests RADIUS authentication for a specific user directly from the Cisco device CLI without requiring an actual connection attempt.
A powerful troubleshooting command that isolates RADIUS server issues. Appears in advanced CCNA and CCNP scenarios. 'new-code' indicates the latest RADIUS implementation.
RADIUS appears directly in 120exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
RADIUS appears prominently in multiple IT certification exams, and understanding its role, operation, and limitations can directly impact your score. In the CompTIA Security+ exam (SY0-601 and SY0-701), RADIUS is a key concept under Domain 3 (Implementation) and Domain 4 (Operations and Incident Response). You need to know that RADIUS provides centralized AAA for network access, that it uses UDP ports 1812 (auth) and 1813 (accounting), and that it encrypts only the password, not the entire packet. Questions often compare RADIUS with TACACS+ (which encrypts the entire packet and uses TCP). You may also see scenario questions where you must choose the right protocol for a given situation, for example, “Which AAA protocol should be used for network device administration?” The answer is TACACS+, not RADIUS.
In the CompTIA Network+ exam (N10-008), RADIUS appears in Domain 1 (Networking Fundamentals) and Domain 4 (Network Security). You should understand that RADIUS operates at the application layer and provides centralized authentication for users connecting to a network. Exam questions may ask about ports, the difference between authentication, authorization, and accounting, and the role of the NAS (Network Access Server) as the RADIUS client.
For the Cisco CCNA exam (200-301), RADIUS is a fundamental concept in network security and access control. CCNA expects you to know how to configure RADIUS on a Cisco IOS device for AAA services. You should understand the difference between local authentication (configured on the device itself) and server-based authentication (using RADIUS). CCNA questions often involve configuration snippets where you need to identify the correct commands to enable AAA with RADIUS. You should also know that RADIUS uses UDP, and that it is widely used for 802.1X port-based access control.
In the ISC2 CISSP exam, RADIUS appears in Domain 5 (Identity and Access Management) and Domain 4 (Communication and Network Security). CISSP questions are more conceptual and focus on the role of RADIUS in a broader IAM framework. You should understand that RADIUS is a protocol that supports AAA, and that it can be used in conjunction with other technologies like LDAP, Kerberos, and PKI. CISSP questions may ask about the security weaknesses of RADIUS, such as its use of UDP and the fact that only the password is encrypted. You might also see questions about RadSec (RADIUS over TLS) as a more secure alternative.
In all these exams, being able to answer scenario-based questions about RADIUS is critical. For example, a question might describe a company that wants to secure its Wi-Fi network and needs to centralize user authentication. You would need to recommend RADIUS with EAP-TLS for certificate-based authentication. Another question might describe a problem where users can connect to Wi-Fi but cannot get an IP address, the root cause could be a misconfigured RADIUS server that fails to return the Framed-IP-Address attribute. Understanding these nuances separates a good exam score from a great one.
Simple Meaning
Think of RADIUS as a receptionist for a big office building. Imagine you arrive at work and need to swipe your badge to get through the front door. That badge reader doesn’t make the decision itself. Instead, it sends your badge number to a central security office where a computer checks if your badge is valid and you’re allowed to enter. That central computer is like a RADIUS server. It knows who is allowed in, what time they can enter, and which floors they can access.
Now, imagine you’re not just entering one building, but multiple buildings that are part of the same company. If each building had its own list of approved badges, it would be a nightmare to update every time an employee leaves or joins. RADIUS solves that by keeping one master list. When you swipe your badge at any door, that door’s reader sends your info to the central RADIUS server, which says yes or no.
In the tech world, RADIUS works the same way. When you try to connect to a Wi-Fi network at a coffee shop or use a VPN to log into your company’s network from home, the access point (like the Wi-Fi router) sends your login details to a RADIUS server. The server checks if you are who you say you are (authentication), decides what you’re allowed to do (authorization), and keeps a log of your session (accounting). That’s why we say RADIUS handles Authentication, Authorization, and Accounting, often called AAA.
