Understanding the RADIUS Protocol in Depth

by x32x01
The RADIUS (Remote Authentication Dial-In User Service) protocol is a networking standard used to authenticate, authorize, and account for users accessing a remote network. It’s a core component in managing secure network access across VPNs, Wi-Fi, and enterprise systems.

Today, RADIUS is the de facto industry standard for controlling remote access authentication and has been widely adopted by network vendors around the world.

The Three Core Functions of RADIUS


Authentication

Before granting access, RADIUS verifies the identity of users or devices by checking their credentials against a centralized database.

Authorization

After authentication, RADIUS determines what network services and permissions the user is allowed to use.

Accounting

RADIUS tracks session data such as connection time, data usage, and transferred packets for monitoring, billing, or analytics.



A Brief History of RADIUS

The story of RADIUS began in 1987, when the National Science Foundation (NSF) awarded Merit Network Inc. a contract to expand NSFnet - the foundation of today’s Internet.

Merit developed an early proprietary authentication protocol but needed to convert it for IP-based networks. In 1991, Livingston Enterprises proposed a protocol that met Merit’s requirements - and thus, the RADIUS protocol was born.

By 1995, RADIUS was adopted by the Internet Engineering Task Force (IETF) as the standard for remote network authentication, quickly becoming the industry favorite despite a few early security concerns.



How Does RADIUS Work?


RADIUS is based on a client-server model.
  • The RADIUS client is usually a Network Access Server (NAS) such as a router or VPN concentrator.
  • The RADIUS server runs as a background process on a UNIX or Windows system.

Typical RADIUS Authentication Flow:

  1. The user initiates a connection to the NAS.
  2. The NAS requests credentials (username/password or challenge).
  3. The RADIUS client (the NAS) sends the encrypted credentials to the RADIUS server.
  4. The RADIUS server validates them and responds with Accept, Reject, or Challenge.
  5. The NAS applies the server’s response, granting or denying access accordingly.

Officially, port 1812 is used for authentication and authorization, and port 1813 for accounting.



Authentication and Authorization with RADIUS

The RADIUS server maintains a centralized user profile database, supporting multiple authentication mechanisms such as PAP, CHAP, and EAP.

When a user attempts to log in, the NAS sends an Access-Request packet to the server containing credentials, IP address, and port info.
If credentials are valid, the server responds with an Access-Accept message, defining parameters like:
  • Service type (e.g., framed or shell)
  • Assigned IP address
  • Access control list (ACL)
  • Static routing entries

If authentication fails, an Access-Reject response is sent.

One of RADIUS’s strengths is that it combines authentication and authorization in a single process, streamlining network security.



RADIUS Accounting Explained

RADIUS is not just about access - it also handles accounting and monitoring.
When a session starts, the NAS sends an Accounting-Start packet to the RADIUS server. During the session, Interim-Update packets may be sent with live usage data, and finally, an Accounting-Stop packet marks the end of the session.

ISPs and enterprises use RADIUS accounting for:
  • Usage-based billing
  • Session auditing
  • Network performance monitoring
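For session auditing, the Start, Interim-Update and Stop records can be folded into one row per session, as in this added example (not part of the original post). Attribute names follow RFC 2866; the records, the `ts` receive-time field and the `stale_after` threshold are constructed for illustration. It flags sessions that never reported a Stop and sessions whose Start was never seen, both worth reviewing because they leave gaps in the audit trail.

```python
# Constructed sample accounting records (attribute names from RFC 2866;
# "ts" is a hypothetical receive time in seconds added by the collector).
RECORDS = [
    {"ts": 100, "Acct-Session-Id": "s1", "User-Name": "alice", "Acct-Status-Type": "Start"},
    {"ts": 400, "Acct-Session-Id": "s1", "User-Name": "alice", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 300, "Acct-Input-Octets": 5000, "Acct-Output-Octets": 20000},
    {"ts": 700, "Acct-Session-Id": "s1", "User-Name": "alice", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 600, "Acct-Input-Octets": 9000, "Acct-Output-Octets": 41000},
    {"ts": 150, "Acct-Session-Id": "s2", "User-Name": "bob", "Acct-Status-Type": "Start"},
    {"ts": 450, "Acct-Session-Id": "s2", "User-Name": "bob", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 300, "Acct-Input-Octets": 1200, "Acct-Output-Octets": 800},
    {"ts": 500, "Acct-Session-Id": "s3", "User-Name": "carol", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 60, "Acct-Input-Octets": 10, "Acct-Output-Octets": 10},
]

COUNTERS = ("Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets")


def audit_sessions(records, now, stale_after=600):
    """Fold accounting records into one summary per Acct-Session-Id and flag gaps."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        s = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec["User-Name"], "started": False, "stopped": False,
            "last_seen": rec["ts"], **{c: 0 for c in COUNTERS}})
        status = rec["Acct-Status-Type"]
        s["started"] |= status == "Start"
        s["stopped"] |= status == "Stop"
        s["last_seen"] = rec["ts"]
        for c in COUNTERS:
            # Counters are cumulative per session, so keep the highest value seen.
            s[c] = max(s[c], rec.get(c, 0))
    for s in sessions.values():
        s["flags"] = []
        if not s["started"]:
            s["flags"].append("missing-start")
        if not s["stopped"] and now - s["last_seen"] > stale_after:
            s["flags"].append("stale-no-stop")
    return sessions
```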



Limitations and Modern Challenges of RADIUS

While RADIUS has been a reliable protocol for decades, modern IT environments have evolved beyond its original design. Historically, RADIUS required on-premises infrastructure, tightly integrated with systems like Microsoft Active Directory (AD).

However, with the rise of hybrid and cloud environments, remote work, and cross-platform networks, organizations are shifting toward cloud-based IAM (Identity and Access Management) solutions.

These Cloud RADIUS services offer:
  • Secure, zero-trust access from anywhere 🌍
  • Centralized management without on-prem servers
  • Vendor-neutral, cross-platform compatibility

This cloud evolution allows companies to maintain strong authentication while reducing operational complexity and costs.



Final Thoughts

RADIUS remains a cornerstone of secure network access. By combining authentication, authorization, and accounting into a unified protocol, it provides robust access control across enterprise networks.

Although legacy RADIUS deployments are being replaced by Cloud RADIUS microservices, the core principles continue to secure modern IT systems - from corporate Wi-Fi to global VPN infrastructures.