This chapter dives into two cornerstone protocols for network authentication: RADIUS and LDAP. Understanding their differences, use cases, and how they interact is critical for the N10-009 exam, as network security (Domain 4) makes up roughly 20% of the exam, and authentication protocols are frequently tested. You will learn exactly what each protocol does, how they work under the hood, and when to deploy which—along with common exam traps that trip up candidates.
Imagine a nightclub with a bouncer (RADIUS) at the door. The bouncer's job is to check IDs, verify membership, and decide who gets in. He doesn't maintain a list of members; he calls the club's membership office (RADIUS server) which looks up the member database. The bouncer only asks for credentials (username/password or swipe card) and the membership office returns a simple 'yes, this person is allowed in' or 'no, this person is banned.' The bouncer also enforces rules like 'VIPs can enter the VIP lounge' (authorization attributes). He does not care about the member's address, phone number, or how many drinks they've had previously—only authentication and authorization for entry. In contrast, an LDAP directory is like the club's employee directory. It stores detailed information about every member: name, address, photo, membership type, emergency contacts, etc. When the bouncer needs to know if a member is over 21, he could query the directory for the member's birth date. But the directory itself doesn't enforce entry rules; it just provides data. A security guard (application) could use the directory to look up a member's details, but the guard must decide what to do with that information. RADIUS is a protocol for authentication, authorization, and accounting (AAA), while LDAP is a protocol for accessing and maintaining directory information. RADIUS is specialized for network access control; LDAP is a general-purpose directory service.
What is RADIUS?
RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol defined in RFC 2865 (and updated by RFC 2866 for accounting). It provides centralized Authentication, Authorization, and Accounting (AAA) for network access. It was originally designed for dial-up connections but is now used for VPNs, wireless LANs (802.1X), and network device administration.
RADIUS operates at the application layer (UDP ports 1812 for authentication/authorization, 1813 for accounting; older implementations use ports 1645/1646). It is a stateless protocol—each request is independent. The RADIUS client (often a Network Access Server, NAS, like a wireless controller or VPN concentrator) sends user credentials to the RADIUS server, which responds with an accept, reject, or challenge.
How RADIUS Works Internally
The process follows these steps:
1. A user attempts to connect to a network resource (e.g., a Wi-Fi access point).
2. The NAS (RADIUS client) prompts for credentials.
3. The NAS sends an Access-Request packet to the RADIUS server. This packet contains the username, the password (encrypted using the shared secret), the NAS identifier, and other attributes such as Calling-Station-Id.
4. The RADIUS server checks the credentials against its database (or forwards them to an external identity source such as LDAP).
5. The server responds with one of:
- Access-Accept: the user is authenticated; the packet optionally carries authorization attributes (e.g., VLAN assignment, ACL name).
- Access-Reject: the user is denied.
- Access-Challenge: the server requests additional verification (e.g., an OTP token).
6. The NAS enforces the decision and logs accounting data (start, interim, stop) to the RADIUS accounting server.
Key attributes in RADIUS packets include:
User-Name (1)
User-Password (2) – encrypted with MD5 hash of shared secret
NAS-IP-Address (4)
Service-Type (6) – e.g., Framed, Login
Framed-IP-Address (8)
Session-Timeout (27)
Idle-Timeout (28)
Filter-Id (11) – for ACL name
RADIUS uses a shared secret (pre-shared key) between client and server to hide the password and to authenticate packets. The secret itself is never sent over the wire; it is concatenated with the packet's Request Authenticator, hashed with MD5, and the result is XORed with the password.
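To make the packet layout and the password hiding concrete, here is an added Python example (not code from this page or from any RADIUS implementation) that encodes and decodes the TLV attributes, hides and recovers User-Password exactly as RFC 2865 specifies, computes the Response Authenticator the NAS checks on the reply, and computes the Accounting-Request authenticator from RFC 2866. The shared secret, user name, password and NAS address are constructed values.

```python
# RADIUS packet mechanics per RFC 2865/2866 (added example; secret and credentials are constructed)
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4          # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, SESSION_TIMEOUT = 1, 2, 4, 11, 27

def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Only this attribute is protected."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: anyone with the secret and the packet can do this too."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, header included) Value(up to 253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()

def accounting_request_authenticator(ident, attrs, secret):
    """RFC 2866 3: same formula with 16 zero bytes in the authenticator slot, so an
    Accounting-Request (unlike an Access-Request) carries an integrity check."""
    return response_authenticator(ACCOUNTING_REQUEST, ident, attrs, b"\x00" * 16, secret)

def access_request_roundtrip(secret=b"MySecretKey", username=b"jdoe", password=b"Hunter2!"):
    """NAS builds an Access-Request; the server parses it, recovers the password and
    answers Access-Accept with a Filter-Id; the NAS verifies the Response Authenticator.
    Returns (password as recovered by the server, reply accepted by NAS, reply attributes)."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    req = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 168, 1, 20]))])
    code, ident, auth, attrs = parse_packet(req)                         # server side
    recovered = reveal_password(dict(attrs)[USER_PASSWORD], secret, auth)
    reply = [(FILTER_ID, b"acl_vlan10"), (SESSION_TIMEOUT, struct.pack("!I", 86400))]
    resp = build_packet(ACCESS_ACCEPT, ident,
                        response_authenticator(ACCESS_ACCEPT, ident, reply, auth, secret), reply)
    rcode, rident, rauth, rattrs = parse_packet(resp)                    # back at the NAS
    accepted = rcode == ACCESS_ACCEPT and hmac.compare_digest(
        rauth, response_authenticator(rcode, rident, rattrs, req_auth, secret))
    return recovered, accepted, dict(rattrs)
```

Calling access_request_roundtrip() returns the password the server recovered, whether the NAS accepted the reply, and the reply attributes. Two things the walk-through makes visible: User-Name and NAS-IP-Address travel in the clear beside the hidden password, and the hiding is reversible by anyone holding the shared secret, which is why the rest of the packet needs RadSec or IPsec.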
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol defined in RFC 4511 for accessing and maintaining distributed directory information services over an IP network. It is a lightweight version of the older X.500 DAP protocol. LDAP runs over TCP port 389 (plain) or port 636 (LDAPS, LDAP over SSL/TLS).
LDAP directories are hierarchical databases that store information about users, groups, devices, and other resources. Common LDAP directories include Microsoft Active Directory, OpenLDAP, and Novell eDirectory.
How LDAP Works Internally
LDAP uses a client-server model where the client (application) sends LDAP messages to the server. The basic operations are:
Bind: authenticate to the directory (usually with a DN and password).
Search: retrieve entries that match a filter.
Add, Modify, Delete: manage directory entries.
Compare: check if an entry has a specific attribute value.
An LDAP directory is organized as a tree (Directory Information Tree, DIT). Entries have a Distinguished Name (DN) that uniquely identifies them, e.g., cn=John Doe,ou=Users,dc=company,dc=com. Attributes within entries store data like uid, mail, userPassword.
For authentication, an application (e.g., a web app) performs an LDAP bind with the user's DN and password. The server verifies the password (usually by comparing against the stored hash) and returns success or failure. LDAP does not provide authorization attributes like VLAN or ACL—it just confirms identity. Authorization must be implemented by the application based on directory attributes (e.g., group membership).
Key Differences in Protocol Mechanics
Transport: RADIUS uses UDP (connectionless, fast but unreliable; retransmission handled by client). LDAP uses TCP (connection-oriented, reliable).
Encryption: RADIUS encrypts only the password attribute; other attributes are in cleartext unless using RADIUS over TLS (RadSec) or IPsec. LDAP can be encrypted via LDAPS (SSL/TLS) or StartTLS.
State: RADIUS is stateless; each Access-Request is independent. LDAP maintains a session after bind.
Authorization: RADIUS returns authorization attributes inline in the Access-Accept. LDAP requires separate queries to retrieve group memberships or other attributes.
Accounting: RADIUS has built-in accounting (start, stop, interim updates). LDAP has no native accounting.
Integration: RADIUS with LDAP Backend
In many enterprises, RADIUS servers are configured to use an LDAP directory as the identity source. The RADIUS server (e.g., Cisco ISE, FreeRADIUS) receives an Access-Request, then performs an LDAP bind with the user's credentials to verify them. If successful, it may also query LDAP for group membership to assign authorization attributes (e.g., VLAN based on group). This combines the AAA strengths of RADIUS with the centralized user management of LDAP.
Configuration Examples
Cisco IOS RADIUS configuration:
radius server RADIUS_SERVER
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key MySecretKey
!
aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius
aaa accounting exec default start-stop group radius

OpenLDAP search example:
ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=jdoe)"

FreeRADIUS LDAP module (raddb/mods-enabled/ldap):
ldap {
    server = 'ldap.example.com'
    identity = 'cn=admin,dc=example,dc=com'
    password = 'adminpass'
    base_dn = 'dc=example,dc=com'
}

Exam-Relevant Details
RADIUS uses UDP ports 1812 (auth) and 1813 (acct). Older systems may use 1645/1646.
RADIUS encrypts only the User-Password attribute (using MD5 hash of shared secret). Other attributes are in cleartext.
LDAP uses TCP port 389 (plain) or 636 (LDAPS).
LDAP is often used as a backend for RADIUS, but they are not interchangeable.
RADIUS is primarily for network access control (VPN, Wi-Fi, switch port authentication). LDAP is for directory services (user info, email lookups, application authentication).
The N10-009 exam expects you to know that RADIUS is an AAA protocol, while LDAP is a directory access protocol.
User initiates network connection
A user attempts to connect to a wireless network via an access point (AP) or to a VPN concentrator. The NAS (Network Access Server) detects the new connection request. For 802.1X, the AP acts as the authenticator and sends an EAP-Request Identity to the client. The client responds with its identity (e.g., username). The AP then encapsulates this in a RADIUS Access-Request packet and sends it to the RADIUS server. The NAS includes attributes like NAS-IP-Address, NAS-Port, and the user identity. The RADIUS client uses the shared secret to encrypt the password (if PAP) or may forward EAP messages.
RADIUS server receives Access-Request
The RADIUS server listens on UDP port 1812. It receives the packet and validates it using the shared secret (checks the Request Authenticator field). If the packet is valid, the server extracts the User-Name and User-Password (or EAP payload). The server then looks up the user in its local database or forwards the authentication request to an external identity source, such as an LDAP directory or Active Directory. The server may also check authorization policies at this stage, such as time-of-day restrictions or group memberships.
RADIUS server authenticates user via LDAP
If the RADIUS server is configured to use LDAP as an identity source, it performs an LDAP bind operation. First, the RADIUS server binds to the LDAP directory with a service account (e.g., cn=radius,dc=example,dc=com). Then it searches for the user entry using a filter like (uid=jdoe). Once found, it attempts to bind as that user with the provided password. If the bind succeeds, LDAP returns success. The RADIUS server may also retrieve additional attributes (e.g., group membership) for authorization decisions. This occurs over TCP port 389 or 636 (LDAPS).
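The search-then-bind sequence described here (and in the integration section above), written out as an added Python example that is not code from this page, from FreeRADIUS or from Cisco ISE. The directory is an in-memory stand-in with constructed entries (a cn=radius service account, uid=jdoe in Engineering, uid=guest1 in Guest); the group-to-VLAN policy is an assumed example; the Tunnel-* attributes in the reply are the RFC 3580 attributes that carry a VLAN assignment in an Access-Accept.

```python
# Search-then-bind against an LDAP identity source, as a RADIUS server does it.
# Added example; the "directory" is an in-memory stand-in, not a real LDAP server or library.
import hashlib
import hmac

BASE_DN = "dc=example,dc=com"

class LdapError(Exception):
    """Stands in for an LDAP result code such as invalidCredentials (49)."""

def _hash_password(password, salt):
    # Stand-in for a salted userPassword hash; the directory never stores cleartext
    return salt + hashlib.sha256(salt + password.encode()).digest()

# Constructed DIT laid out as the page describes: users under ou=Users, groups under ou=Groups
ENTRIES = {
    "cn=radius,dc=example,dc=com": {          # service account the RADIUS server binds with
        "userPassword": _hash_password("svc-secret", b"\x01\x02\x03\x04")},
    "uid=jdoe,ou=Users,dc=example,dc=com": {
        "uid": "jdoe", "userPassword": _hash_password("Hunter2!", b"\x05\x06\x07\x08"),
        "memberOf": ["cn=Engineering,ou=Groups,dc=example,dc=com"]},
    "uid=guest1,ou=Users,dc=example,dc=com": {
        "uid": "guest1", "userPassword": _hash_password("Welcome1", b"\x09\x0a\x0b\x0c"),
        "memberOf": ["cn=Guest,ou=Groups,dc=example,dc=com"]},
}

class FakeLdapServer:
    """Just enough of the Bind and Search operations for the flow above."""
    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated* bind that
        # succeeds as anonymous; a caller that reads that as "password OK" is bypassed,
        # so it is refused before any comparison happens.
        if not password:
            raise LdapError("unauthenticated bind refused")
        entry = self.entries.get(dn)
        if entry is None:
            raise LdapError("invalidCredentials")
        stored = entry["userPassword"]
        if not hmac.compare_digest(_hash_password(password, stored[:4]), stored):
            raise LdapError("invalidCredentials")
        return dn   # identity this session is now bound as

    def search(self, bound_as, base_dn, attr, value):
        """Equality search, e.g. attr='uid', value='jdoe' for the filter (uid=jdoe). The
        value is matched as data, never spliced into a filter string."""
        if bound_as is None:
            raise LdapError("bind before search")
        return [(dn, e) for dn, e in self.entries.items()
                if dn.endswith(base_dn) and e.get(attr) == value]

# Authorization policy kept on the RADIUS side, as in the page's Wi-Fi scenario
GROUP_TO_VLAN = {
    "cn=Engineering,ou=Groups,dc=example,dc=com": "100",
    "cn=Guest,ou=Groups,dc=example,dc=com": "200",
}

def radius_decision(server, username, password,
                    service_dn="cn=radius,dc=example,dc=com", service_password="svc-secret"):
    """Bind as the service account, search (uid=<username>), bind as the user's own DN,
    then turn memberOf into VLAN attributes (RFC 3580 Tunnel-* attributes).
    Returns (code, attributes) for the Access-Accept/Reject sent back to the NAS."""
    try:
        svc = server.bind(service_dn, service_password)
        matches = server.search(svc, BASE_DN, "uid", username)
        if len(matches) != 1:
            return "Access-Reject", {"Reply-Message": "unknown user"}  # unknown or ambiguous
        user_dn, entry = matches[0]
        server.bind(user_dn, password)      # the actual credential check
    except LdapError as err:
        return "Access-Reject", {"Reply-Message": str(err)}
    vlans = [GROUP_TO_VLAN[g] for g in entry.get("memberOf", []) if g in GROUP_TO_VLAN]
    if not vlans:
        return "Access-Reject", {"Reply-Message": "no network policy for user"}
    return "Access-Accept", {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                             "Tunnel-Private-Group-ID": vlans[0]}

if __name__ == "__main__":
    srv = FakeLdapServer(ENTRIES)
    for user, pw in [("jdoe", "Hunter2!"), ("jdoe", ""), ("guest1", "Welcome1"), ("nobody", "x")]:
        print(user, radius_decision(srv, user, pw))
```

Two handling points in radius_decision are worth carrying into a real integration: a search that returns zero or several entries is a reject rather than a guess, and an empty password is refused before the user bind, because an LDAP simple bind with a DN and no password is an unauthenticated (anonymous) bind that returns success.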
RADIUS server sends Access-Accept/Reject
Based on the authentication result and authorization policies, the RADIUS server constructs a response. An Access-Accept includes attributes such as Session-Timeout (e.g., 86400 seconds), Idle-Timeout (e.g., 1800 seconds), Filter-Id (e.g., 'acl_vlan10'), or Framed-IP-Address. An Access-Reject includes a Reply-Message attribute that may indicate the reason. The server computes a Response Authenticator using the shared secret and sends the packet back to the NAS on UDP port 1812. The NAS then enforces the decision: it grants or denies network access.
Accounting begins (RADIUS)
After the user is authenticated, the NAS sends an Accounting-Request (Start) packet to the RADIUS accounting server (often the same server) on UDP port 1813. This packet includes Acct-Status-Type=Start, Acct-Session-Id (a unique identifier), and user attributes. The server responds with an Accounting-Response. Periodically, the NAS sends Interim-Update packets (Acct-Status-Type=Interim-Update) with updated counters (e.g., bytes sent/received). When the user disconnects, a Stop packet is sent. This accounting data is used for billing, auditing, or monitoring.
Scenario 1: Enterprise Wi-Fi with 802.1X
A large corporation uses Cisco ISE (Identity Services Engine) as its RADIUS server for WPA2-Enterprise Wi-Fi. Employees connect with their domain credentials. The wireless LAN controller (WLC) is the RADIUS client. When an employee connects, the WLC forwards EAP-TLS (certificate-based) or PEAP-MSCHAPv2 (password-based) authentication to ISE. ISE authenticates against Active Directory (LDAP) and then applies authorization policies: if the user is in the 'Engineering' group, they get VLAN 100; if in 'Guest', they get VLAN 200 with internet-only access. ISE also performs posture checks (e.g., antivirus status) via RADIUS CoA (Change of Authorization) to dynamically change ACLs. Common issues: misconfigured shared secrets cause authentication failures; LDAP timeouts if the directory server is overloaded; RADIUS packets dropped due to UDP unreliability (solved by adding multiple RADIUS servers).
Scenario 2: VPN Remote Access
A company uses a Cisco ASA firewall as a VPN concentrator. Remote users authenticate via RADIUS to a FreeRADIUS server that uses an OpenLDAP directory. The LDAP directory stores user attributes like 'radiusVLAN' and 'radiusSessionTimeout'. FreeRADIUS is configured to query LDAP for these attributes after authentication. The VPN assigns IP addresses from a pool and applies ACLs based on the returned attributes. Performance: each authentication takes ~50ms with LDAP on the same LAN; with WAN latency, it can exceed 200ms. Timeouts are configured (e.g., 5 seconds for LDAP bind). If LDAP is down, RADIUS can fall back to a local database.
Scenario 3: Network Device Administration
Network administrators log into routers and switches using RADIUS for AAA. The devices (RADIUS clients) send authentication requests to a RADIUS server that authenticates against LDAP. Authorization is handled by RADIUS attributes: for example, Cisco AV-pairs like 'shell:priv-lvl=15' grant full privilege. Accounting logs all commands entered. Common misconfigurations: RADIUS server IP not allowed in the device's RADIUS server list; shared secret mismatch; LDAP schema missing required attributes. Scale: a single RADIUS server can handle thousands of authentications per second; LDAP queries can be cached to reduce load.
What N10-009 Tests
Objective 4.5 (Network Security) specifically covers authentication protocols, including RADIUS and LDAP. The exam expects you to:
Differentiate between RADIUS and LDAP in terms of purpose (AAA vs directory access).
Know that RADIUS uses UDP ports 1812/1813 (or 1645/1646) and LDAP uses TCP 389/636.
Understand that RADIUS encrypts only the password attribute; LDAP can encrypt the whole session.
Recognize that RADIUS is used for network access control (VPN, 802.1X, dial-up), while LDAP is used for directory queries (user lookup, email).
Identify that RADIUS can use LDAP as a backend for user authentication.
Common Wrong Answers and Why
'LDAP is used for authentication in Wi-Fi networks.' This is wrong because LDAP is a directory protocol, not an AAA protocol. While RADIUS may use LDAP as a backend, the actual authentication protocol for Wi-Fi is RADIUS (via 802.1X).
'RADIUS uses TCP for reliability.' Candidates see that RADIUS is an application protocol and assume TCP. But RADIUS uses UDP; it relies on retransmission timers and multiple servers for reliability.
'LDAP encrypts all attributes by default.' Plain LDAP (port 389) sends data in cleartext; only LDAPS (636) or a connection upgraded with StartTLS encrypts it. RADIUS encrypts the password but not other attributes.
'RADIUS and LDAP are interchangeable.' They serve different purposes; you cannot replace one with the other.
Specific Values and Terms
UDP ports: 1812 (auth), 1813 (acct) — remember the sequence (12 for auth, 13 for acct).
TCP ports: 389 (LDAP), 636 (LDAPS).
RADIUS attributes: User-Password (encrypted), Session-Timeout, Filter-Id.
LDAP operations: Bind, Search, Compare.
Edge Cases
RADIUS over TLS (RadSec) uses TCP 2083 — not commonly tested but may appear as a distractor.
LDAP can be used for authentication (via bind), but it does not provide accounting or authorization attributes like VLAN.
Some exam questions describe a scenario where a company wants to centralize user accounts for multiple applications — that points to LDAP, not RADIUS.
Eliminating Wrong Answers
If the scenario involves network access control (e.g., 'authenticate users connecting to Wi-Fi or VPN'), the answer is RADIUS.
If the scenario involves 'storing user information' or 'directory service', the answer is LDAP.
If the question mentions 'AAA', 'accounting', or 'VLAN assignment', it is RADIUS.
If the question mentions 'TCP port 389' or 'distinguished name', it is LDAP.
RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting); older systems use 1645/1646.
LDAP uses TCP port 389 (plain) or 636 (LDAPS).
RADIUS encrypts only the User-Password attribute; other attributes are in cleartext.
RADIUS is an AAA protocol for network access; LDAP is a directory service protocol.
RADIUS can use LDAP as a backend for user authentication and attribute retrieval.
Common RADIUS attributes: Session-Timeout, Idle-Timeout, Filter-Id, Framed-IP-Address.
LDAP operations: Bind (authenticate), Search, Compare, Add, Modify, Delete.
For N10-009, know the port numbers and primary use cases to differentiate them.
These come up on the exam all the time. Here's how to tell them apart.
RADIUS
AAA protocol: Authentication, Authorization, Accounting
Uses UDP ports 1812 (auth) and 1813 (acct)
Encrypts only the password attribute
Designed for network access control (VPN, Wi-Fi, dial-up)
Returns authorization attributes (VLAN, ACL) in the response
LDAP
Directory access protocol: read/write directory data
Uses TCP ports 389 (plain) and 636 (LDAPS)
Can encrypt entire session via LDAPS or StartTLS
Used for centralized user information, email lookups, app authentication
Does not provide authorization attributes; application must interpret directory data
Mistake
RADIUS and LDAP are both authentication protocols and can be used interchangeably.
Correct
RADIUS is an AAA protocol (authentication, authorization, accounting) designed for network access. LDAP is a directory access protocol for reading/writing directory data. While LDAP can authenticate users via bind, it lacks built-in authorization attributes (like VLAN) and accounting. They are not interchangeable; RADIUS often uses LDAP as a backend.
Mistake
RADIUS encrypts all data in the packet.
Correct
RADIUS encrypts only the User-Password attribute using a shared secret and MD5 hash. Other attributes (e.g., username, NAS-IP-Address, Filter-Id) are sent in cleartext. For full encryption, RADIUS over TLS (RadSec) or IPsec must be used.
Mistake
LDAP uses UDP for fast queries.
Correct
LDAP uses TCP (port 389 or 636) because it requires reliable, ordered delivery for directory operations. UDP would not guarantee delivery of search results or updates.
Mistake
RADIUS is only for dial-up connections.
Correct
RADIUS was originally designed for dial-up but is now widely used for VPN, 802.1X wireless, network device administration, and even cloud-based network access control.
Mistake
LDAP provides accounting (start/stop records).
Correct
LDAP does not have native accounting. Accounting is a feature of RADIUS (start, interim, stop records). If accounting is needed, RADIUS is the appropriate protocol.
RADIUS uses UDP port 1812 for authentication and authorization, and UDP port 1813 for accounting. Some older implementations use ports 1645 and 1646. For encrypted communication, RadSec (RADIUS over TLS) uses TCP port 2083.
LDAP uses TCP port 389 for plaintext connections and TCP port 636 for LDAPS (LDAP over SSL/TLS). Alternatively, StartTLS can upgrade a plain connection to encrypted on port 389.
LDAP can authenticate users via the Bind operation, but it is not designed for network access control. It lacks built-in authorization attributes (e.g., VLAN assignment) and accounting. For network authentication, RADIUS is the appropriate protocol, though RADIUS servers often use LDAP as a backend identity source.
RADIUS uses UDP and combines authentication and authorization in one packet; it encrypts only the password. TACACS+ uses TCP and separates authentication, authorization, and accounting; it encrypts the entire payload. TACACS+ is often used for device administration, while RADIUS is used for network access.
RADIUS encrypts the User-Password attribute by XORing the password with an MD5 hash of the shared secret and the Request Authenticator (a random number). The shared secret is never sent over the wire. Other attributes are not encrypted.
A pre-shared key configured on both the RADIUS client (NAS) and server. It is used to encrypt the password and to authenticate packets via the Request/Response Authenticator. It must be kept confidential and should be a strong, random string.
Yes, RADIUS servers like Microsoft NPS (Network Policy Server) or third-party solutions can integrate with Active Directory. The RADIUS server authenticates users against AD (using LDAP or Kerberos) and applies network policies.