RADIUS is not the only protocol for this job, but it’s one of the most common because it’s reliable, works with many different brands of equipment, and has been around since the early 1990s. It uses encryption to protect your password while it’s being sent across the network, but some older versions have known weaknesses, so modern implementations use stronger protections like EAP (Extensible Authentication Protocol). For IT certification exams, you need to understand that RADIUS is a client-server protocol that runs on port 1812 for authentication and authorization, and port 1813 for accounting.
In everyday language, RADIUS is the invisible helper that makes sure only the right people get onto a network, and that their activity is recorded. Without it, network administrators would have to configure every single Wi-Fi router and VPN server individually, which would be inefficient and insecure.
Full Technical Definition
RADIUS stands for Remote Authentication Dial-In User Service. It is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to a network service. It was originally developed by Livingston Enterprises in 1991 as a protocol for dial-up modem access, but has since become the industry standard for many types of network access, including wireless (Wi-Fi), VPN, Ethernet switches, and network routers.
RADIUS operates at the application layer of the OSI model. It is a client-server protocol. The network access server (NAS), such as a wireless access point, VPN concentrator, or switch, acts as the RADIUS client. The NAS sends authentication requests to the RADIUS server, which then processes the request and returns a response. The RADIUS server typically consults a user database, which could be a flat file, an LDAP directory (like Active Directory), a SQL database, or an external identity provider.
The protocol uses UDP (User Datagram Protocol) as its transport layer protocol. The standard ports are 1812 for authentication and authorization, and 1813 for accounting. RADIUS uses a shared secret (a pre-shared key) between the client and server to encrypt certain fields, such as the password. However, only the password is encrypted; other parts of the packet, like the username, are sent in cleartext. This is a known limitation, and modern RADIUS deployments often address it by tunneling RADIUS over TLS (RadSec) or using EAP (Extensible Authentication Protocol) methods that provide full packet encryption.
The RADIUS packet structure consists of a header (code, identifier, length, authenticator) followed by a variable number of attributes. The code field indicates the type of packet: Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, and Accounting-Response. The identifier field matches request and response packets. The authenticator field provides integrity checking. Attributes carry specific information such as username, password, NAS-IP-Address, Service-Type, Framed-IP-Address, and vendor-specific attributes (VSAs).
RADIUS is defined in RFC 2865 (Authentication and Authorization) and RFC 2866 (Accounting). It has been extended by many other RFCs to support modern authentication methods. One important extension is RFC 3579, which specifies how RADIUS supports EAP. In an EAP over RADIUS scenario, the RADIUS server acts as an EAP server, and the NAS acts as an EAP authenticator. This allows the use of secure authentication methods like EAP-TLS (certificate-based), PEAP, and EAP-MSCHAPv2.
In real IT implementations, RADIUS is often deployed using FreeRADIUS (open-source), Microsoft Network Policy Server (NPS) on Windows Server, or commercial solutions like Cisco ISE. When configuring RADIUS, administrators must define the NAS clients (by IP address and shared secret), configure user accounts or link to a directory service, and define policies that determine what happens after authentication, for example, which VLAN a user should be placed on, or what IP address should be assigned.
RADIUS accounting allows the collection of session data such as login time, logout time, bytes sent and received, and reason for session termination. This data is used for billing, auditing, and monitoring. In exam contexts, it is important to remember that RADIUS is primarily for network access control, whereas TACACS+ (a similar protocol) is often used for device administration (like logging into routers and switches).
Common vulnerabilities and considerations: RADIUS over UDP does not provide inherent encryption of the full packet, making it susceptible to packet sniffing if not protected. The shared secret can be brute-forced if it is weak. Some implementations are vulnerable to dictionary attacks. For these reasons, security best practices recommend using strong shared secrets, restricting RADIUS traffic to trusted IP addresses, and considering RadSec (RADIUS over TLS) for increased security. RADIUS does not inherently support multi-factor authentication, but it can be combined with EAP methods that support certificates or OTP tokens.
Real-Life Example
Imagine you are at a large music festival with multiple stages and VIP areas. At the entrance, there is a security guard who checks your wristband. But the security guard does not have a list of every person who bought a ticket. Instead, when you arrive, the guard uses a handheld scanner to scan the barcode on your wristband. That scanner sends the barcode number to a central computer in the festival’s main office. The central computer checks the barcode against a database of all valid tickets. If it matches, the computer sends back a message saying “This is a valid ticket, let them in.” It might also include extra information, like “This person has VIP access, so give them a special bracelet.” The guard then lets you enter, and the computer logs the time you entered.
