¿Qué es RADIUS? Cómo los servidores RADIUS protegen las redes WiFi

Esta guía de referencia técnica autorizada explica cómo RADIUS (Remote Authentication Dial-In User Service) sustenta la seguridad de las redes WiFi empresariales a través del marco IEEE 802.1X, cubriendo la arquitectura, el despliegue y el cumplimiento normativo. Diseñada para gerentes de TI, arquitectos de red y directores de operaciones de recintos, proporciona orientación práctica sobre cómo pasar de las claves precompartidas (Pre-Shared Keys) compartidas a la autenticación por usuario con aplicación dinámica de políticas. La guía también mapea los puntos de integración de RADIUS con la plataforma de WiFi para invitados y análisis de Purple, con estudios de caso concretos de entornos de hostelería y comercio minorista.

📖 6 min de lectura📝 1,426 palabras🔧 2 ejemplos❓ 3 preguntas📚 10 términos clave

🎧 Escuchar esta guía

Ver transcripción

Welcome to the Purple Technical Briefing. I'm your host, and today we're tackling a foundational element of enterprise wireless security: RADIUS. If you're managing network architecture for a hotel chain, a retail footprint, or a large public venue, you know that handing out a single shared WiFi password simply doesn't scale. It's a security risk, it's an operational headache, and it completely blinds you to who is actually on your network. Today, we're going to break down what RADIUS is, how it secures your WiFi through the 802.1X framework, and how you should approach deploying it.

Let's start with the context. Why are we talking about RADIUS? Remote Authentication Dial-In User Service is an old protocol — it dates back to the dial-up days — but it remains the absolute bedrock of modern network access control. When you walk into a corporate office and your laptop seamlessly connects to the secure WiFi without you typing a password, that's RADIUS at work. For venue operators, moving from Pre-Shared Keys — or PSKs — to RADIUS is the transition from consumer-grade connectivity to enterprise-grade security.

So, let's dive into the technical architecture. When we talk about securing WiFi with RADIUS, we're really talking about the IEEE 802.1X standard. This framework relies on a triangle of trust. First, you have the Supplicant — that's the end-user device, the laptop or the smartphone. Second, you have the Authenticator — this is your Network Access Server, typically your wireless access point or a switch. And third, you have the Authentication Server, which is your RADIUS server.

Here is how the flow works. A device tries to connect to the WiFi. The Access Point acts as a bouncer. It blocks all network traffic except for authentication messages — specifically, Extensible Authentication Protocol, or EAP, messages. The AP takes these EAP messages from the device, wraps them up in a RADIUS packet, and sends them over UDP port 1812 to the RADIUS server. The RADIUS server then checks those credentials against your identity store — maybe that's Active Directory, LDAP, or a cloud provider like Azure AD. If the credentials check out, the RADIUS server sends an Access-Accept message back to the AP, and the bouncer lets the device onto the network.

But RADIUS isn't just about saying yes or no. It's about Authorization. That Access-Accept packet can carry Vendor-Specific Attributes, or VSAs. This is where it gets powerful. Instead of broadcasting five different WiFi networks for Staff, Management, Point of Sale, and IoT devices, you broadcast one secure SSID. When a user authenticates, the RADIUS server tells the Access Point: This is a Management user, put them on VLAN 30. Or: This is a POS device, put it on VLAN 40 with strict firewall rules. That dynamic policy enforcement is a game-changer for network design. It simplifies your RF environment, reduces interference, and gives you granular control over who can reach what.

Now, let's talk about the Accounting function of RADIUS — the third pillar of AAA. Every time a user connects and disconnects, the RADIUS server logs it. You get a full audit trail: who connected, from which device, for how long, and how much data they transferred. For compliance-conscious organisations — think PCI DSS for retail, or GDPR for any European operation — this audit trail is invaluable. It's the difference between being able to demonstrate access controls to an auditor and scrambling to explain why you have no records.

Let's move into implementation. The security of this whole setup depends entirely on the EAP method you choose. The gold standard is EAP-TLS. This uses digital certificates on both the server and the client device. There are no passwords to steal, no credentials to phish. It's incredibly secure, but it requires a solid Mobile Device Management platform to push those certificates to your corporate devices. If you have a mature Intune or Jamf deployment, EAP-TLS is the right choice for corporate-managed endpoints.

If you have BYOD devices, you might use PEAP — Protected EAP — which uses a username and password inside an encrypted TLS tunnel. It's easier to deploy, but you must ensure users are trained not to ignore certificate warnings, or they could fall victim to a rogue access point harvesting their credentials. The rule of thumb is: EAP-TLS for managed devices, PEAP for BYOD, and never use unprotected EAP methods in production.

