Glossary

What is a RADIUS protocol?

RADIUS (Remote Authentication Dial-In User Service) is a network protocol that centralizes authentication, authorization, and accounting (AAA) to manage and secure user access.

Back to previous

What is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol designed to centralize authentication, authorization, and accounting (AAA) functions. Its primary purpose is to simplify network access and reduce management load through its robust AAA framework. Centralizing these critical functions helps RADIUS manage network access efficiently across various infrastructures and locations, including the network access identifier, while also supporting RADIUS authentication, remote authentication dial, and RADIUS client.

RADIUS has been adapted to support various types of network access, including Wi-Fi, virtual private networks, and wireless access points. Its design allows for scalability without disrupting existing functions, making it a versatile choice for organizations of all sizes. This adaptability is one of the key reasons RADIUS has become a fundamental component in network security.

Core functions of RADIUS (AAA)

The RADIUS protocol performs three fundamental functions that are essential for managing secure network access: authentication, authorization, and accounting.

Authentication

This function verifies the identity of devices or users before granting them access to the network. By checking credentials such as usernames, passwords, or other authentication methods, RADIUS ensures that only authorized entities can connect.

Authorization

After successful authentication, RADIUS determines the specific network services and resources that the device or user is permitted to access. This step enforces access control policies by assigning privileges based on roles, attributes, or predefined rules.

Accounting

RADIUS tracks and records the usage of network resources during a session, including metrics like the number of packets transmitted, bytes transferred, and session duration. This information is valuable for auditing, billing, and monitoring network activity.

Together, these AAA components provide a comprehensive framework that enhances network security and management. RADIUS leverages AAA to centralize control, making it easier for network administrators to enforce policies, monitor access, and maintain accountability across diverse network environments. This framework is widely applied in scenarios such as VPN access, wireless network authentication, and enterprise network access control.

RADIUS provides access control, privilege establishment, and activity recording. It authenticates users and facilitates communication between the Network Access Server (NAS) and the RADIUS server, ensuring that only authorized users gain access to the network.

The client/server model of RADIUS offers versatility in authentication by supporting various methods and protocols, including Password Authentication Protocol (PAP) and Extensible Authentication Protocol (EAP). This adaptability allows network administrators to select the most appropriate authentication approach for their environments. RADIUS also supports features like access server authentication and Change of Authorization (CoA), enabling dynamic adjustments to user permissions as needed.

Another vital function of RADIUS is accounting, which tracks the use of resources during a user’s session. This includes recording information such as session duration, data packets sent, and total data used, which is essential for billing and monitoring purposes. Through its integrated AAA functions, RADIUS significantly enhances network security and administrative efficiency. Now that you know what RADIUS does, let’s see how it works step by step.

How RADIUS works

RADIUS employs the User Datagram Protocol (UDP) for communication between clients and servers, enhancing transmission speed and reliability. The process involves a series of steps that ensure secure and efficient user authentication.

Radius integration

Step 1: User sends Access Request

A user attempts to connect to a network by submitting credentials, typically a username and password, through a login prompt provided by the NAS. The NAS processes these requests and generates an Access-Request packet containing the user’s details, including an encrypted password, utilizing various authentication mechanisms.
This Access-Request packet is then sent to the RADIUS server. Depending on the outcome, the RADIUS protocol can respond with Access-Accept, Access-Reject, or Challenge messages, ensuring that only authorized users gain access to the network.

Step 2: NAS forwards Request to RADIUS Server

Once the NAS receives the user’s credentials, it forwards an Access-Request containing this information to the RADIUS server. It selects the master server if available, or a backup server if necessary.
The communication between the NAS and the RADIUS server is authenticated using a shared secret, ensuring the integrity and security of the transmitted data.

Step 3: RADIUS server verifies credentials

The RADIUS server authenticates the user’s identity by checking their credentials against its records or delegating to an identity provider. If the credentials are correct, the server sends an Access-Accept response granting access according to predefined authorization attributes.
If the credentials are incorrect, the RADIUS server sends an Access-Reject message, denying access. This robust authentication process ensures that network access remains secure and controlled.

Components of RADIUS

The RADIUS protocol consists of several key components that work together to manage network access:

  • Client (NAS): The Network Access Server processes user connection requests and communicates user credentials to the RADIUS server for authentication.
  • RADIUS server: Authenticates remote users attempting to connect to corporate wireless networks or ISPs and enforces network security and access permissions.

Security mechanisms in RADIUS

RADIUS employs several security mechanisms to ensure the integrity and confidentiality of user authentication processes. One of the primary features is the use of a shared secret to authenticate the connection between the NAS and the RADIUS server. This shared secret is never transmitted over the network, adding an extra layer of security.
User passwords are encrypted during transmission to protect against interception and unauthorized access. Although RADIUS has robust security features, proper configuration is crucial to avoid vulnerabilities. Regular updates and correct implementation are necessary to maintain protocol security and protect the network from threats.

Common use cases of RADIUS

RADIUS is widely used to control user access to various network infrastructures, including routers, switches, and firewalls. It manages access across multiple network devices, ensuring that only authorized users can access critical resources.