In this analogy, the security guard and scanner are the RADIUS client (the network access server). The central computer is the RADIUS server. The database of tickets is the user database (like Active Directory or a separate identity store). The “VIP access” information is authorization, it determines what you are allowed to do once inside. The logging of your entry time is accounting.
Now, imagine that the festival has many entrances. If each entrance had its own paper list of valid tickets, it would be impossible to update quickly if someone’s ticket was lost or stolen. But with the central computer, any change to the database, like revoking a stolen ticket, takes effect instantly at every entrance. That is exactly why RADIUS is used in businesses: if an employee leaves the company, an administrator can disable their account in one place, and they will immediately lose access to the Wi-Fi, VPN, and any other network service that uses RADIUS.
This system also works for accounting. The festival might want to know how many people entered, at what times, and how long they stayed. RADIUS accounting records exactly that: when a user connects, when they disconnect, and how much data they used. This can be used for billing (if the network is paid), for monitoring network usage, or for security auditing.
One more nuance: in the festival, if you try to enter a backstage area, the guard at that entrance might scan your wristband again. The central computer checks not only if you are allowed into the festival, but also whether you have backstage privileges. That is exactly how RADIUS supports authorization: after authentication, the server can return attributes that tell the network device what the user is allowed to do, for example, which VLAN to place them in, or what speed limit to apply.
Why This Term Matters
RADIUS is a foundational technology in network security and identity management, and understanding it is critical for any IT professional working with enterprise networks. Without RADIUS, network administrators would have to manually configure access control on every single device that users connect to. That would include every Wi-Fi access point, every VPN gateway, every switch port that requires authentication, and every remote access server. Doing that individually is not only time-consuming but also insecure, because it becomes very difficult to enforce consistent policies or respond quickly to security incidents.
RADIUS centralizes authentication and authorization, which means that when a user’s account is disabled in the central directory (like Active Directory), they immediately lose access to all network resources that rely on RADIUS. This is essential for organizations that need to control access for hundreds or thousands of employees, contractors, and guests. It also enables sophisticated policies, such as requiring different authentication methods depending on the user’s role, time of day, or location.
RADIUS also provides accounting, which is vital for compliance, billing, and monitoring. For example, in a university that offers free Wi-Fi to students but charges per gigabyte for guests, RADIUS accounting can track exactly how much data each guest consumes. In healthcare, RADIUS logs can be used to prove who accessed the network and when, which is required for HIPAA compliance.
Another reason RADIUS matters is its ubiquity. It is supported by virtually every major networking vendor, including Cisco, Aruba, Juniper, Ubiquiti, and many others. It integrates with a wide range of authentication backends, from simple text files to enterprise directories and cloud identity providers. Because of its long history and wide adoption, RADIUS skills are highly transferable across different jobs and environments.
For IT professionals, understanding RADIUS is also important because it is often a point of failure in network access. If users cannot connect to Wi-Fi or VPN, misconfigured RADIUS is a common root cause. Knowing how to troubleshoot RADIUS, checking shared secrets, verifying connectivity, reading logs, is a practical skill that directly impacts end-user experience. RADIUS is not just a theoretical concept; it is a core tool in the network administrator’s toolkit, and mastering it is essential for anyone responsible for network security.
How It Appears in Exam Questions
RADIUS appears in certification exams in several distinct question patterns. The most common is the direct definition question: “Which protocol provides centralized authentication, authorization, and accounting for network access?” The answer, of course, is RADIUS. But exam writers often try to confuse you with similar terms like TACACS+, Kerberos, or LDAP. You need to distinguish them by knowing the key differences: RADIUS uses UDP (ports 1812/1813), encrypts only the password, and is primarily for network access control. TACACS+ uses TCP (port 49), encrypts the entire packet, and is primarily for device administration.
