Subscribe to Our Updates
Join our community and be the first to receive exclusive insights
You are subscribed now!
.svg){kind=small}
Products
Solutions
Resources
Software Platforms
WiFi
RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) services for users connecting to a network.
Remote Authentication Dial-In User Service was originally developed to authenticate users connecting through dial-up systems, but it has since evolved into a core protocol for managing network access across a broad range of technologies. Today, RADIUS operates as the backbone of centralized authentication in enterprise Wi-Fi networks, VPN systems, wired 802.1X deployments, and ISP broadband access platforms.
Its primary purpose is to provide a unified mechanism for verifying user identity, determining access privileges, and tracking usage activity. The protocol allows network access devices, referred to as RADIUS clients, to forward authentication requests to a centralized RADIUS server. The server then evaluates credentials against backend identity sources such as Active Directory, LDAP directories, SQL databases, or certificate authorities.
This centralized architecture ensures that access decisions are not fragmented across multiple devices. Instead, authentication logic is applied consistently, regardless of where the user connects within the organization’s infrastructure.
RADIUS delivers three fundamental services commonly known as Authentication, Authorization, and Accounting.
Authentication ensures that a user or device attempting to connect to the network is legitimate. When credentials are submitted—whether in the form of a username and password, digital certificate, token, or SIM-based credential—the RADIUS server validates those credentials against its configured identity store. In modern enterprise Wi-Fi environments, authentication often occurs through Extensible Authentication Protocol (EAP) methods, with RADIUS acting as the decision authority.
Authorization determines what resources the authenticated entity is permitted to access. After successful authentication, the RADIUS server can return policy attributes that define the user’s access level. These attributes may include VLAN assignment, access control lists, bandwidth restrictions, quality-of-service policies, or session timeout values. This allows organizations to dynamically segment users based on identity rather than physical location, aligning with Zero Trust security principles.
Accounting provides detailed logging of session activity. The RADIUS server records session start and stop times, connection duration, data usage, and device identifiers. These records support auditing, compliance reporting, billing systems in service provider environments, and forensic analysis in enterprise settings. Accounting enhances visibility and ensures traceability across network sessions
RADIUS operates using a structured client-server interaction model. When a user attempts to connect to a network, the access device, such as a Wi-Fi access point or VPN concentrator, acts as the RADIUS client. The device forwards the user’s credentials inside an Access-Request message to the RADIUS server.
The RADIUS server evaluates the credentials by consulting its configured backend systems. If authentication succeeds, it responds with an Access-Accept message that may include authorization attributes defining access permissions. If authentication fails, it responds with Access-Reject, and the network access device denies connectivity.
In environments using IEEE 802.1X, RADIUS integrates closely with EAP authentication. The access device does not validate credentials itself but instead encapsulates EAP messages within RADIUS packets and forwards them to the authentication server. This design ensures that sensitive credentials are processed centrally rather than stored on edge devices.
Throughout the session, accounting messages may be transmitted to track usage and session metrics. When the session ends, a final accounting record is generated to complete the activity log.
RADIUS operates over UDP and commonly uses port 1812 for authentication and port 1813 for accounting. Earlier implementations used ports 1645 and 1646. Because it uses UDP rather than TCP, RADIUS includes retransmission mechanisms to handle potential packet loss.
In traditional implementations, the user password field is protected using a shared secret and an MD5-based hashing mechanism between the RADIUS client and server. However, this approach encrypts only the password portion of the packet rather than the entire communication exchange. For stronger security, many modern deployments implement RADIUS over TLS (often referred to as RadSec), which encrypts the entire RADIUS session and provides certificate-based mutual authentication between servers.
RADIUS also supports vendor-specific attributes, allowing equipment manufacturers to extend the protocol with custom policy controls while maintaining interoperability.
In enterprise network security, RADIUS is widely deployed to manage employee Wi-Fi access and wired port authentication. It enables dynamic VLAN assignment and identity-based segmentation, ensuring that users are placed into appropriate network zones based on authentication results.
Internet Service Providers rely on RADIUS to authenticate subscribers and track broadband usage. It plays a central role in billing systems, bandwidth enforcement, and subscriber management frameworks.
In VPN environments, RADIUS authenticates remote users attempting to establish secure tunnels into corporate networks. It can integrate with multi-factor authentication systems to enhance security.
From a monitoring and compliance perspective, RADIUS accounting logs provide detailed session data required for regulatory reporting and audit trails. Organizations can use these logs to demonstrate adherence to security standards and to investigate suspicious activity.
RADIUS is a foundational networking protocol that centralizes authentication, authorization, and accounting functions across diverse network environments. By separating identity verification from access enforcement, it enables scalable policy management, strengthens security controls, and provides detailed session tracking for auditing and compliance.
Its integration with 802.1X and EAP makes it indispensable in enterprise Wi-Fi and secure wired access deployments, while its flexibility and extensibility continue to support modern authentication frameworks and large-scale service provider networks.