RADIUS — Remote Authentication Dial-In User Service
The AAA workhorse. Invented for dial-up modems in 1991, now the quiet backbone of every 802.1X, Wi-Fi enterprise, and VPN deployment.
The AAA model
| Letter | Meaning | RADIUS codes |
|---|---|---|
| Authentication | Who are you? | Access-Request / Access-Accept / Access-Reject / Access-Challenge |
| Authorization | What can you do? | Returned via attributes in Access-Accept |
| Accounting | What did you do? | Accounting-Request (Start/Interim/Stop) |
Authentication and authorization are bundled in the same flow; accounting is a separate conversation.
Message flow (simplified)
```
NAS (switch / AP / VPN)                              RADIUS server
    |---- Access-Request -------------------------->|  random Request Authenticator; User-Password
    |                                               |  obscured with the shared secret
    |<--- Access-Challenge -------------------------|  (EAP: repeated until the method completes)
    |---- Access-Request (State echoed) ----------->|
    |<--- Access-Accept ----------------------------|  + attributes (VLAN, ACL, Session-Timeout);
    |                                               |  Response Authenticator = MD5 over reply + secret
    |                                               |
    |---- Accounting-Request (Start) -------------->|
    |<--- Accounting-Response ----------------------|
    ... (session lives; optional Interim-Update) ...
    |---- Accounting-Request (Stop) --------------->|
```
Terminology:
- NAS (Network Access Server) — the device that turns a user's login attempt into RADIUS traffic (switch port, AP, VPN concentrator). Called the "authenticator" in 802.1X. It is the RADIUS client; the RADIUS server is the 802.1X "authentication server".
- Supplicant — the user's device (802.1X term).
- Shared secret — symmetric key between one NAS and the server. It keys the Response Authenticator (an MD5 hash over the reply, not an HMAC), the optional Message-Authenticator attribute (HMAC-MD5 over the whole packet), and the MD5/XOR stream that obscures User-Password. It never encrypts the packet: User-Name, MAC addresses, VLAN and ACL names all travel in the clear.
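The exchange above, as an added worked example (not code from the original page or from any RADIUS implementation): a PAP Access-Request with the User-Password obscured per RFC 2865 section 5.2, the server recovering it, and the NAS checking the Response Authenticator on the Access-Accept, including what happens when an on-path attacker edits the assigned VLAN. The shared secret, user name, password and credential table are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 4, 81


def attr(atype, value):
    """Type-Length-Value; Length counts its own two octets, so a value is at most 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(data):
    """Walk the attribute list. A Length below 2 would never advance, so reject it."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a multiple of 16 (minimum 16), then XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the Request Authenticator."""
    n = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of the same construction; the chaining value is the received ciphertext block.
    Trailing NUL padding is stripped, so a password that itself ends in NUL bytes is not representable."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret). It covers the reply's
    attributes, so a VLAN or ACL changed in transit is caught, but it is plain MD5, not an HMAC."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def verify_response(resp, request_auth, secret):
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return False
    expected = response_authenticator(code, ident, request_auth, resp[20:], secret)
    return hmac.compare_digest(expected, resp[4:20])


def pap_exchange(secret, username, password, users, nas_ip="10.0.0.2"):
    """One Access-Request / Access-Accept round trip run in-process; `users` is the server's
    constructed credential table. Returns what each side concluded."""
    ident, request_auth = 7, os.urandom(16)
    # NAS: the only field the secret protects on the wire is the User-Password value.
    req_attrs = (attr(USER_NAME, username)
                 + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
                 + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    req = packet(ACCESS_REQUEST, ident, request_auth, req_attrs)
    # Server: recover the password using the Request Authenticator carried in the packet.
    got = dict(parse_attrs(req[20:]))
    seen = reveal_password(got[USER_PASSWORD], secret, req[4:20])
    accepted = users.get(got[USER_NAME]) == seen
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    resp_attrs = attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"42") if accepted else b""
    resp = packet(code, ident, response_authenticator(code, ident, req[4:20], resp_attrs, secret), resp_attrs)
    # NAS: check the Response Authenticator against the Request Authenticator it generated itself.
    tampered = resp.replace(b"42", b"99")          # an on-path change to the assigned VLAN
    return {
        "server_saw_password": seen,
        "accepted": accepted,
        "response_ok": verify_response(resp, request_auth, secret),
        "tampered_ok": verify_response(tampered, request_auth, secret) if accepted else None,
    }
```

Note what the secret does and does not buy you here: the password is hidden, and the reply cannot be edited without detection, but the request itself carries no integrity check at all unless a Message-Authenticator attribute is added, and everything except the password is readable by anyone on the path.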
Ports
- UDP 1812 — authentication (the official port since RFC 2138; RFC 2865 keeps it)
- UDP 1813 — accounting
- UDP 1645 / 1646 — legacy pre-standard ports (1645 collided with another registered service); some devices still default here, so check that both ends agree
- UDP 3799 — Change of Authorization, server to NAS (RFC 5176 default)
UDP, not TCP — which means retransmit and timeout logic lives in the NAS, not in the transport. A server that is reachable but slow makes every NAS retry and then fail over, and users see the login hang; tune NAS timeout and retry counts against measured server latency (an EAP-TLS login is a dozen round trips, each one subject to the timer). The 8-bit Identifier field also limits a NAS to 256 outstanding requests per source port, so a busy NAS has to spread load across source ports or queue.
EAP-over-RADIUS — the 802.1X connection
In an 802.1X flow the supplicant sends EAPOL (EAP over LAN) frames to the switch. The switch strips the EAPOL header and carries the EAP packet in one or more EAP-Message (79) attributes inside an Access-Request; RFC 3579 requires every packet that carries EAP-Message to also carry a Message-Authenticator (80), and the server must drop those that do not. The server answers with Access-Challenge carrying the next EAP packet plus a State (24) attribute, which the switch echoes unchanged in its next Access-Request so the server can match the round to the session. This repeats until the EAP method (PEAP, EAP-TLS, etc.) completes, then Access-Accept with the session attributes (and, for key-deriving methods on Wi-Fi, the MS-MPPE key VSAs from which the AP takes the PMK).
The switch is method-agnostic: it relays EAP packets, tracks only the EAP identifier and the State value, and never looks inside the method. That is why your switch does not need to understand PEAP or EAP-TLS; only the RADIUS server and the supplicant do.
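The relay described above, as an added example (not code from the original page or from any switch or server vendor): the authenticator side that takes an EAP packet out of an EAPOL frame, splits it across EAP-Message attributes, echoes State, and signs with Message-Authenticator; and the server side that verifies the HMAC and reassembles the EAP packet. The secret, identity and the 600-octet EAP-TLS filler are constructed; the server here returns a fresh State but does not run a real EAP method.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 24, 79, 80
EAPOL_EAP_PACKET = 0                 # EAPOL Type 0 carries an EAP packet (802.1X)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
MAX_VALUE = 253                      # attribute Length is one octet and includes the 2-octet header


def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def iter_attrs(data):
    """Yield (type, value, offset) so the caller can locate an attribute inside the raw packet."""
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[i + 2:i + alen], i
        i += alen


def eap_from_eapol(frame):
    """EAPOL header is Version(1) Type(1) Length(2). Only Type 0 (EAP-Packet) is relayed; EAPOL-Start,
    EAPOL-Logoff and key frames are handled by the switch itself and never reach RADIUS."""
    _version, etype, length = struct.unpack("!BBH", frame[:4])
    if etype != EAPOL_EAP_PACKET:
        return None
    return frame[4:4 + length]


def relay_to_radius(eap, secret, ident, username, state=None):
    """Authenticator side: split the EAP packet across EAP-Message attributes, echo the State from the
    last Access-Challenge, and sign the whole datagram with Message-Authenticator (HMAC-MD5, RFC 3579)."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username)
    if state is not None:
        attrs += attr(STATE, state)
    for i in range(0, len(eap), MAX_VALUE):
        attrs += attr(EAP_MESSAGE, eap[i:i + MAX_VALUE])
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)       # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac          # the placeholder is the last attribute, so its value is the final 16 octets


def check_message_authenticator(pkt, secret):
    """Server side: zero the Message-Authenticator value wherever it sits, recompute the HMAC over the
    whole packet, compare in constant time. A missing attribute means reject (RFC 3579 section 3.1)."""
    for atype, value, off in iter_attrs(pkt[20:]):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            start = 20 + off + 2
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def server_receive(pkt, secret):
    """Reassemble the EAP packet by concatenating EAP-Message values in order, then parse the EAP header.
    Returns the fields the server's EAP state machine would consume plus a fresh State for the reply."""
    if not check_message_authenticator(pkt, secret):
        raise ValueError("bad or missing Message-Authenticator: drop silently")
    eap = b"".join(v for t, v, _ in iter_attrs(pkt[20:]) if t == EAP_MESSAGE)
    code, eid, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length does not match reassembled payload")
    return {"code": code, "id": eid, "type": eap[4], "data": eap[5:], "state_for_next": os.urandom(8)}


def demo(secret=b"s3cret"):
    """Two constructed rounds: an EAP-Response/Identity inside an EAPOL frame, then an oversized
    (600-octet) EAP-Response that must be split across three EAP-Message attributes."""
    identity = b"alice@example.org"
    ident_eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(ident_eap)) + ident_eap
    req1 = relay_to_radius(eap_from_eapol(eapol), secret, 10, identity)
    first = server_receive(req1, secret)
    big_eap = struct.pack("!BBHB", EAP_RESPONSE, 2, 5 + 600, 13) + b"\xaa" * 600   # type 13 = EAP-TLS
    req2 = relay_to_radius(big_eap, secret, 11, identity, state=first["state_for_next"])
    fragments = [v for t, v, _ in iter_attrs(req2[20:]) if t == EAP_MESSAGE]
    echoed = [v for t, v, _ in iter_attrs(req2[20:]) if t == STATE]
    forged = req2[:-1] + bytes([req2[-1] ^ 0x01])      # flip one bit of the HMAC
    return {
        "identity": first["data"],
        "fragments": len(fragments),
        "state_echoed": echoed == [first["state_for_next"]],
        "big_reassembled": server_receive(req2, secret)["data"] == b"\xaa" * 600,
        "forged_accepted": check_message_authenticator(forged, secret),
    }
```

The split into 253-octet EAP-Message attributes is a RADIUS attribute-length limit and is separate from the fragmentation the EAP method itself does; both happen to a large EAP-TLS certificate exchange, which is why the MTU gotcha below exists.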
Key attributes (RFC 2865 + vendor-specific)
| Attribute | Purpose |
|---|---|
| User-Name (1) | Identity (for EAP this is the outer identity and may be anonymous@realm) |
| NAS-IP-Address (4) / NAS-Identifier (32) | Which NAS is asking |
| NAS-Port (5) / NAS-Port-Id (87) | Which port/interface |
| Service-Type (6) | Framed, Login, Outbound, Administrative… |
| Framed-MTU (12) | NAS hint the server uses to size EAP fragments |
| Called-Station-Id (30) | MAC of NAS (AP BSSID, usually followed by the SSID, for Wi-Fi) |
| Calling-Station-Id (31) | MAC of client |
| State (24) | Opaque; server sets it in Access-Challenge, NAS echoes it in the next Access-Request |
| EAP-Message (79) | EAP payload, split across several attributes when longer than 253 octets |
| Message-Authenticator (80) | HMAC-MD5 over the packet; mandatory whenever EAP-Message is present (RFC 3579) |
| Tunnel-Type (64) = VLAN (13) | Dynamic VLAN assignment, together with Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = VLAN ID or name, all with the same tag (RFC 3580) |
| Filter-Id (11) | ACL name to apply |
| Session-Timeout (27) | Max session length; the NAS re-authenticates when it expires |
| Class (25) | Opaque; server sends it in Access-Accept, NAS copies it into accounting to tie the two together |
VSAs (Vendor-Specific Attributes) — attribute 26 carrying a 4-octet Vendor-Id followed by vendor-defined sub-attributes, normally in the same type/length/value shape (RFC 2865 section 5.26). Most enforcement features (dACLs, URL redirect, SGTs) live here, for example as Cisco-AVPair strings (Vendor-Id 9, sub-type 1).
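An added example of decoding the authorization attributes above (not code from the original page or from any NAS vendor): tagged Tunnel-* values per RFC 2868, a Vendor-Specific attribute carrying Cisco-AVPair sub-attributes, and the NAS-side rule that a VLAN is only applied when all three tunnel attributes agree. It takes an already-parsed (type, value) list, as any RADIUS library hands back, so it concentrates on the value encodings. The sample attribute list and the AVPair string are constructed.

```python
import struct

# RFC 2868 tunnel attributes; RFC 2865 Filter-Id, Session-Timeout and Vendor-Specific.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
FILTER_ID, SESSION_TIMEOUT, VENDOR_SPECIFIC = 11, 27, 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def decode_tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet followed by a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tagged_string(value):
    """Tunnel-Private-Group-ID: the leading octet is a tag only if it is 0x00..0x1F; anything larger is
    the first character of the string (RFC 2868 section 3.6), so 'Staff' has tag 0, not tag 0x53."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_vsa(value):
    """Vendor-Specific (26): 4-octet Vendor-Id, then vendor sub-attributes in type/length/value form."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = int.from_bytes(value[:4], "big")
    subs, i = [], 4
    while i < len(value):
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def encode_cisco_avpair(text):
    """Build the value of a Vendor-Specific attribute carrying one Cisco-AVPair string."""
    body = text.encode()
    return CISCO_VENDOR_ID.to_bytes(4, "big") + bytes([CISCO_AVPAIR, 2 + len(body)]) + body


def authorization_from_accept(attrs):
    """Turn an Access-Accept's (type, value) list into the decisions a NAS enforces. A VLAN is assigned
    only when Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID all carry the
    same tag (the usual NAS rule, per RFC 3580); a partial or mismatched set is ignored."""
    result = {"vlan": None, "filter_id": None, "session_timeout": None, "avpairs": []}
    by_tag = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, n = decode_tagged_int(value)
            by_tag.setdefault(tag, {})[atype] = n
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = decode_tagged_string(value)
            by_tag.setdefault(tag, {})[atype] = s.decode()
        elif atype == FILTER_ID:
            result["filter_id"] = value.decode()
        elif atype == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC:
            vendor, subs = decode_vsa(value)
            if vendor == CISCO_VENDOR_ID:
                result["avpairs"] += [s.decode() for st, s in subs if st == CISCO_AVPAIR]
    for tag in sorted(by_tag):
        grp = by_tag[tag]
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            result["vlan"] = grp[TUNNEL_PRIVATE_GROUP_ID]
            break
    return result


# Constructed Access-Accept attribute list: tagged VLAN 42, a named ACL, a one-hour session, and a
# Cisco per-user ACL line as a VSA. Values are illustrative, not captured from a real server.
SAMPLE_ACCEPT_ATTRS = [
    (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"42"),
    (FILTER_ID, b"guest-acl"),
    (SESSION_TIMEOUT, struct.pack("!I", 3600)),
    (VENDOR_SPECIFIC, encode_cisco_avpair("ip:inacl#10=permit ip any any")),
]
```

The tag rule in `decode_tagged_string` is the one people get wrong: a VLAN name starting with a printable character is untagged, not tagged with its first letter, and a server that emits Tunnel-Private-Group-ID with a tag while leaving the other two untagged produces a reply the NAS silently ignores.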
Change of Authorization (CoA, RFC 5176)
Standard RADIUS is one-shot — session attributes are fixed at auth time. CoA reverses the direction: the server sends a CoA-Request (43) or Disconnect-Request (40) to the NAS, which listens on UDP 3799 and answers with an ACK (44 / 41) or a NAK (45 / 42, carrying an Error-Cause (101) such as 503 Session-Context-Not-Found). The target session is identified by attributes the NAS reported earlier (Acct-Session-Id, User-Name, NAS-Port, Calling-Station-Id); Acct-Session-Id is the most reliable key, so keep accounting enabled to the same server. Essential for:
- NAC quarantine — move a misbehaving endpoint to a remediation VLAN without physically bouncing it
- Lost device — disconnect the session from an admin UI
- Posture re-check — force re-auth after a compliance check
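The reverse-direction exchange above, as an added example that is not part of the original page or of any vendor's code: the NAS records a session with an Accounting-Request Start, then serves Disconnect-Requests, using the computed (non-random) request authenticator that Accounting-Request, CoA-Request and Disconnect-Request all share. The secret, session ID and user name are constructed; the NAS class keeps sessions in a dict instead of real port state.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ERROR_CAUSE = 1, 40, 44, 101
ACCT_START, SESSION_CONTEXT_NOT_FOUND = 1, 503
COA_PORT = 3799          # RFC 5176 default: the NAS listens here, the server sends


def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def attrs_of(pkt):
    """(type, value) pairs from the attribute list after the 20-octet header."""
    out, i = [], 20
    while i < len(pkt):
        alen = pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((pkt[i], pkt[i + 2:i + alen]))
        i += alen
    return out


def request_authenticator(code, ident, attrs, secret):
    """Accounting-Request (RFC 2866 s3), CoA-Request and Disconnect-Request (RFC 5176 s2.3) have no random
    authenticator: it is MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + request_authenticator(code, ident, attrs, secret) + attrs


def check_request(pkt, secret):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    return hmac.compare_digest(request_authenticator(code, ident, pkt[20:], secret), pkt[4:20])


def build_reply(code, ident, request_auth, attrs, secret):
    """ACK/NAK (and Accounting-Response) use the Access-Accept rule:
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


class Nas:
    """The NAS side: it emits accounting for its sessions and serves Disconnect-Requests on 3799."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}                      # Acct-Session-Id -> user name

    def accounting_start(self, ident, session_id, user):
        self.sessions[session_id] = user
        attrs = (attr(USER_NAME, user)
                 + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
                 + attr(ACCT_SESSION_ID, session_id))
        return build_request(ACCOUNTING_REQUEST, ident, attrs, self.secret)

    def handle_dynamic_auth(self, pkt):
        """Bad authenticator: drop silently, so a sender with a guessed secret learns nothing. Unknown
        session: NAK with Error-Cause 503. Known session: tear it down and ACK."""
        if not check_request(pkt, self.secret):
            return None
        code, ident, _ = struct.unpack("!BBH", pkt[:4])
        if code != DISCONNECT_REQUEST:
            return None                          # CoA-Request (attribute changes) would be handled here
        session_id = dict(attrs_of(pkt)).get(ACCT_SESSION_ID)
        if session_id in self.sessions:
            del self.sessions[session_id]
            return build_reply(DISCONNECT_ACK, ident, pkt[4:20], b"", self.secret)
        nak_attrs = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
        return build_reply(DISCONNECT_NAK, ident, pkt[4:20], nak_attrs, self.secret)


def demo(secret=b"coa-secret"):
    """Constructed scenario: one session, a valid Disconnect-Request, a forged one built with the wrong
    secret, and a repeat for the session that has already been torn down."""
    nas = Nas(secret)
    start = nas.accounting_start(1, b"0000ABCD", b"alice")          # the server would verify with check_request
    target = attr(USER_NAME, b"alice") + attr(ACCT_SESSION_ID, b"0000ABCD")
    ack = nas.handle_dynamic_auth(build_request(DISCONNECT_REQUEST, 2, target, secret))
    forged = nas.handle_dynamic_auth(build_request(DISCONNECT_REQUEST, 3, target, b"guessed-secret"))
    nak = nas.handle_dynamic_auth(build_request(DISCONNECT_REQUEST, 4, target, secret))
    return {
        "acct_start_valid": check_request(start, secret),
        "ack_code": ack[0],
        "forged_dropped": forged is None,
        "nak_code": nak[0],
        "nak_error_cause": struct.unpack("!I", dict(attrs_of(nak))[ERROR_CAUSE])[0],
        "sessions_left": len(nas.sessions),
    }
```

Because the NAS is the listener here, the shared secret is the only thing standing between an attacker who can reach UDP 3799 and a disconnect of any session whose Acct-Session-Id they can guess or sniff; restrict that port to the RADIUS servers' addresses or carry CoA over RadSec.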
RADIUS vs TACACS+
| | RADIUS | TACACS+ |
|---|---|---|
| Designed for | Network access (users, devices) | Device admin (router/switch login) |
| Transport | UDP 1812 / 1813 | TCP 49 |
| Encryption | Only User-Password is obscured; every other attribute is in the clear | Whole body obfuscated with an MD5 keystream (RFC 8907 itself calls this obfuscation, not encryption) |
| AAA separation | Auth + authz in one exchange | Auth / authz / accounting as separate exchanges, which is what makes per-command authorization possible |
| Standard | RFC 2865 / RFC 2866 | Cisco protocol, documented as RFC 8907 (2020) |
| Typical use | 802.1X, Wi-Fi, VPN | Admin login with per-command authorisation and command accounting |
Rule of thumb: RADIUS for users, TACACS+ for admins.
Transport security
Base RADIUS is scary — MD5-based authenticators from 1991, UDP, one static shared secret per NAS, and only the password field hidden. The 2024 Blast-RADIUS attack (CVE-2024-3596) showed that an on-path attacker can forge an Access-Accept with an MD5 chosen-prefix collision when Message-Authenticator is not required, so at minimum make clients send Message-Authenticator and make the server demand it. Better options:
- RadSec (RFC 6614) — RADIUS over TLS (TCP 2083). Encrypts and authenticates the whole exchange, identifies peers by certificate rather than source IP, and removes the UDP fragmentation and NAT problems listed below. Used by federated Wi-Fi (eduroam) and cloud RADIUS services. RFC 7360 does the same over DTLS (UDP 2083) for NAS that cannot do TCP.
- IPsec tunnel — encapsulate legacy RADIUS between NAS and server when the NAS cannot speak RadSec.
Common gotchas
- Shared secret mismatch — nothing says "wrong secret". If the request carries Message-Authenticator the server drops it silently; if not, the server recovers garbage for the password and replies Access-Reject, which the NAS discards because the Response Authenticator does not verify. Either way the NAS sees a timeout. Always debug from the server log.
- NAS behind NAT — the server identifies clients by source IP, so it sees the translated address: either it rejects the packet as an unknown client, or NAS-IP-Address (4) disagrees with the source. Define the client by its NAT address, key on NAS-Identifier (32), or use RadSec, where identity comes from the certificate. CoA (RFC 5176, which obsoletes RFC 3576) back to a NAT'd NAS additionally needs a port forward or RadSec, because the server has to initiate.
- Large EAP payloads fragmenting — an EAP-TLS certificate chain is several kilobytes. The EAP method fragments it, but each fragment rides in one RADIUS/UDP datagram; if that datagram exceeds the path MTU it is IP-fragmented, and IP fragments are routinely dropped by firewalls. Set the server's EAP fragment size so a full Access-Challenge fits in one MTU (and honour any Framed-MTU (12) the NAS sends), or use RadSec, where TCP handles it.
- Accounting loss — UDP, no guaranteed delivery. Interim-Updates and Stop records can be lost, and retransmits can duplicate them (dedupe on Acct-Session-Id (44)). Budget for it; don't use accounting as a billing source of truth without reconciliation against another record.
See also
- Dot1x, 802.1x method explain — primary consumer of RADIUS
- PacketFence vs OpenNAC — RADIUS servers at scale
- Authentication
- Identity