Another common pattern is the scenario question. For example: “A company wants to implement 802.1X authentication on its wireless network. Which protocol should be used between the access point and the authentication server?” The correct answer is RADIUS because 802.1X uses EAP over RADIUS. An exam might ask: “Which port does the RADIUS server listen on for authentication requests?” Answer: UDP 1812. Or: “What is the main security weakness of RADIUS?” Answer: Only the password is encrypted; other packet fields are sent in cleartext.
Configuration questions are common in CCNA and network-focused exams. You might see a partial configuration like:
aaa new-model aaa authentication login default group radius local radius-server host 10.10.10.5 key secretkey interface GigabitEthernet0/1 authentication port-control auto dot1x pae authenticator
The question might ask: “What is the purpose of the radius-server host command?” Answer: To specify the IP address and shared secret of the RADIUS server. Another question might show a misconfigured RADIUS client where the shared secret does not match the server, you would need to identify that as the cause of authentication failures.
Troubleshooting questions also appear. For instance: “Users report they cannot connect to the corporate Wi-Fi. The access point shows RADIUS timeouts. What is the most likely cause?” Possible answers: wrong shared secret, firewall blocking UDP 1812/1813, incorrect IP address of the RADIUS server, or the RADIUS server itself is down. You need to know the typical causes of RADIUS failures.
Finally, comparison questions are popular: “Which AAA protocol encrypts the entire packet?” Answer: TACACS+. “Which AAA protocol is commonly used for network access?” Answer: RADIUS. “Which protocol uses UDP for transport?” Answer: RADIUS. “Which protocol separates authentication, authorization, and accounting processes?” Answer: TACACS+ (RADIUS combines authentication and authorization in one packet, while accounting is separate). Mastering these comparisons is essential.
Practise RADIUS Questions
Test your understanding with exam-style practice questions.
Example Scenario
A mid-sized company, TechFlow Inc., has 200 employees who need to access the corporate Wi-Fi network using their laptops and smartphones. Currently, the Wi-Fi password is written on a whiteboard in the breakroom and shared with all employees. The network administrator is worried because former employees still know the password and can access the network, and there is no way to track who is connected.
To solve this, the administrator decides to implement 802.1X authentication with a RADIUS server. She installs FreeRADIUS on a Linux server and configures it to talk to the company’s Active Directory, where all employee accounts are stored. She then configures the wireless access points to act as RADIUS clients, pointing them to the FreeRADIUS server.
Now, when an employee named Sarah logs into the Wi-Fi, her laptop sends a connection request to the access point. The access point forwards this request to the RADIUS server using the EAP-PEAP method, which creates a secure tunnel. The RADIUS server asks Sarah for her username and password, which she types. The server sends these credentials to Active Directory for verification. If they match, the RADIUS server sends an Access-Accept packet back to the access point, along with attributes that tell the AP to place Sarah on the corporate VLAN. The AP then lets Sarah connect.
If a former employee, John, tries to connect, his account has been disabled in Active Directory. The RADIUS server receives the request, checks Active Directory, and sends an Access-Reject packet. John’s laptop is denied access, and an event is logged.
The administrator also enables RADIUS accounting. Now she can run reports showing exactly which users connected, when, and how much data they used. This helps with security auditing and capacity planning.
In this scenario, RADIUS solves the problem of shared passwords, provides centralized control, and adds accountability. The exam might ask a similar scenario and expect you to identify that RADIUS is the correct protocol, or to choose the correct ports or configuration steps.
Common Mistakes
Thinking RADIUS encrypts the entire packet.
RADIUS only encrypts the password field, not the entire packet. Other fields like username are sent in cleartext, which is a known security weakness.
Remember: RADIUS encrypts only the password. For full packet encryption, use TACACS+ or RadSec (RADIUS over TLS).
Confusing RADIUS ports: using TCP 1812 instead of UDP 1812.
RADIUS uses UDP (not TCP) as its transport protocol. The standard authentication port is UDP 1812, and accounting is UDP 1813. Some older implementations use UDP 1645 and 1646, but those are deprecated.
Memorize: UDP 1812 for authentication/authorization, UDP 1813 for accounting. TACACS+ uses TCP 49.
Assuming RADIUS is used for device administration (like logging into a router).
RADIUS is primarily for network access control (Wi-Fi, VPN, switch port authentication). For administrative access to network devices, TACACS+ is more commonly used because it separates authentication, authorization, and accounting and encrypts the entire session.
