IndexLayout.skipToMainContent
English (UK)
Pricing

RadSec: How RADIUS over TLS Improves WiFi Authentication Security

This authoritative technical reference explains how RadSec (RFC 6614) secures enterprise WiFi authentication by wrapping traditional RADIUS traffic in TLS encryption. Designed for IT managers and network architects, it covers architecture, deployment strategies, and practical steps to mitigate the risks of unencrypted UDP RADIUS traffic across corporate and guest networks.

📖 4 min read📝 871 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
RadSec: How RADIUS over TLS Improves WiFi Authentication Security A Purple Enterprise WiFi Intelligence Briefing Approximate runtime: 10 minutes --- [INTRODUCTION & CONTEXT — approx. 1 minute] Welcome to the Purple Enterprise WiFi Intelligence series. I'm your host, and today we're tackling a topic that sits right at the intersection of network security and operational risk: RadSec — formally defined in RFC 6614 — and why it should be on your infrastructure roadmap if it isn't already. If you're an IT manager, network architect, or CTO responsible for enterprise WiFi across a hotel group, a retail estate, a stadium, or a public-sector campus, this briefing is for you. We're going to cover what RadSec actually is, why the traditional RADIUS protocol leaves you exposed, how to deploy RadSec in a real-world environment, and the pitfalls that catch teams out. No theory for theory's sake — just the information you need to make a decision this quarter. Let's get into it. --- [TECHNICAL DEEP-DIVE — approx. 5 minutes] So, let's start with the problem. RADIUS — Remote Authentication Dial-In User Service — has been the backbone of enterprise WiFi authentication since the 1990s. When a user or device connects to your corporate or guest WiFi, the access point acts as a RADIUS client, forwarding authentication requests to a RADIUS server, which validates credentials against your directory — Active Directory, LDAP, or a cloud identity provider — and either grants or denies access. This is the 802.1X authentication model that underpins WPA2-Enterprise and WPA3-Enterprise networks. The problem is that traditional RADIUS was designed for a different era. It runs over UDP — User Datagram Protocol — on ports 1812 and 1813. UDP is connectionless, which means there's no handshake, no session state, and critically, no native encryption. The only protection between your access point and your RADIUS server is a shared secret — essentially a password — used to obfuscate the user's password in transit using MD5 hashing. MD5, as most of you will know, is cryptographically broken. It's been broken for years. What does that mean in practice? It means that on any network segment where an attacker can intercept RADIUS traffic — and that includes compromised switches, rogue devices on your management VLAN, or any point between a remote access point and a cloud-hosted RADIUS server — they can potentially capture authentication exchanges, attempt offline dictionary attacks against the shared secret, and in some configurations, expose user credentials entirely. For a hotel group running guest WiFi across 200 properties, or a retail chain with access points in every store backhauling to a central RADIUS server over the public internet, this is not a theoretical risk. It is a live attack surface. This is exactly what RadSec solves. RadSec — defined in RFC 6614 and updated by RFC 7360 — wraps RADIUS traffic inside a TLS tunnel. Instead of UDP, it uses TCP on port 2083. Instead of a shared secret and MD5, it uses mutual TLS authentication with X.509 certificates. Both the RADIUS client and the RADIUS server present certificates, verify each other's identity, and establish an encrypted session before any authentication data is exchanged. TLS 1.3 is the current recommended version, providing forward secrecy and eliminating a range of legacy cipher vulnerabilities. The practical effect is significant. Credential data, user attributes, and session tokens are encrypted end-to-end between the access point — or a RadSec proxy — and the RADIUS server. An attacker intercepting traffic on the wire sees only encrypted TLS records. The shared secret is still present for backward compatibility, but it's no longer doing any meaningful security work — TLS is carrying the load. There's another dimension here that's increasingly relevant: roaming. The Eduroam federation, used by universities and research institutions across Europe and beyond, has been running RadSec for years as part of its inter-institutional roaming infrastructure. More recently, the Wi-Fi Alliance's OpenRoaming standard — which enables seamless WiFi roaming across participating venues — mandates RadSec for all federation traffic. If you're deploying OpenRoaming-capable infrastructure, RadSec is not optional; it's a prerequisite. Purple supports OpenRoaming under its Connect licence, acting as an identity provider within the federation, and RadSec is central to how that secure roaming fabric operates. From a compliance standpoint, RadSec is increasingly relevant to PCI DSS 4.0, which tightens requirements around the protection of authentication data in transit. If your WiFi infrastructure touches payment card environments — and in retail and hospitality, it frequently does — the encryption gap in traditional RADIUS is a finding waiting to happen. GDPR similarly requires appropriate technical measures to protect personal data; user credentials and session metadata flowing unencrypted across your network are hard to defend in a data protection audit. Now let's talk architecture. There are two primary deployment patterns for RadSec. The first is native RadSec support on your RADIUS server and access points. FreeRADIUS 3.0 and above supports RadSec natively. Microsoft NPS does not support RadSec natively as of current