When deploying RADIUS, high availability is critical. If your RADIUS server goes down, nobody gets on the network. You need redundancy — at minimum, a primary and a secondary server, ideally in separate data centres or availability zones. Configure every Access Point with both server addresses so it can fail over automatically. And you must watch your latency. EAP is sensitive to delays. If your APs are in Manchester and your RADIUS server is in a distant data centre, the authentication might time out before it completes. Cloud RADIUS services with global points of presence are increasingly the right answer here, particularly for organisations with distributed estates.

One more architectural consideration worth calling out: RADIUS Proxy. This is how federated identity works for WiFi. Think about eduroam — the academic roaming network — or govroam for public sector. When a user from University A visits University B, their device authenticates using their home institution's credentials. The local RADIUS server inspects the realm — the domain part of the username — and proxies the authentication request to the home institution's RADIUS server. The home server validates the credentials and returns the result. This same architecture is applicable to any multi-organisation deployment, including large enterprise estates with multiple subsidiaries.

Now, let's do a rapid-fire Q&A on the questions I get most often from clients.

Question one: Can we just use a captive portal instead of RADIUS? Answer: For guest access, a captive portal is absolutely appropriate. It's the right tool for collecting guest data, presenting terms and conditions, and enabling social login. But for staff or corporate devices, a captive portal provides no encryption over the air between the device and the access point. RADIUS, combined with WPA2-Enterprise or WPA3-Enterprise, provides per-session encryption keys. You need RADIUS for any device handling corporate data.

Question two: Why are my APs timing out when talking to the new RADIUS server? Answer: Check your Shared Secret first. The AP and the RADIUS server use a shared secret key to verify the integrity of their communications. If that key is mistyped on either side, the RADIUS server will silently drop the Access-Request packets without logging an authentication failure. The AP just sees a timeout. It's the number one configuration error in new deployments, and it's maddening to diagnose if you don't know to look for it.

Question three: We have IoT devices that don't support 802.1X. How do we handle them? Answer: This is a very common challenge. The answer is MAC Authentication Bypass, or MAB. The RADIUS server can be configured to accept a device's MAC address as its identity. It's not as secure as certificate-based auth, but it allows you to register known IoT devices and place them on a dedicated, restricted VLAN. Combine MAB with strict ACLs and network monitoring for a reasonable security posture.

To summarise everything we've covered today: RADIUS is the engine that drives 802.1X enterprise security. It moves you away from shared passwords and onto per-user, per-device identity. It enables dynamic network policies through VLAN assignment and Vendor-Specific Attributes. It provides the audit trail you need for compliance with PCI DSS and GDPR. And through proxy architectures, it enables federated identity and seamless roaming across organisational boundaries.

The investment in RADIUS infrastructure — whether that's an on-premises deployment like FreeRADIUS or Microsoft NPS, or a cloud-hosted service — pays for itself quickly in reduced helpdesk overhead, eliminated credential-sharing incidents, and the operational simplicity of managing one secure SSID instead of many. For any organisation operating at scale, RADIUS is not optional. It's foundational.

Thank you for listening to this Purple Technical Briefing. For more guides on enterprise WiFi security, including our deep-dive on WPA2 versus WPA3, visit purple dot ai.

Conclusiones clave

✓RADIUS provides centralised Authentication, Authorization, and Accounting (AAA) for network access, operating over UDP ports 1812 and 1813.
✓In WiFi networks, RADIUS operates within the IEEE 802.1X framework to replace shared Pre-Shared Keys with per-user, per-device credentials and audit trails.
✓The architecture relies on three components: the Supplicant (device), the Authenticator (AP or switch), and the Authentication Server (RADIUS server).
✓Dynamic VLAN assignment via RADIUS Vendor-Specific Attributes allows multiple user roles to securely share a single wireless SSID, simplifying the RF environment.
✓EAP-TLS offers the highest security by using mutual certificate authentication instead of passwords, eliminating credential theft and phishing vectors.
✓Deploying RADIUS is essential for meeting compliance standards including PCI DSS for retail and GDPR for any European operation handling personal data.
✓The most common deployment failure is a Shared Secret mismatch between the AP and the RADIUS server, which causes silent packet drops and AP-side timeouts.