Use RADIUS for user network access, TACACS+ for device administration.
Thinking RADIUS operates at the network layer (Layer 3).
RADIUS operates at the application layer (Layer 7) of the OSI model. It uses UDP at the transport layer (Layer 4) but is itself an application-layer protocol.
Classify RADIUS as an application layer protocol, like HTTP or DNS.
Believing RADIUS can only use PAP for authentication.
RADIUS supports many authentication methods, including PAP, CHAP, MS-CHAP, and EAP methods like EAP-TLS, PEAP, and EAP-MSCHAPv2. In modern deployments, EAP methods are preferred because they are more secure.
Remember that RADIUS is flexible and can support various authentication protocols, especially via EAP.
Exam Trap — Don't Get Fooled
{"trap":"An exam question states: \"A company wants to implement AAA for network device administration. Which protocol should they use?\" Some learners choose RADIUS because they've studied AAA and RADIUS together."
,"why_learners_choose_it":"They see the word AAA and immediately think of RADIUS, since RADIUS is the most commonly taught AAA protocol in many courses.","how_to_avoid_it":"Read the question carefully. The phrase 'network device administration' is the key.
For device administration (like logging into routers and switches), TACACS+ is the standard because it encrypts the entire packet and separates the three A's. RADIUS is best for network access (Wi-Fi, VPN). Always relate the scenario to the protocol's use case."
Commonly Confused With
TACACS+ is an AAA protocol developed by Cisco. The main differences are: TACACS+ uses TCP (port 49) and encrypts the entire packet, while RADIUS uses UDP and only encrypts the password. TACACS+ separates authentication, authorization, and accounting into separate packets, while RADIUS combines authentication and authorization. TACACS+ is primarily used for device administration (logging into network devices), while RADIUS is used for network access control (Wi-Fi, VPN).
If you need to control who can log into a router and what commands they can run, use TACACS+. If you need to control who can connect to the company Wi-Fi, use RADIUS.
Kerberos is an authentication protocol used in Windows Active Directory and many Unix environments. Unlike RADIUS, which is a client-server protocol for network access, Kerberos is a ticket-based system that allows secure authentication over unencrypted networks without sending passwords. Kerberos uses a Key Distribution Center (KDC) and relies on symmetric key cryptography. RADIUS does not issue tickets; it simply checks credentials and returns accept/reject.
When you log into your Windows computer at work, Kerberos authenticates you to the domain. When you connect to the Wi-Fi from that same computer, RADIUS may be used to authenticate you to the wireless network.
LDAP (Lightweight Directory Access Protocol) is used to access and manage directory information, such as user accounts in Active Directory or OpenLDAP. RADIUS can use LDAP to look up user credentials, but they are different protocols. LDAP is not an AAA protocol; it is a directory service protocol. RADIUS is specifically designed for AAA. A typical setup is: RADIUS server queries an LDAP directory to verify passwords.
LDAP is like a phone book that contains user information. RADIUS is the security guard who calls the phone book to check if you are allowed in.
802.1X is a port-based network access control standard that provides authentication for devices connecting to a network. RADIUS is often used as the authentication server within the 802.1X framework. In other words, 802.1X is the overall process, and RADIUS is the protocol used to communicate between the authenticator (switch or access point) and the authentication server. They are not interchangeable.
802.1X is the rules for checking IDs at the door. RADIUS is the radio the guard uses to talk to the central office.
Step-by-Step Breakdown
User initiates connection
A user attempts to connect to a network service, such as a Wi-Fi network, VPN, or a switch port. The user's device sends a connection request to the Network Access Server (NAS), which is the RADIUS client.
NAS forwards authentication request to RADIUS server
The NAS creates an Access-Request packet. This packet includes the username, encrypted password, NAS-IP-Address, and other attributes. The NAS sends this packet to the RADIUS server using UDP port 1812.
RADIUS server processes the request
The RADIUS server receives the packet and verifies it came from a known NAS client (by checking the source IP and shared secret). It then looks up the user in its configured identity store (e.g., Active Directory, LDAP, internal database) and verifies the credentials.