releases, which is a significant constraint for organisations running Windows-centric infrastructure. Cisco ISE supports RadSec. Aruba ClearPass supports RadSec. If your RADIUS server and your access point vendor both support RadSec natively, this is the cleanest path — configure TLS certificates on both ends, open TCP 2083 on your firewall, and you're encrypting RADIUS traffic end-to-end. The second pattern is a RadSec proxy. This is the more common deployment in practice, particularly for organisations with legacy RADIUS infrastructure or mixed-vendor environments. A RadSec proxy — radsecproxy is the most widely deployed open-source implementation — sits between your access points and your RADIUS server. The access points send standard RADIUS over UDP to the proxy on the local network. The proxy terminates that connection, re-encapsulates the RADIUS traffic inside a TLS tunnel, and forwards it to the upstream RADIUS server over TCP 2083. This approach lets you add RadSec to an existing infrastructure without replacing your RADIUS server, and it's particularly useful when your RADIUS server is hosted in the cloud or accessed over the public internet. Certificate management is the operational complexity you need to plan for. You'll need a PKI — Public Key Infrastructure — to issue and manage the X.509 certificates used for mutual TLS. That means a Certificate Authority, certificate issuance for each RADIUS client and server, and a process for certificate rotation before expiry. Certificates that expire unnoticed will break authentication for every user on your network simultaneously — and that is a scenario you want to avoid. Automate certificate renewal using ACME or your CA's API, and set monitoring alerts well in advance of expiry dates. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approx. 2 minutes] Let me give you the practical recommendations. First: audit before you deploy. Map every RADIUS client — access points, VPN concentrators, switches doing 802.1X — and every RADIUS server in your environment. Understand which ones support RadSec natively and which will need a proxy. This audit typically surfaces legacy devices that don't support TLS at all, and those need to be on your replacement roadmap. Second: start with the highest-risk traffic. If you have RADIUS traffic traversing the public internet — remote sites, cloud-hosted RADIUS, multi-property hotel groups — that's your first priority. Local RADIUS traffic on a well-segmented management VLAN is lower risk, but it should still be on the roadmap. Third: test mutual TLS thoroughly before go-live. The most common failure mode in RadSec deployments is certificate validation errors — mismatched Common Names, expired intermediate certificates, or clients that don't trust the CA that signed the server certificate. Use openssl s_client to test TLS handshakes before you cut over production traffic. Fourth: don't neglect monitoring. RadSec adds a TCP connection layer that traditional RADIUS doesn't have. TCP connection failures, TLS handshake timeouts, and certificate errors will manifest as authentication failures for your users. Make sure your RADIUS server logs and your proxy logs are feeding into your SIEM or monitoring platform so you can distinguish a RadSec connectivity issue from an authentication policy issue. The pitfall I see most often is organisations deploying RadSec on the server side but forgetting to update their firewall rules. TCP 2083 needs to be open between every RADIUS client and the RADIUS server or proxy. If you're used to managing UDP 1812 rules, TCP 2083 can get missed in the firewall change process. --- [RAPID-FIRE Q&A — approx. 1 minute] Let me run through a few questions I hear regularly. "Does RadSec replace 802.1X?" No. RadSec secures the transport layer between the access point and the RADIUS server. 802.1X is the authentication framework between the client device and the access point. They operate at different layers and are complementary. "Is RadSec supported on all access point vendors?" Not universally. Cisco, Aruba, Ruckus, and Meraki all have varying levels of RadSec support — check your specific firmware version. Where native support is absent, a RadSec proxy is your solution. "What about DTLS — RADIUS over DTLS?" RFC 7360 defines RADIUS over DTLS, which uses UDP rather than TCP, preserving some of the connectionless characteristics of traditional RADIUS while adding encryption. It's less widely deployed than RadSec over TLS but is worth evaluating if latency is a concern in high-throughput environments. "How does this affect roaming performance?" RadSec's TCP connection is persistent, which can actually improve roaming performance in federated environments by reducing connection setup overhead for subsequent authentication requests. --- [SUMMARY & NEXT STEPS — approx. 1 minute] To wrap up: RadSec is the mature, standards-based answer to a genuine security gap in traditional RADIUS. If you're running enterprise WiFi at scale — across multiple sites, over the internet, or in environments subject to PCI DSS or GDPR — the question isn't whether to deploy RadSec, it's when and how. Your next steps: audit your RADIUS infrastructure this week. Identify your highest-risk traffic flows. Check your RADIUS server and access point vendor documentation for native RadSec support. If you're running FreeRADIUS, you can have a test RadSec deployment running in a day. If you're on Microsoft NPS, start evaluating a proxy or a migration path to a RadSec-capable server. Purple's platform is designed to integrate with enterprise RADIUS infrastructure, supporting secure authentication flows for both corporate and guest WiFi environments. If you want to understand how RadSec fits into your specific deployment, the Purple team can walk you through it. Thanks for listening. Until next time. --- END OF SCRIPT

