What Is Remote Authentication Dial-in User Service? Security Definition

Also known as: RADIUS, Remote Authentication Dial-in User Service, AAA protocol, network authentication, CompTIA Network+ RADIUS

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

RADIUS is like a gatekeeper for a network. When you try to log in to a company network from outside, RADIUS checks your username and password, decides what you are allowed to do, and keeps a record of when you connected. It is commonly used for Wi-Fi access, VPN connections, and dial-up internet.

Must Know for Exams

RADIUS appears in multiple CompTIA certification exams, including A+, Network+, and Security+. For the A+ exam, the focus is on basic knowledge: what RADIUS stands for, its role in authentication, and that it is used for remote access. The A+ exam objectives mention RADIUS in the context of network services and security. Learners should know that RADIUS is a protocol that provides centralized authentication, authorization, and accounting for remote users.

In the Network+ exam, RADIUS is covered in more depth. The exam objectives require understanding the difference between RADIUS and other authentication protocols like TACACS+ and Kerberos. Network+ questions often ask about the ports used by RADIUS: 1812 for authentication and 1813 for accounting. The exam may also test the concept of RADIUS as a client-server protocol where the network access device is the client and the server holds the user database. Learners should be able to explain the AAA framework (Authentication, Authorization, Accounting) and how RADIUS implements it.

For the Security+ exam, RADIUS is a core topic under access control and identity management. Security+ questions often present a scenario where a company needs to implement secure remote access or network access control. The correct answer frequently involves using RADIUS with 802.1X and EAP (Extensible Authentication Protocol). Learners must understand how RADIUS can enforce multi-factor authentication and how it integrates with directory services like Active Directory. The exam also tests the difference between RADIUS and TACACS+, emphasizing that RADIUS combines authentication and authorization in one packet, while TACACS+ separates them. Security+ candidates should know that RADIUS encrypts only the password, while TACACS+ encrypts the entire packet.

Across all three exams, common questions include identifying the correct protocol to use for centralized authentication of remote users, selecting the correct ports, and understanding the purpose of accounting. Scenario-based questions might describe a situation where users connect via VPN or Wi-Fi and ask which service should be used to manage credentials centrally. Learners who understand RADIUS as the central gatekeeper for network access will be well prepared.

Simple Meaning

Imagine you work in a large office building with many different rooms. Some rooms are for regular workers, some are for managers, and some are for IT staff. Instead of having a separate key for every single door, the building uses a central security desk. When you want to enter any room, you go to the security desk, show your ID badge, and the security guard checks a master list. If your ID is valid and you have permission to enter that room, the guard unlocks the door. The guard also writes down the time you entered. This is exactly how RADIUS works for computer networks.

RADIUS stands for Remote Authentication Dial-in User Service. It is a protocol that lets a network device, like a Wi-Fi access point or a VPN server, send a user's login information to a central server. That central server is the RADIUS server. The RADIUS server holds a master list of all valid users, their passwords, and what resources they are allowed to use. When a user tries to log in, the RADIUS server checks the credentials against its database. If everything matches, the server sends back a message saying the user is allowed in. It also tells the network device which network settings the user should get, such as a specific IP address or access to certain parts of the network.

Think of RADIUS as a post office sorting center. You drop a letter (your login request) into a mailbox (the network access point). The mailbox sends the letter to the sorting center (the RADIUS server). At the sorting center, the address is checked (your username and password are verified), and the letter is stamped with the correct route (authorization is given). The sorting center then tells the mailbox where to deliver the letter (the user is allowed to connect and gets network access). The sorting center also keeps a log of every letter it processed (accounting records).

RADIUS is not just about checking passwords. It also handles authorization, which decides what you can do once you are in, and accounting, which tracks how long you stay connected and how much data you use. This makes RADIUS a key part of network security for companies, schools, and internet service providers.

Full Technical Definition

RADIUS is a client-server protocol defined in RFC 2865 and RFC 2866. It operates at the application layer of the OSI model and runs over UDP: port 1812 carries authentication and authorization, and port 1813 carries accounting. Some legacy implementations use ports 1645 and 1646, but these are deprecated. RADIUS provides a central management point for controlling access to network resources, which is essential in environments with many users and multiple network access devices.

In a typical deployment, the RADIUS client is a Network Access Server (NAS) such as a wireless access point, a VPN concentrator, a network switch, or a dial-up server. The NAS receives the user's connection attempt, collects the credentials (usually a username and password, but it can also use certificates or tokens), and forwards them to the RADIUS server as a RADIUS Access-Request packet. This packet includes attributes like the user name, password (encrypted using a shared secret), NAS IP address, and the port type.

The RADIUS server receives the Access-Request and checks the credentials against its user database. This database can be a local file, an LDAP directory like Active Directory, a SQL database, or another authentication backend. If the credentials are valid, the server checks the authorization policies to determine what network access the user should receive. This might include a specific IP address, a VLAN assignment, a filter to limit traffic, or a session timeout. The server then sends back an Access-Accept packet containing the authorization attributes. If the credentials are invalid or the user is not allowed, the server sends an Access-Reject packet. In some cases, the server may send an Access-Challenge packet, which prompts the user for additional information, such as a one-time passcode from a token.

Accounting is handled separately. After authentication, the NAS sends an Accounting-Request (Start) packet to the RADIUS server, which logs the beginning of the session. The server responds with an Accounting-Response. When the user disconnects, the NAS sends an Accounting-Request (Stop) packet with details like session duration, bytes sent and received, and the reason for disconnection. This data is used for billing, auditing, and capacity planning.

RADIUS uses a shared secret to encrypt passwords and to authenticate the communication between the client and server. The shared secret is a plain text string configured on both the NAS and the RADIUS server. The password is never sent as-is: it is combined with a one-way hash of the shared secret and a random value (the Request Authenticator) that travels in the same packet, so only a server that knows the secret can recover it. Other attributes in the packet, such as the user name, are sent in cleartext unless RADIUS over TLS (RadSec) or IPsec is used for additional security. RADIUS is widely supported and interoperable across different vendors, making it a standard choice for enterprise authentication.
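The password hiding and shared-secret check described above, as an added Python example written for this page (it is not code from FreeRADIUS, NPS or any other RADIUS product): it builds the Access-Request of step 2 in the Step-by-Step Breakdown later on the page, handles it on the server side, and has the NAS verify the Response Authenticator, which is how a mismatched shared secret, the failure named in the troubleshooting sections, actually surfaces. Packet codes and attribute numbers are from RFC 2865; the user name, password, secret and NAS address are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and the attribute types used in this example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
WIRELESS_80211 = 19  # NAS-Port-Type value for a Wi-Fi port


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR
    each 16-octet block with MD5(secret + previous hidden block); for the first
    block the 16-octet random Request Authenticator plays the 'previous block'."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse: the chain feeds on the hidden block, so the same XOR
    recovers the plaintext; the zero padding is then stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret, nas_ip):
    """NAS side (step 2): a fresh random Request Authenticator for every request."""
    request_auth = secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(packet, secret, user_db):
    """Server side (steps 3 and 5). A plain Access-Request has no integrity check
    unless it carries a Message-Authenticator (RFC 2869), so a wrong secret here
    simply yields a garbage password and therefore an Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(expected, password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""  # authorization attributes (VLAN, IP address) would go here
    auth = response_authenticator(resp_code, ident, request_auth, resp_attrs, secret)
    return struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs)) + auth + resp_attrs


def client_verify_response(response, request_auth, secret):
    """NAS side (step 6): recompute the Response Authenticator before trusting the
    reply. A mismatch means the reply was not built with the same shared secret
    (the classic misconfiguration) or was forged or altered in transit."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    return code
```

A server configured with a different secret still answers, but its Access-Reject fails the NAS-side check, which is why a mismatched secret looks like "users cannot authenticate" rather than a network outage.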

Real-Life Example

Think of a large public library that has multiple sections: a quiet reading room, a computer lab, a children's area, a reference section, and a special collection of rare books. The library has a single front desk where all visitors must check in. When you arrive, you show your library card to the librarian at the front desk. The librarian scans your card and checks a central computer system. That central system holds information about every library member, including whether their membership is current, what sections they are allowed to enter, and whether they have any overdue books.

If your card is valid and you have permission, the librarian gives you a colored wristband that matches the sections you are allowed to visit. A blue wristband might let you into the reading room and the computer lab. A red wristband might also let you into the rare books section. The librarian also notes the time you entered. When you leave, you return the wristband, and the librarian records the time you exited and how long you stayed.

This library system maps directly to RADIUS. The librarian is the RADIUS server. The front desk is the NAS (network access server). Your library card and PIN are your username and password. The central computer system is the user database. The colored wristband represents the authorization attributes, such as which VLAN or subnet you can access. The librarian writing down the entry and exit times is the accounting function. If you tried to enter the rare books section without a red wristband, the librarian would block you, just as a RADIUS server would reject a user attempting to access a restricted resource. The library does not need a separate guard for each section. One central desk manages all access. This is exactly why companies use RADIUS: one central server manages authentication for all network devices.

Why This Term Matters

RADIUS matters because it provides a single, centralized point of control for network access in any organization that has more than a handful of users. Without RADIUS, each network device like a Wi-Fi access point or a VPN server would need to store its own list of usernames and passwords. This creates a security nightmare. If an employee leaves the company, the network administrator would have to remove that person's credentials from every single device. With RADIUS, the administrator removes the user from the central database once, and the change takes effect everywhere immediately.

In practical IT work, RADIUS is the backbone of enterprise Wi-Fi security using WPA2-Enterprise or WPA3-Enterprise. Instead of having a single shared Wi-Fi password that everyone uses, each employee gets their own unique credentials. This improves security because if a laptop is stolen, only that one user's credentials need to be revoked. It also allows for detailed auditing. The IT team can see exactly which user connected to which access point at what time.

For VPN access, RADIUS is equally important. Remote workers connect to the company network using a VPN client. The VPN server forwards their credentials to a RADIUS server, which checks against Active Directory or another identity store. The RADIUS server can enforce multi-factor authentication by sending an Access-Challenge that prompts for a one-time code. This adds a critical layer of security for remote access.

Network switches and routers also use RADIUS for administrative access. Instead of having local usernames on each device, the network administrator logs in using their domain credentials, which are verified by the RADIUS server. The RADIUS server can also assign privilege levels, so junior administrators can only view configurations while senior administrators can make changes.

RADIUS is also used in 802.1X network access control, which is a standard for port-based authentication on wired and wireless networks. When a device plugs into a switch port, the switch blocks all traffic until the device authenticates through a RADIUS server. This prevents unauthorized devices from connecting to the network. Cloud service providers and managed service providers also use RADIUS to authenticate customers accessing management portals or VPNs.

How It Appears in Exam Questions

Exam questions about RADIUS appear in several distinct patterns. The most common is the definition or concept question. These questions directly ask what RADIUS stands for or what its primary function is. For example: Which of the following protocols provides centralized authentication, authorization, and accounting for remote users? The answer choices might include RADIUS, TACACS+, Kerberos, and LDAP. The learner must recognize that RADIUS is the AAA protocol for remote access.

Another common pattern is the port identification question. These questions ask which port number is used by RADIUS for authentication. The correct answer is UDP port 1812. The exam might also ask about the accounting port, which is 1813. Some questions present a scenario where a firewall blocks certain ports, and the learner must identify that RADIUS traffic is being blocked.

Scenario questions are very common, especially on the Security+ exam. A typical scenario might describe a company that wants employees to use individual credentials to connect to the corporate Wi-Fi network instead of a shared password. The question asks which technology should be implemented. The correct answer involves RADIUS combined with 802.1X and EAP. Another scenario might involve a company that needs to track how long each user is connected to the VPN for billing purposes. The learner should identify that RADIUS accounting provides this functionality.

Configuration questions appear on Network+ and Security+ exams. These questions might ask about the steps to configure a RADIUS server or the requirements for a RADIUS client to communicate with a server. The shared secret is a common point of emphasis. A question might say: A network administrator configured a RADIUS server but users cannot authenticate. What is the most likely cause? The answer could be a mismatched shared secret between the NAS and the RADIUS server.

Comparison questions are also frequent. The exam might ask: What is the primary difference between RADIUS and TACACS+? The correct answer is that RADIUS combines authentication and authorization, while TACACS+ separates them, and that RADIUS encrypts only the password while TACACS+ encrypts the entire payload.

Finally, there are troubleshooting questions. These might involve a user who can connect to the Wi-Fi but cannot access certain resources. The RADIUS server might be using authorization attributes to assign VLANs, and the user is placed in the wrong VLAN. The learner must understand that RADIUS controls more than just authentication; it also controls authorization.

Example Scenario

A medium-sized company called GreenTech Solutions has 200 employees. They use Wi-Fi throughout their office building. Currently, all employees use the same Wi-Fi password. The IT manager is worried because if any employee leaves the company, the Wi-Fi password must be changed and communicated to everyone, which is inefficient. Also, the manager has no way to know which employee is using the Wi-Fi at any given time.

GreenTech Solutions decides to implement a more secure solution. They install a new Windows Server that runs a RADIUS service. This RADIUS server is linked to the company's Active Directory, which already holds all employee usernames and passwords. They reconfigure the Wi-Fi access points to act as RADIUS clients. The access points are configured to send all login attempts to the new RADIUS server using a shared secret.

Now, when an employee named Maria wants to connect to the Wi-Fi, her laptop prompts her for her Active Directory username and password. The access point sends these credentials to the RADIUS server. The RADIUS server checks the credentials against Active Directory. If they are valid, the RADIUS server sends an Access-Accept message back to the access point, along with instructions to place Maria in the general user VLAN. The access point allows Maria onto the network. The RADIUS server also records the start time of Maria's session.

When Maria leaves the company, the IT administrator disables her Active Directory account. The next time Maria tries to connect, the RADIUS server rejects the request, and she cannot access the Wi-Fi. The administrator does not need to change the Wi-Fi password or reconfigure any access points. The system is now more secure, auditable, and easier to manage.

Common Mistakes

Thinking RADIUS is only for dial-up connections.

While RADIUS was originally designed for dial-up connections, it is now used for Wi-Fi, VPN, Ethernet switches, and many other network access scenarios.

Remember that RADIUS is a general-purpose AAA protocol for any type of network access, not just dial-up.

Confusing the RADIUS server with the RADIUS client.

Many learners think the user's computer is the RADIUS client, but the RADIUS client is actually the network access device like a Wi-Fi access point or VPN server. The user's computer or device is called the supplicant.

Learn the three roles: the supplicant (user device), the authenticator (NAS, which is the RADIUS client), and the authentication server (the RADIUS server).

Believing RADIUS encrypts all data in the packet.

RADIUS only encrypts the password. All other attributes like the username are sent in cleartext. This is a security limitation.

For secure environments, use RADIUS over TLS (RadSec) or IPsec to encrypt the entire communication.

Using TCP ports instead of UDP ports for RADIUS.

RADIUS uses UDP, not TCP. The standard ports are UDP 1812 for authentication and UDP 1813 for accounting. Using TCP will not work unless specifically configured with RadSec.

Memorize that RADIUS uses UDP ports 1812 and 1813. This is a common exam question.

Thinking RADIUS is the same as 802.1X.

802.1X is a standard for port-based network access control. RADIUS is the protocol used to communicate between the authenticator (switch or access point) and the authentication server. They work together but are not the same thing.

Think of 802.1X as the lock on the door and RADIUS as the security guard who checks the ID and decides whether to unlock it.

Exam Trap — Don't Get Fooled

The exam question states: A network administrator needs to implement a protocol that provides authentication and authorization but does not require accounting. Which protocol should they choose? Many learners see 'authentication and authorization' and immediately choose RADIUS.

The trap is that the question says 'does not require accounting.' While RADIUS can be used without accounting, TACACS+ separates authentication, authorization, and accounting into distinct packets, making it a better fit when accounting is not needed. Also, TACACS+ is often preferred for device administration.

Read the question carefully and consider the specific requirements.

Commonly Confused With

Remote Authentication Dial-in User Service vs TACACS+

TACACS+ separates authentication, authorization, and accounting into three distinct processes. It encrypts the entire packet, not just the password. TACACS+ is more commonly used for managing network device access (e.g., logging into routers and switches), while RADIUS is more often used for end-user network access like Wi-Fi and VPN.

A network engineer logging into a Cisco router uses TACACS+. A company employee connecting to the office Wi-Fi uses RADIUS.

Remote Authentication Dial-in User Service vs Kerberos

Kerberos is a ticket-based authentication protocol used primarily within a single network domain, like an Active Directory environment. It does not handle authorization or accounting directly. RADIUS is used for remote access and can work with many different authentication backends, including Kerberos.

When you log into your Windows computer at work, Kerberos authenticates you. When you connect to the company VPN from home, RADIUS authenticates you.

Remote Authentication Dial-in User Service vs LDAP

LDAP is a directory service protocol used to query and update a directory of users, such as an address book. LDAP can be used to look up a user's information, but it does not handle authentication and authorization the same way RADIUS does. RADIUS can use an LDAP directory as a backend to verify credentials, but RADIUS itself provides the AAA functions.

A company's phone directory is stored in an LDAP server. When you need to find a colleague's email, you use LDAP. When you need to access the company Wi-Fi, the RADIUS server might check your password against that same LDAP directory.

Step-by-Step Breakdown

1. User initiates connection

The user on their computer or device attempts to connect to a network service, such as a Wi-Fi network, a VPN, or a dial-up connection. The device sends its credentials (typically a username and password) to the network access server (NAS), which is the device that provides the network connection.

2. NAS creates Access-Request packet

The NAS, which acts as the RADIUS client, receives the credentials. It packages them into a RADIUS Access-Request packet. This packet includes the username, an encrypted version of the password, the NAS's own IP address, and other attributes like the port type or the SSID of the Wi-Fi network. The NAS sends this packet to the RADIUS server using UDP port 1812.

3. RADIUS server verifies credentials

The RADIUS server receives the Access-Request packet. It decrypts the password using the shared secret that it shares with the NAS. The server then checks the username and password against its user database. This database could be a local file, an LDAP directory, Active Directory, a SQL database, or any other supported backend.

4. RADIUS server checks authorization policies

If the credentials are valid, the RADIUS server does not grant access immediately. It first checks the authorization policies for that user. These policies determine what the user is allowed to do. For example, the server may assign a specific IP address, place the user in a specific VLAN, apply an access control list, or set a session timeout. These policies are stored in the RADIUS server's configuration.

5. RADIUS server sends response to NAS

Based on the authentication and authorization results, the RADIUS server sends a response packet back to the NAS. If the user is allowed, it sends an Access-Accept packet containing the authorization attributes. If the user is denied, it sends an Access-Reject packet. In some cases, it sends an Access-Challenge packet to request additional authentication factors, like a one-time code.

6. NAS allows or denies the connection

The NAS receives the response from the RADIUS server. If it is an Access-Accept, the NAS applies the authorization attributes and grants the user access to the network. If it is an Access-Reject, the NAS denies the connection and may display an error message. If it is an Access-Challenge, the NAS prompts the user for additional information and repeats the process.

7. RADIUS accounting begins

Once the user is connected, the NAS sends an Accounting-Request (Start) packet to the RADIUS server using UDP port 1813. This packet includes the user's identity, the session ID, the time the session started, and the NAS's IP address. The RADIUS server logs this information and sends back an Accounting-Response to acknowledge it.

8. RADIUS accounting ends

When the user disconnects from the network, the NAS sends an Accounting-Request (Stop) packet to the RADIUS server. This packet includes the session duration, the number of bytes sent and received, the reason for disconnection, and other statistics. The RADIUS server logs this information, which can be used for billing, auditing, or capacity planning. The server sends an Accounting-Response to confirm.
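Steps 7 and 8 from the server's side, as an added Python example written for this page (not FreeRADIUS or NPS code): it checks the Accounting-Request authenticator, which RFC 2866 derives from the shared secret, before logging anything, and then correlates Start and Stop records into the session duration and byte counts the page mentions for billing and auditing. Attribute numbers are from RFC 2866; the user names, session ids and secrets are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2866 packet code and the attribute numbers used in Start and Stop records.
ACCOUNTING_REQUEST = 4
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 1, 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 46, 49
START, STOP = 1, 2


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def accounting_authenticator(ident, attrs, secret):
    # RFC 2866 section 3: unlike an Access-Request, an Accounting-Request's Request
    # Authenticator is not random but MD5(Code + ID + Length + 16 zero octets +
    # Attributes + Secret), so the server can tell the NAS knows the shared secret.
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """NAS side: Start (step 7) and Stop (step 8) records share this format."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + accounting_authenticator(ident, attrs, secret) + attrs


def verify_accounting_request(packet, secret):
    """Server side: refuse to log any record not authenticated with our secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    if not hmac.compare_digest(accounting_authenticator(ident, attrs, secret), packet[4:20]):
        raise ValueError("bad Request Authenticator: shared secret mismatch or forged record")
    return dict(parse_attrs(attrs))


def u32(attrs, kind):
    return struct.unpack("!I", attrs.get(kind, b"\x00" * 4))[0]


def ingest(packets, secret):
    """Verify every record, then correlate Start and Stop by Acct-Session-Id."""
    open_sessions, closed, anomalies = {}, [], []
    for pkt in packets:
        try:
            a = verify_accounting_request(pkt, secret)
        except ValueError as exc:
            anomalies.append(("rejected", str(exc)))
            continue
        sid = a.get(ACCT_SESSION_ID, b"").decode("utf-8", "replace")
        user = a.get(USER_NAME, b"?").decode("utf-8", "replace")
        status = u32(a, ACCT_STATUS_TYPE)
        if status == START:
            open_sessions[sid] = user
        elif status == STOP:
            if open_sessions.pop(sid, None) is None:
                anomalies.append(("stop-without-start", sid))
            closed.append({"user": user, "session_id": sid,
                           "seconds": u32(a, ACCT_SESSION_TIME),
                           "bytes_in": u32(a, ACCT_INPUT_OCTETS),
                           "bytes_out": u32(a, ACCT_OUTPUT_OCTETS),
                           "cause": u32(a, ACCT_TERMINATE_CAUSE)})
    return closed, sorted(open_sessions), anomalies


def sample_records(secret):
    """Constructed sample: Maria's finished session, a still-open one, and a Stop
    record built with the wrong secret, as a misconfigured NAS would send."""
    maria = attr(USER_NAME, b"maria") + attr(ACCT_SESSION_ID, b"A1")
    start = build_accounting_request(1, maria + attr(ACCT_STATUS_TYPE, struct.pack("!I", START)), secret)
    stop = build_accounting_request(2, maria + attr(ACCT_STATUS_TYPE, struct.pack("!I", STOP))
                                    + attr(ACCT_SESSION_TIME, struct.pack("!I", 3600))
                                    + attr(ACCT_INPUT_OCTETS, struct.pack("!I", 1200000))
                                    + attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", 8500000))
                                    + attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", 1)), secret)  # 1 = User-Request
    other = build_accounting_request(3, attr(USER_NAME, b"raj") + attr(ACCT_SESSION_ID, b"B7")
                                     + attr(ACCT_STATUS_TYPE, struct.pack("!I", START)), secret)
    bad = build_accounting_request(4, maria + attr(ACCT_STATUS_TYPE, struct.pack("!I", STOP)), b"wrong-secret")
    return [start, stop, other, bad]
```

Sessions that stay in the open list long after a user should have left, and Stop records without a Start, are the kind of accounting gaps an audit should flag rather than silently bill.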

Practical Mini-Lesson

RADIUS is a cornerstone of network security in any organization that needs to manage user access to network resources. To work with RADIUS effectively, you must understand its three core functions: authentication, authorization, and accounting. Authentication is the process of verifying who the user is. Authorization determines what the user is allowed to do. Accounting tracks what the user did while connected. Together, these three functions are called AAA.

In practice, RADIUS is deployed on a server that runs special software. Common RADIUS server implementations include Microsoft Network Policy Server (NPS), FreeRADIUS, and Cisco ISE. The server must be configured with one or more user databases. For most enterprises, this means integrating with an existing identity store like Microsoft Active Directory. This integration allows the RADIUS server to authenticate users against their domain credentials without duplicating user accounts.

Configuring a RADIUS server involves several steps. First, you define the clients that are allowed to communicate with the server. These clients are the NAS devices, such as access points, VPN gateways, or network switches. For each client, you configure a shared secret. This secret must match the one configured on the NAS. The shared secret is used to encrypt the password and to authenticate the communication between the client and server. If the secrets do not match, authentication will fail.

Next, you define the connection request policies. These policies determine which incoming requests are processed and how they are handled. For example, you might have a policy for Wi-Fi connections that requires EAP-TLS certificate-based authentication, and another policy for VPN connections that requires username and password plus a one-time code. The policies can specify which user groups are allowed and what authorization attributes to assign.

Network administrators must also manage the authorization policies. These policies define the set of attributes that are returned in the Access-Accept packet. Common attributes include the Framed-IP-Address, which gives the user a specific IP address, and the Tunnel-Private-Group-ID, which assigns the user to a specific VLAN. These attributes control the user's network experience and security posture.
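The authorization attributes just listed, decoded as an added Python example (not from this page or from any vendor's NAS code): it reduces an Access-Accept body to the address, filter, timeout and VLAN the NAS should apply, handling the RFC 2868 tag octet on the Tunnel-* attributes and ignoring an incomplete or inconsistent VLAN triple instead of guessing. Attribute numbers and enumerations are from RFC 2865 and RFC 2868; the sample values are constructed.

```python
import struct

# Attribute numbers from RFC 2865 and RFC 2868 that carry authorization decisions.
FRAMED_IP_ADDRESS, FILTER_ID, SESSION_TIMEOUT = 8, 11, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out


def split_tag(value):
    """RFC 2868 tagged attribute: the first octet is a tag only when it is 0x00-0x1F;
    a larger first octet belongs to the value and the tag is taken as 0 (untagged)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def authorization_from_accept(attrs):
    """Reduce the attribute list of an Access-Accept to the settings a NAS applies.
    A VLAN is assigned only when Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and a
    numeric Tunnel-Private-Group-ID all arrive under the same tag."""
    result = {"ip": None, "vlan": None, "filter_id": None, "session_timeout": None}
    tunnels = {}  # tag -> {"type": int, "medium": int, "group": str}
    for kind, value in attrs:
        if kind == FRAMED_IP_ADDRESS and len(value) == 4:
            result["ip"] = ".".join(str(b) for b in value)
        elif kind == FILTER_ID:
            result["filter_id"] = value.decode("utf-8", "replace")
        elif kind == SESSION_TIMEOUT and len(value) == 4:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value)  # tagged: 1 tag + 3 value octets; untagged: 4 octets
            field = "type" if kind == TUNNEL_TYPE else "medium"
            tunnels.setdefault(tag, {})[field] = int.from_bytes(rest, "big")
        elif kind == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value)
            tunnels.setdefault(tag, {})["group"] = rest.decode("utf-8", "replace")
    for t in tunnels.values():
        if (t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == MEDIUM_IEEE_802
                and t.get("group", "").isdigit()):
            result["vlan"] = int(t["group"])
            break
    return result


def sample_accept_attrs():
    """Constructed sample Access-Accept body: an address, the staff filter, a
    one-hour session and VLAN 20, with all three tunnel attributes tagged 1."""
    body = (attr(FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40]))
            + attr(FILTER_ID, b"staff-acl")
            + attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
            + attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"))
    return parse_attrs(body)
```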

Troubleshooting RADIUS is a common task. The most frequent problem is a mismatch in the shared secret. If users cannot authenticate, check that the shared secret on the NAS matches the one on the RADIUS server. Another common issue is firewall rules blocking UDP ports 1812 and 1813. Many organizations have strict firewall rules that can prevent the NAS from reaching the RADIUS server. Network administrators should verify that these ports are open between the NAS and the server.

RADIUS also connects to broader concepts like 802.1X, EAP, and network access control. In a wired network using 802.1X, a switch port blocks all traffic until the device authenticates through the RADIUS server. This prevents unauthorized devices from plugging into the network. In a wireless network, RADIUS enables enterprise-grade security by allowing each user to have unique credentials. Understanding RADIUS is essential for any IT professional involved in network security.

Memory Tip

Remember the three A's: Authentication (who you are), Authorization (what you can do), Accounting (what you did). RADIUS is the protocol that delivers all three A's for remote network access. Also remember the ports: 18 and 12 are friends, so port 1812 for authentication, and 18 and 13 are neighbours, so port 1813 for accounting.

Frequently Asked Questions

What port does RADIUS use?

RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Some older implementations use ports 1645 and 1646, but these are deprecated.

Is RADIUS secure?

RADIUS has some security limitations. It only encrypts the password, not the rest of the packet. For better security, you can use RADIUS over TLS (RadSec) or run it over an IPsec tunnel to encrypt all traffic.

What is the difference between RADIUS and TACACS+?

RADIUS combines authentication and authorization in one packet, while TACACS+ separates them into three distinct processes. TACACS+ encrypts the entire packet, while RADIUS only encrypts the password. TACACS+ is more common for device administration, while RADIUS is more common for user network access.

What is a RADIUS client?

A RADIUS client is not the user's computer. It is the network access server (NAS) that forwards user credentials to the RADIUS server. Examples include Wi-Fi access points, VPN gateways, and network switches.

Can RADIUS work with Active Directory?

Yes, most RADIUS servers can integrate with Active Directory. The RADIUS server checks user credentials against Active Directory, allowing organizations to use their existing domain accounts for network access.

What is the difference between RADIUS and LDAP?

RADIUS is an AAA protocol that handles authentication, authorization, and accounting for network access. LDAP is a directory access protocol used to query and update a directory of users and resources. RADIUS can use an LDAP directory as a backend to verify credentials.

Summary

RADIUS is a fundamental protocol for network security that provides centralized authentication, authorization, and accounting for users connecting to a network from remote locations. It works by having a network access device, like a Wi-Fi access point or VPN server, forward user credentials to a central RADIUS server. The server verifies the credentials against a user database, decides what the user is allowed to do, and returns that information to the access device.

RADIUS also tracks usage through its accounting function, which logs session start and stop times and data usage. This centralized approach simplifies management, enhances security, and enables detailed auditing. In certification exams for CompTIA A+, Network+, and Security+, you will encounter RADIUS in questions about remote access, AAA frameworks, port numbers, and scenario-based troubleshooting.

Remember that RADIUS uses UDP ports 1812 and 1813, and that it is different from TACACS+, Kerberos, and LDAP. Understanding RADIUS is essential for any IT professional working with enterprise networks, Wi-Fi security, VPNs, or network access control.