RADIUS server sends response
Based on the outcome, the server sends one of three responses: Access-Accept (user authenticated and authorized), Access-Reject (authentication failed), or Access-Challenge (requires additional information, such as a second factor). The response may include authorization attributes like VLAN assignment, IP address, or session timeout.
NAS acts on the response
The NAS receives the response and applies the decision. If Access-Accept, the user is granted network access and the NAS enforces any authorization attributes (e.g., placing the user on the correct VLAN). If Access-Reject, the connection is denied. If Access-Challenge, the NAS requests further credentials from the user.
Accounting starts and ends
Once the user is connected, the NAS sends an Accounting-Request (Start) packet to the RADIUS server on UDP port 1813. The server logs the start of the session and sends an Accounting-Response. When the user disconnects, the NAS sends an Accounting-Request (Stop) packet with session details (duration, bytes transferred, etc.), and the server logs it.
Practical Mini-Lesson
In real-world IT, implementing RADIUS requires both theoretical knowledge and hands-on configuration. As a professional, you will likely be involved in setting up RADIUS for Wi-Fi, VPN, or wired 802.1X. Let’s walk through a typical deployment using FreeRADIUS on Linux, which is a popular open-source RADIUS server.
First, you need to understand the components: The RADIUS server (FreeRADIUS) runs on a server, typically in the data center. The NAS devices (like wireless access points, VPN gateways, or switches) are configured as RADIUS clients. The user database can be a local file, but in most enterprises, it’s an LDAP directory like Active Directory. You’ll configure FreeRADIUS to authenticate against Active Directory using either LDAP or the more secure Kerberos-based authentication.
Configuration involves editing several files. The main configuration file is /etc/freeradius/3.0/radiusd.conf (or similar depending on version). You define the IP addresses and shared secrets of your NAS devices in the clients.conf file. For example:
client 10.10.10.10 { secret = strongsharedsecret shortname = access-point-1 }
Next, you set up the authentication backend. If using Active Directory, you might use the ntlm_auth helper or directly integrate with LDAP. For example, in mods-available/ldap, you’ll specify the LDAP server, base DN, and bind credentials. Then you link it in the authorize section of the sites-enabled/default file.
You also need to define authorization policies. For instance, you might want to place all employees on VLAN 100 and guests on VLAN 200. In FreeRADIUS, you can set this using unlang (the policy language) or by returning attributes. Example:
update reply { Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "100" }
Accounting is typically enabled by default. You can log accounting data to a database (MySQL or PostgreSQL) for reporting. Many organizations use tools like Daloradius or a custom web interface to view RADIUS logs.
Common pitfalls in real deployments: forgetting to open UDP ports 1812 and 1813 on the firewall, mismatched shared secrets, incorrect NTP (time synchronization is critical for RADIUS), and not configuring the NAS to be a RADIUS client. Also, many access points require you to configure both the RADIUS IP and the shared secret, and they may only support one RADIUS server. It’s common to deploy two RADIUS servers for redundancy.
Troubleshooting is a daily task. If users cannot authenticate, you check the RADIUS logs (usually /var/log/radius/radius.log) for clues like "Packet from unknown client" (wrong IP) or "Invalid shared secret" (wrong key). You can also run the radtest utility to manually test authentication:
radtest username password radius-server 0 auth-port 1812 secret
This sends a test request and shows the response. If it returns Access-Accept, the server is working. If Access-Reject, the credentials are wrong or the user account is disabled.
practical RADIUS management involves server setup, client configuration, policy definition, troubleshooting connectivity and authentication issues, and ensuring high availability. These skills are directly tested in CCNA and Security+ labs, and they are essential for any network administrator.
RADIUS Authentication and Accounting Process Flow
RADIUS, which stands for Remote Authentication Dial-In User Service, is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. It is widely used in enterprise environments for managing access to network devices, VPNs, wireless networks, and other critical services. Understanding the RADIUS authentication flow is essential for IT security professionals, especially for those preparing for exams like the CISSP, Security+, CCNA, and Network+.