header_image.png

Executive Summary

Traditional RADIUS over UDP (ports 1812/1813) was not designed for the modern enterprise threat landscape. Relying solely on a shared secret and MD5 hashing, it leaves authentication credentials and session attributes vulnerable to interception, particularly when traversing public networks or large distributed estates like hospitality and retail chains. RadSec (RADIUS over TLS, RFC 6614) solves this fundamental security gap by encapsulating RADIUS traffic within a TCP-based TLS 1.3 tunnel over port 2083.

For CTOs and network architects, deploying RadSec is no longer just a best practice—it is a critical requirement for protecting corporate wifi , maintaining PCI DSS 4.0 compliance, and participating in modern federated roaming frameworks like OpenRoaming. This guide details the architecture, implementation patterns, and operational requirements for securing your authentication infrastructure.

Technical Deep-Dive: RADIUS vs. RadSec

The Vulnerability in Traditional RADIUS

In a standard 802.1X deployment, the access point (authenticator) forwards client credentials to the RADIUS server (authentication server). In traditional RADIUS, this payload is sent over UDP. The only protection is a pre-shared key (PSK) used to obfuscate the password via MD5.

This architecture presents three critical risks:

  1. Lack of Transport Encryption: User attributes, MAC addresses, and session data are transmitted in cleartext.
  2. Cryptographic Weakness: MD5 is vulnerable to offline dictionary attacks if an attacker captures the traffic.
  3. No Mutual Authentication: The access point cannot cryptographically verify it is talking to the legitimate RADIUS server, enabling rogue server attacks.

The RadSec Architecture (RFC 6614)

RadSec addresses these flaws by shifting the transport layer from UDP to TCP and wrapping the entire payload in TLS.

architecture_overview.png

  • Transport: TCP Port 2083 ensures reliable delivery and stateful connections, improving performance in high-latency environments.
  • Encryption: TLS 1.2 or 1.3 provides robust, end-to-end encryption of all RADIUS attributes.
  • Mutual Authentication: Both the RADIUS client (or proxy) and the server must present valid X.509 certificates issued by a trusted Certificate Authority (CA). The shared secret is retained only for backward compatibility; TLS provides the actual security.