Cloudi-Fi environments commonly use RADIUS for:

  • MAC authentication: Authenticates devices based on their MAC addresses, allowing administrators to grant or restrict access without requiring user credentials.
  • Captive portal integration: Works with captive portals to authenticate users after login or registration, granting appropriate access and enabling secure onboarding.
  • 802.1X authentication: Supports port-based network access control by authenticating devices and users before granting connectivity, ensuring strong security for wired and wireless networks.

Cloud-based RADIUS solutions also provide redundancy and scalability, enhancing reliability during high traffic events and making RADIUS a vital tool for secure and scalable network access management.

Learn more about RADIUS and Syslog servers configurations. 

Advantages and disadvantages of RADIUS

Benefits of RADIUS

  • RADIUS simplifies user management by acting as a central hub for authentication and authorization, reducing the administrative burden and ensuring consistent procedures across access points.
  • Hosted RADIUS solutions can lower costs by removing the need for upfront investment in servers or software licenses.
  • Centralized management enhances network security by consistently applying authentication and authorization procedures.
  • RADIUS also offers robust authorization through specific attributes that enable granular access control, such as the Fortinet-Group-Name or Filter-ID attributes used by FortiGate, Cisco Meraki, or Aruba devices.

Drawbacks of RADIUS

  • The configuration of RADIUS can be complex, especially during setup and integration.
  • Redundancy options like replication and clustering add management complexity. 
  • On-premises RADIUS solutions also require ongoing maintenance, which can be time-consuming for IT teams.

On-premises vs. cloud-based RADIUS

Organizations must consider the distinct features and benefits of on-premises and cloud-based RADIUS solutions when deciding on implementation.

On-premises RADIUS

Requires significant hardware, network resources, and maintenance, including regular server upkeep, hardware costs, network infrastructure expenses, electricity, and setup.
Smaller companies may find solutions like Cisco ISE costly and may seek alternatives like JumpCloud or FreeRADIUS.

Cloud-based RADIUS

Leverages modern cloud directory technologies to simplify management and reduce IT workload.
Cloud-based solutions provide cost-effective RADIUS implementations with built-in scalability and reliability. Hosted RADIUS servers allow IT administrators to configure and operate the system easily without deep RADIUS expertise.

Frequently asked questions

How does RADIUS improve network security?

RADIUS enhances network security by centralizing authentication and authorization, encrypting user passwords in transit, and ensuring data integrity through digital signatures. This approach mitigates unauthorized access risks.

What are the primary components of RADIUS?

The Network Access Server (NAS), which acts as the client, and the RADIUS server, which handles user authentication by processing connection requests and verifying credentials.

What are the advantages of cloud-based RADIUS solutions?

Cloud-based RADIUS solutions provide scalability, ease of configuration, and reduced IT workload, making them a cost-effective and efficient option for organizations.

How does RADIUS handle user authentication?

RADIUS manages authentication by validating credentials through its own records or an identity provider and issues an Access-Accept or Access-Reject message based on the result, ensuring secure network access control.

Cloudi-Fi white logo

Start your Journey with Cloudi-Fi

Get Cloudi-Fi
Cloudi-Fi white logo
Table of content
Text Link
Ready to start your success story?
See our platform in action, share your challenges, and find a solution you've been looking for.
Get Cloudi-Fi
Platform

Integrated with the best technologies on the market

Infrastructure agnostic and plug-and-play deployment: rapidly roll-out Cloudi-Fi across global sites with any infrastructure provider

Browse integrationsGet Cloudi-Fi

Cloud native, borderless, scalable and global!

Unlocking Universal Zero Trust Network Access on all continents

World map
90+
Countries
500M+
Users and devices
100k+
Secured sites
Blog

Latest news and articles

Browse all articles
Starlink integration to Cloudi-Fi
Articles
All
October 13, 2025

Internet on the edge: How Starlink and Cloudi-Fi bring controlled access to the remote world

Fortigate and Cloudi-Fi logos with captive portal on phone in the background.
Use cases
All
October 14, 2025

FortiGate and Cloudi-Fi deliver granular access control via captive portal

Success stories
All
August 1, 2025

Implementing a dynamic, compliant guest Wi-Fi solution across a global luxury fashion group

View all
Cloudi-Fi white logo

Start your journey with Cloudi-Fi

Get Cloudi-Fi
Platform

One platform for all industries

Cloudi-Fi empowers organizations with a scalable, cloud-based solution to secure users, devices and data.
Designed to integrate seamlessly into existing infrastructures.

Enterprises

Securely connect unmanaged devices across all locations from one central cloud-based platform. Cloudi-Fi simplifies Wi-Fi access and compliance with a scalable, cloud-based solution.

Learn more ->

Finance

As digital and mobile-first experiences reshape the finance industry, secure, compliant, and seamless Internet access is essential to support both customer engagement and employee productivity.

Learn more ->

Transport

Reliable Internet connectivity is vital across all transportation sectors: land, rail, air, and maritime. The Cloudi-Fi platform enables seamless, secure connectivity and dynamic bandwidth consumption management at scale.

Learn more ->

Healthcare

Cloudi-Fi delivers secure, reliable Internet access enhancing patient experience while safeguarding hospital networks and sensitive data with advanced security and seamless connectivity.

Learn more ->