When a user attempts to connect to a network resource, such as a wireless access point or a VPN concentrator, the network access server (NAS) acts as the RADIUS client. The NAS sends an Access-Request packet to the RADIUS server, which contains the user's credentials (typically a username and password) along with other attributes like the NAS identifier and port information. The password is encrypted using a shared secret key, ensuring confidentiality over the network. The RADIUS server then checks these credentials against its user database, which could be an internal directory, LDAP, or Active Directory.
If the credentials are valid, the RADIUS server responds with an Access-Accept packet, which may include attributes such as an assigned IP address, session timeout, or specific authorization parameters like allowed VLANs or filter rules. If the credentials are invalid or the user is not authorized, the server sends an Access-Reject packet, and the NAS denies access. The server can send an Access-Challenge packet for additional verification, such as prompting for a one-time password or multi-factor authentication code. This challenge-response mechanism is used in Extensible Authentication Protocol (EAP) frameworks to support secure authentication methods like EAP-TLS or PEAP.
Accounting is another critical aspect of RADIUS. After the user is authenticated, the NAS sends Accounting-Start packets to the RADIUS server, logging when the session begins. As the session progresses, interim accounting updates may be sent to track data usage or time. When the user disconnects, an Accounting-Stop packet is sent, recording the end time and total resources consumed. This accounting data is vital for billing, auditing, security monitoring, and compliance. In exam contexts, candidates should remember that RADIUS uses UDP ports 1812 for authentication and 1813 for accounting, although older implementations used ports 1645 and 1646. The protocol is often compared to TACACS+, which uses TCP and separates authentication, authorization, and accounting into separate processes.
One common misconception tested in exams is that RADIUS encrypts only the password in the Access-Request packet, while the rest of the packet (including the username) is sent in clear text. This is a security limitation that must be addressed by using IPsec or VPN tunnels between the NAS and RADIUS server. RADIUS is a client-server protocol that uses a shared secret for security, and it is connectionless, relying on UDP for transport. This design makes RADIUS more scalable but less reliable than TCP-based alternatives. For example, in a CCNA or Network+ exam, you might be asked to identify which protocol is used for AAA in a Cisco environment, and the answer often distinguishes RADIUS from TACACS+ based on port numbers, encryption methods, and support for command authorization. Understanding these differences is fundamental for network and security professionals.
RADIUS Configuration and Troubleshooting Best Practices
Configuring RADIUS correctly is a critical skill for network administrators and security engineers. Misconfigurations can lead to authentication failures, security vulnerabilities, or network outages. On Cisco devices, for example, RADIUS configuration involves several steps starting with the global configuration mode. The administrator must specify the RADIUS server IP address, the shared secret key, and the authentication and accounting ports. A typical command on a Cisco router or switch would be 'radius-server host 192.168.1.10 key MySecretKey' followed by 'radius-server key MySecretKey' to set the global key. You can configure the server for authentication using 'aaa new-model' to enable AAA services, then define an authentication list with 'aaa authentication login default group radius local'. This tells the device to use RADIUS first and fall back to local authentication if the RADIUS server is unreachable.
For accounting, commands such as 'aaa accounting exec default start-stop group radius' are used to log all executive sessions (like SSH or console access) to the RADIUS server. Similarly, 'aaa accounting network default start-stop group radius' logs network-related connections such as PPP or VPN sessions. In a wireless environment, RADIUS is often integrated with a Wireless LAN Controller (WLC). The WLC is configured as a RADIUS client, and the RADIUS server (like Cisco ISE or FreeRADIUS) handles user authentication. The configuration involves specifying the shared secret, IP address, and optionally, the timeout and retransmission settings.
Troubleshooting RADIUS issues often begins with verifying connectivity between the NAS and the RADIUS server. The NAS must be able to reach the server's IP address and the correct UDP ports (1812 for authentication, 1813 for accounting). Firewalls or Access Control Lists (ACLs) can block these ports, so using tools like 'telnet' or 'nc' to test port availability is futile since RADIUS uses UDP, which is connectionless. Instead, administrators use debug commands available on many networking devices. On Cisco IOS, the command 'debug radius authentication' shows the details of each authentication attempt, including the Access-Request and Access-Accept or Access-Reject packets. Similarly, 'debug radius accounting' displays accounting packet exchanges. These debugs help identify issues such as mismatched shared secrets, incorrect user credentials, or attribute problems.