This architecture is essential for distributed environments, such as Retail chains or Hospitality venues, where access points backhaul authentication requests over the public internet to a central or cloud-hosted RADIUS server.

Implementation Guide

Deploying RadSec typically follows one of two patterns: Native Support or Proxy-based.

Pattern 1: Native RadSec

If your infrastructure supports it natively (e.g., FreeRADIUS 3.0+, Cisco ISE, Aruba ClearPass), you configure TLS certificates directly on the RADIUS server and the access points/controllers. This provides true end-to-end encryption from the edge to the core.

Pattern 2: The RadSec Proxy

Many legacy RADIUS servers (notably Microsoft NPS) do not natively support RadSec. In these environments, a proxy (such as radsecproxy) is deployed.

  1. Local Leg: The AP sends standard UDP RADIUS to the local proxy.
  2. WAN Leg: The proxy encapsulates the traffic in TLS and sends it over TCP 2083 to the upstream server.

This pattern allows you to secure wide-area traffic without replacing legacy infrastructure.

deployment_checklist.png

Integration with Purple

Purple's Guest WiFi and WiFi Analytics platforms integrate seamlessly with enterprise RADIUS infrastructure. Under the Connect licence, Purple acts as a free identity provider for OpenRoaming, where RadSec is a mandatory requirement for securing federation traffic between venues and the central hub.

Best Practices

  1. Certificate Lifecycle Management: Mutual TLS relies on valid certificates. Implement automated renewal (e.g., via ACME) and strict monitoring. An expired certificate will cause a total authentication outage.
  2. Firewall Configuration: Ensure TCP port 2083 is explicitly allowed both outbound from the venue and inbound to the RADIUS server. Do not assume existing UDP 1812 rules will apply.
  3. Prioritise High-Risk Traffic: Begin deployment on links that traverse the public internet or untrusted WANs before moving to local management VLANs.

For more on securing the edge, read our guide on Access Point Security: Your 2026 Enterprise Guide .

Troubleshooting & Risk Mitigation

When RadSec fails, it is rarely an authentication issue; it is almost always a TLS or TCP issue.

  • Symptom: Access points show as disconnected from the RADIUS server.
    • Check: Firewall rules for TCP 2083. Traditional RADIUS uses UDP; network teams frequently forget to open the TCP port.
  • Symptom: TCP connection establishes, but authentication fails immediately.
    • Check: Certificate validation. Verify that the Common Name (CN) or Subject Alternative Name (SAN) matches, the certificate has not expired, and the client trusts the signing CA. Use openssl s_client -connect :2083 to debug the handshake.

Ensure your network fundamentals are solid. Review our advice on Protect Your Network with Strong DNS and Security .

ROI & Business Impact

Implementing RadSec is a risk mitigation investment. The ROI is measured in the avoidance of data breaches, compliance fines (PCI DSS, GDPR), and reputational damage. Furthermore, it enables participation in modern roaming federations like OpenRoaming, which can significantly enhance the guest experience in Healthcare and Transport environments.

Listen to the Briefing

For a deeper dive into the operational realities of deploying RadSec, listen to our 10-minute technical briefing:

For specific configuration steps on client devices, refer to How to Set Up Enterprise WiFi on iOS and macOS with 802.1X or the Portuguese version Como Configurar WiFi Corporativo em iOS e macOS com 802.1X .

Key Definitions

RadSec

An extension to the RADIUS protocol that encapsulates RADIUS traffic within a TLS tunnel over TCP port 2083.

Used to secure authentication traffic when traversing untrusted networks, preventing credential interception.

Mutual TLS (mTLS)

A security process where both the client and the server present X.509 certificates to verify each other's identity before establishing an encrypted connection.

The core authentication mechanism of RadSec, replacing reliance on static shared secrets.

802.1X

The IEEE standard for port-based network access control, used to authenticate devices attempting to connect to a LAN or WLAN.

The framework that relies on RADIUS (and by extension, RadSec) to validate user credentials against a directory.

radsecproxy

An open-source daemon that acts as a proxy, converting standard UDP RADIUS traffic into RadSec (TLS over TCP) and vice versa.