Resumen Ejecutivo

Para los arquitectos de redes empresariales y directores de TI, asegurar el acceso inalámbrico en recintos distribuidos requiere más que una contraseña compartida. A medida que la densidad de dispositivos aumenta en los sectores de hostelería, comercio minorista y público, las limitaciones de las claves precompartidas (PSK) y los Captive Portal básicos se convierten en vulnerabilidades críticas. Remote Authentication Dial-In User Service (RADIUS) proporciona la arquitectura fundamental para una seguridad WiFi robusta y escalable.

Esta guía de referencia técnica detalla cómo RADIUS opera dentro del marco 802.1X para ofrecer autenticación por usuario, aplicación dinámica de políticas y registros de auditoría completos. Al centralizar la gestión de identidades, RADIUS permite el acceso a la red de confianza cero, mitigando los riesgos de compartir credenciales y el acceso no autorizado, al tiempo que garantiza el cumplimiento de estrictos estándares de protección de datos. Exploramos los componentes principales, las metodologías de despliegue y cómo la integración de RADIUS con plataformas como la infraestructura de Guest WiFi de Purple optimiza las operaciones al tiempo que mejora la postura de seguridad.

Análisis Técnico Detallado: Arquitectura de RADIUS y 802.1X

RADIUS es un protocolo de capa de aplicación que opera sobre UDP (tradicionalmente el puerto 1812 para autenticación y el 1813 para contabilidad) que proporciona gestión centralizada de Autenticación, Autorización y Contabilidad (AAA) para los usuarios que se conectan a un servicio de red.

Al asegurar las redes WiFi empresariales, RADIUS actúa como el servidor de autenticación dentro del marco IEEE 802.1X. Esta arquitectura consta de tres componentes principales:

El Solicitante es el dispositivo del usuario final —portátil, smartphone o dispositivo IoT— que solicita acceso a la red. El Autenticador es el Servidor de Acceso a la Red (NAS), típicamente el punto de acceso inalámbrico o switch, que bloquea todo el tráfico hasta que la autenticación es exitosa. El Servidor de Autenticación es el propio servidor RADIUS, que valida las credenciales contra un almacén de identidades como Active Directory, LDAP o un proveedor de identidad en la nube.

El Flujo de Autenticación

Cuando un dispositivo se asocia con un SSID habilitado para 802.1X, el punto de acceso restringe todo el tráfico excepto los mensajes del Protocolo de Autenticación Extensible (EAP). El Autenticador envía un paquete EAP-Request/Identity al Solicitante. El Solicitante responde con un EAP-Response/Identity, que el Autenticador encapsula en un paquete RADIUS Access-Request y reenvía al servidor RADIUS. El servidor RADIUS negocia un método EAP —como EAP-TLS o PEAP-MSCHAPv2— con el Solicitante para intercambiar credenciales de forma segura. Tras una validación exitosa contra el almacén de identidades, el servidor RADIUS devuelve un paquete RADIUS Access-Accept. Este paquete a menudo contiene Atributos Específicos del Proveedor (VSAs) que instruyen al Autenticador a aplicar políticas específicas, como asignar al usuario a una VLAN particular o aplicar límites de ancho de banda.

Métodos EAP y Postura de Seguridad

La seguridad de un despliegue RADIUS depende en gran medida del método EAP elegido. EAP-TLS (Transport Layer Security) es el estándar de oro para la seguridad empresarial. Requiere certificados tanto del servidor como del cliente, eliminando la dependencia de contraseñas y mitigando el robo de credenciales. Sin embargo, exige una robusta Infraestructura de Clave Pública (PKI) y Gestión de Dispositivos Móviles (MDM) para el aprovisionamiento de certificados. PEAP (Protected EAP) crea un túnel TLS cifrado entre el Solicitante y el servidor RADIUS, dentro del cual se produce la autenticación interna —típicamente MSCHAPv2 utilizando un nombre de usuario y contraseña—. Aunque es más fácil de desplegar que EAP-TLS, es vulnerable a la recolección de credenciales si los usuarios ignoran las advertencias de validación del certificado del servidor.

La Función de Contabilidad

Más allá de la autenticación y autorización, RADIUS proporciona registros de contabilidad detallados. Cada inicio, detención y actualización intermedia de sesión se registra, capturando la identidad del usuario, la dirección MAC del dispositivo, la duración de la sesión y los datos transferidos. Esta pista de auditoría es un requisito de cumplimiento bajo PCI DSS para entornos de Comercio Minorista y soporta las obligaciones de control de acceso de GDPR. La integración de estos datos con plataformas de WiFi Analytics extiende su valor a la inteligencia operativa.

Guía de Implementación: Despliegue de RADIUS para WiFi Empresarial

El despliegue de RADIUS requiere una planificación cuidadosa para garantizar alta disponibilidad, baja latencia y una experiencia de usuario fluida.

