Network Security
RADIUS
RADIUS is the Remote Authentication Dial-In User Service, a networking protocol that provides centralized authentication, authorization, and accounting for users and devices connecting to a network, widely used with enterprise Wi-Fi, VPNs, and network equipment.
In plain terms
RADIUS is the central service that says yes or no when a device tries to get onto a network. Wi-Fi access points, VPNs, and switches ask RADIUS to check the credentials and decide what the user is allowed to do. It puts access decisions in one place instead of scattering them.
RADIUS, the Remote Authentication Dial-In User Service, is a long-established protocol for centralizing network access decisions. Its name reflects its origins in dial-up remote access, but it has remained central far beyond that context. RADIUS provides three related functions often summarized as AAA: authentication, verifying who a user or device is; authorization, determining what they are permitted to do; and accounting, recording details of their session. By centralizing these functions in a server, RADIUS lets many network devices defer access decisions to a single authoritative source rather than each maintaining its own credentials and policies.
The protocol uses a client-server model in which “client” has a specific meaning. The RADIUS client is not the end user’s device but the network access device, such as a wireless access point, VPN concentrator, or switch, which receives a connection attempt and forwards the credentials to the RADIUS server. The server checks those credentials against a user database or directory, applies policy, and returns a decision: accept, reject, or a challenge for more information. If accepted, the response can also carry attributes telling the network device how to treat the session, such as which network segment to place the user in. The accounting function then logs session start, stop, and usage information.
RADIUS is the authentication server behind many common access scenarios. In enterprise Wi-Fi using 802.1X, the access point relays each user’s authentication to a RADIUS server, which is what enables per-user login rather than a shared passphrase. VPN gateways frequently use RADIUS to authenticate remote users. Network device administration can use RADIUS so that administrators log in to switches and routers with centrally managed credentials. This central role makes RADIUS a backbone of network access control, tying connectivity to verified identity and consistent policy across diverse equipment.
The centralization RADIUS provides is its principal benefit. Instead of provisioning and maintaining credentials on every access point, switch, and gateway, an organization manages identities and policy in one place, often integrated with a directory service. This makes granting and revoking access far easier, supports consistent policy enforcement, and produces centralized accounting records useful for auditing and troubleshooting. It also means that a user’s access across many devices and entry points can be governed by a single identity, which is essential for manageability at scale.
RADIUS has security characteristics that must be understood and handled. The traditional protocol has known limitations in how it protects credentials and messages: only parts of the exchange are strongly protected. For that reason RADIUS traffic is commonly carried over secure transport or within protected network segments, and modern practice increasingly uses hardened variants and transport encryption. Because the RADIUS server is the arbiter of network access, it is critical infrastructure: compromise of the server or its secrets could undermine access control broadly, and an outage can prevent legitimate users from connecting. Protecting the server, its shared secrets, and its communications is therefore essential.
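The reply carrying session attributes and the role of the shared secret, both described above, shown as an added example that is not part of the original page: how a network access device checks the RFC 2865 Response Authenticator on a server reply before trusting its attributes. The function names, shared secret, request authenticator and attribute values are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes defined in RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: encode attributes as type/length/value and sign the reply."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_response(packet, request_auth, secret):
    """Network device side: check the authenticator, then decode attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # bytes beyond Length are padding and are ignored
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return CODES.get(code, "unknown"), ident, attrs

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # the 16 bytes sent in the Access-Request
ACCEPT = build_response(2, 7, REQUEST_AUTH,  # 11 = Filter-Id, 27 = Session-Timeout
                        [(11, b"staff-segment"), (27, struct.pack("!I", 3600))], SECRET)

def is_trusted(packet, secret=SECRET):
    """True only if the reply verifies against the request and shared secret."""
    try:
        parse_response(packet, REQUEST_AUTH, secret)
        return True
    except ValueError:
        return False
```

A reply whose attribute bytes were altered in transit, or one signed with a different secret, fails the check, which is why the secret itself needs the protection described above.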
There is also a related protocol, TACACS+, often mentioned alongside RADIUS, which is more oriented toward device administration and separates the AAA functions more fully, encrypting more of the exchange. Organizations sometimes use RADIUS for network access and TACACS+ for administrative access to network devices. The existence of both reflects that centralized AAA is a general need with different emphases, and that choosing among them depends on the use case, though RADIUS remains the dominant choice for network and Wi-Fi access authentication.
In practice, RADIUS is the centralized authentication, authorization, and accounting service that lets network devices defer access decisions to a single trusted server. It underpins enterprise Wi-Fi, VPN access, and managed device administration, enabling per-identity access control and consistent policy at scale. Understanding RADIUS clarifies how the various points where users and devices connect to a network can all rely on one identity and policy source, and why protecting that server and its communications is fundamental to the security of network access.