Deployed when native RadSec support is missing from access points or legacy RADIUS servers like Microsoft NPS.

OpenRoaming

A federation standard developed by the Wi-Fi Alliance that allows users to seamlessly and securely connect to participating WiFi networks globally.

OpenRoaming mandates the use of RadSec to secure authentication traffic between venues and identity providers.

Shared Secret

A static text string used in traditional RADIUS to obfuscate passwords and verify the source of requests.

While still technically present in RadSec configurations for backward compatibility, it is superseded by TLS encryption.

FreeRADIUS

A widely deployed open-source RADIUS server that provides native support for RadSec.

Often used in enterprise environments and roaming federations due to its flexibility and native TLS capabilities.

PKI (Public Key Infrastructure)

The framework of roles, policies, and software needed to create, manage, distribute, and revoke digital certificates.

A prerequisite for deploying RadSec, as you must issue and manage certificates for all RADIUS clients and servers.

Worked Examples

A 200-property hotel group uses Microsoft NPS centrally for staff authentication. Access points at each hotel currently send RADIUS requests over the public internet via UDP 1812. The CTO mandates encryption for all authentication traffic, but replacing NPS is not an option this year.

Deploy a RadSec proxy (e.g., radsecproxy) at each hotel site and a corresponding proxy in the central data centre in front of the NPS servers. The local APs send UDP RADIUS to the local proxy. The local proxy establishes a mutual TLS tunnel over TCP 2083 across the internet to the central proxy. The central proxy terminates the TLS tunnel and forwards standard UDP RADIUS to the NPS server.

Examiner's Commentary: This approach achieves the primary security goal—encrypting authentication data over the untrusted WAN—without requiring a costly and disruptive rip-and-replace of the core Microsoft NPS infrastructure. It introduces certificate management overhead for the proxies, which must be automated.

A large university is deploying OpenRoaming across its campus to allow seamless access for visiting academics. They are running FreeRADIUS 3.0.

Enable native RadSec within FreeRADIUS. Generate X.509 certificates from a CA trusted by the OpenRoaming federation. Configure the campus firewall to allow inbound and outbound TCP 2083 traffic to the federation hubs. Configure the wireless LAN controllers to use RadSec for all federation-bound authentication requests.

Examiner's Commentary: Because FreeRADIUS natively supports RadSec, no proxy is required. This is the cleanest architecture. The critical dependency here is ensuring the certificates align with the specific PKI requirements of the OpenRoaming federation.

Practice Questions

Q1. Your team has deployed native RadSec between your remote branch access points and your central FreeRADIUS server. The APs can ping the server, but authentication requests are timing out completely, and no traffic is hitting the RADIUS logs.

Hint: RadSec uses a different transport protocol and port than traditional RADIUS.

View model answer

The firewall is likely blocking TCP port 2083. Network teams accustomed to traditional RADIUS often only permit UDP ports 1812/1813. You must explicitly allow TCP 2083 outbound from the branch and inbound to the RADIUS server.

Q2. You are auditing a retail client's WiFi architecture. They use Microsoft NPS centrally. Their store APs send authentication requests over the internet via an IPsec VPN. Is RadSec required here?

Hint: Consider the layers of encryption already in place.

View model answer

While RadSec is best practice, the IPsec VPN is already providing transport layer encryption for the UDP RADIUS traffic over the untrusted internet. Deploying RadSec here would provide defence-in-depth but is less urgent than if the traffic were traversing the internet natively.

Q3. A week after a successful RadSec proxy deployment, all WiFi authentication across the enterprise fails simultaneously at 09:00 AM on a Monday. The network team confirms firewall rules are unchanged.

Hint: What is the primary authentication mechanism for the TLS tunnel itself?

View model answer

The X.509 certificates used for mutual TLS authentication have likely expired. When certificates expire, the TLS handshake fails, the TCP connection drops, and RADIUS traffic cannot flow. Implement automated certificate monitoring and rotation to prevent this.