Another common troubleshooting step is checking the RADIUS server logs. For FreeRADIUS, for instance, the 'radiusd -X' command runs the server in debug mode and outputs detailed messages about packet processing. Logs can indicate whether the user exists in the database, if the password is valid, or if the server is receiving requests from an unauthorized NAS. The RADIUS server must be configured with the correct client entries, including the NAS IP address and shared secret. In enterprise deployments, RADIUS proxy configurations are also used to forward requests to other RADIUS servers or external identity sources like LDAP.
For exams like Security+ and CISSP, candidates should know that RADIUS is an open standard (RFC 2865 and 2866) and is often used for 802.1X port-based authentication in wired and wireless environments. Troubleshooting also involves checking that the supplicant (client device) is configured to use EAP methods that the RADIUS server supports. Certificate-based authentication (EAP-TLS) requires valid certificates on both the server and client, while PEAP uses a server-side certificate. The most common reason for authentication failure is a mismatch in the shared secret, time synchronization issues (especially for certificates), or firewall rules blocking UDP traffic. In exam scenarios, you might be given a configuration excerpt and asked to identify a misconfiguration, such as using the wrong port number (e.g., 1645 instead of 1812) or missing the 'aaa new-model' command. Mastering these configuration and troubleshooting details is essential for passing vendor-neutral and vendor-specific certifications.
Memory Tip
Remember RADIUS as the 'door guard' for Wi-Fi and VPN. Think of the ports: 1812 (authenticate) and 1813 (account). It uses UDP, not TCP. Only the password is secret, the rest is clear. For device admin, think TACACS+ instead.
Learn This Topic Fully
This glossary page explains what RADIUS means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →SY0-701CompTIA Security+ →200-301Cisco CCNA →N10-009CompTIA Network+ →220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →SC-900SC-900 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Quick Knowledge Check
1.Which transport layer protocol and port numbers are used by RADIUS for authentication and accounting?
2.In a RADIUS authentication flow, what type of packet does the RADIUS server send to request additional verification from the client (e.g., a one-time password)?
3.Which of the following is a key difference between RADIUS and TACACS+?
4.A network administrator configures a Cisco switch with 'aaa authentication login default group radius' but forgets to add a fallback method. The RADIUS server becomes unreachable. What will happen to new SSH login attempts?
5.Which Extensible Authentication Protocol (EAP) method requires both a server-side and client-side certificate for authentication?
6.A technician runs 'debug radius authentication' on a Cisco router and sees 'Access-Reject' packets. What does this indicate?
Frequently Asked Questions
What is the difference between RADIUS and TACACS+?
RADIUS uses UDP (ports 1812/1813) and encrypts only the password, while TACACS+ uses TCP (port 49) and encrypts the entire packet. RADIUS is best for network access control (Wi-Fi, VPN), while TACACS+ is designed for device administration.
Which ports does RADIUS use?
RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Some older systems use 1645 and 1646, but these are deprecated.
Is RADIUS secure?
RADIUS has security limitations: it only encrypts the password, uses UDP (which is connectionless and prone to spoofing), and does not ensure integrity of the entire packet. Modern deployments enhance security by using EAP methods within RADIUS or by implementing RadSec (RADIUS over TLS).
What is a RADIUS client?
A RADIUS client is a network device, such as a wireless access point, VPN concentrator, or switch, that sends authentication requests to a RADIUS server. The RADIUS client is often called a Network Access Server (NAS).
Can RADIUS support multi-factor authentication?
Yes, RADIUS can support multi-factor authentication through EAP methods that incorporate certificates, tokens, or one-time passwords. For example, EAP-TLS uses certificates, and PEAP-MSCHAPv2 can be combined with a second factor.
What is the difference between RADIUS and LDAP?
RADIUS is an AAA protocol for network access control. LDAP is a directory access protocol used to query user databases. A RADIUS server often uses LDAP to look up user credentials, but they are different layers of the authentication process.
How do I troubleshoot a RADIUS authentication failure?
Check the RADIUS server logs for errors. Verify the shared secret matches between the client and server. Confirm that the RADIUS server IP and ports (UDP 1812/1813) are reachable from the NAS. Test with a simple tool like radtest.