Arquitectura y Dimensionamiento

RADIUS es una ruta crítica para el acceso a la red. Despliegue servidores RADIUS redundantes en centros de datos geográficamente diversos o zonas de disponibilidad. Configure los Autenticadores con direcciones IP de servidores RADIUS primarios y secundarios para habilitar la conmutación por error automática. La autenticación RADIUS es sensible a la latencia —una latencia alta puede causar tiempos de espera EAP, resultando en conexiones fallidas—. Posicione los servidores RADIUS cerca del borde de la red cuando sea factible, o utilice soluciones RADIUS en la nube con puntos de presencia globales.

Integración con Almacenes de Identidad

El servidor RADIUS debe comunicarse con su fuente de verdad para la identidad del usuario. Para despliegues locales, la integración con Microsoft Active Directory a través de Network Policy Server (NPS) o FreeRADIUS con enlaces LDAP es estándar. Los despliegues modernos aprovechan cada vez más los proveedores de identidad en la nube (IdPs) como Azure AD, Okta o Google Workspace. Esto a menudo requiere desplegar un proxy RADIUS o utilizar servicios RADIUS en la nube que conectan nativamente el protocolo RADIUS con las API de SAML y OIDC.

Aplicación de Políticas y Segmentación

Aproveche los atributos RADIUS para asignar dinámicamente políticas de red basadas en la identidad del usuario o la pertenencia a grupos. En lugar de difundir múltiples SSID para diferenDiferentes grupos de usuarios — Personal, Gestión, IoT — transmiten un único SSID 802.1X. El servidor RADIUS devuelve el atributo Tunnel-Private-Group-ID para asignar al usuario a la VLAN adecuada de forma dinámica. Aplique Listas de Control de Acceso (ACLs) basadas en las respuestas de RADIUS para restringir el acceso a recursos internos sensibles, implementando el Control de Acceso Basado en Roles (RBAC) en la capa de red.

Mejores Prácticas y Cumplimiento

La implementación de RADIUS es un componente clave para alinearse con los estándares de la industria y los marcos regulatorios.

Protección de la Infraestructura RADIUS

RADIUS utiliza un secreto compartido para cifrar la comunicación entre el Autenticador y el servidor RADIUS. Utilice secretos compartidos fuertes y generados aleatoriamente — un mínimo de 32 caracteres — y rótelos periódicamente. Coloque los servidores RADIUS en una VLAN de gestión segura y aislada. Restrinja el acceso utilizando reglas estrictas de firewall, permitiendo solo UDP 1812 y 1813 de Autenticadores conocidos. Si utiliza EAP-TLS o PEAP, asegúrese de que el certificado del servidor RADIUS sea emitido por una Autoridad de Certificación (CA) de confianza para los dispositivos cliente, y supervise rigurosamente las fechas de caducidad de los certificados.

Consideraciones de Cumplimiento

Para entornos de Comercio minorista que manejan datos de tarjetas de pago, RADIUS satisface los requisitos de PCI DSS para la identificación única de usuarios y la criptografía fuerte para redes inalámbricas. Para entornos de Sanidad , RADIUS proporciona el control de acceso y la pista de auditoría requeridos bajo los marcos de protección de datos. Al proporcionar responsabilidad individual, RADIUS es compatible con los requisitos de GDPR para la seguridad de los datos y el control de acceso. La integración de RADIUS con una plataforma de WiFi Analytics permite políticas de recopilación y retención de datos conformes. Comprender la interacción entre RADIUS y los estándares de cifrado inalámbrico también es fundamental — nuestra guía WPA, WPA2 and WPA3: What's the Difference and Which Should You Use? cubre la capa de cifrado en detalle.

Resolución de Problemas y Mitigación de Riesgos

Cuando la autenticación RADIUS falla, el impacto es inmediato: los usuarios no pueden conectarse. Un enfoque sistemático para la resolución de problemas es esencial.

Desajuste del Secreto Compartido es el error de configuración más común. Si el secreto compartido en el AP no coincide con el del servidor, el servidor RADIUS descartará silenciosamente los paquetes Access-Request. El síntoma es un tiempo de espera de conexión del cliente sin registros correspondientes en el servidor RADIUS. Tiempos de Espera EAP son causados por la latencia de la red entre el AP y el servidor RADIUS, o por un servidor RADIUS sobrecargado. El síntoma es que se solicita repetidamente a los clientes sus credenciales o que no logran conectarse durante las horas pico. Problemas de Confianza del Certificado ocurren cuando el dispositivo cliente no confía en la CA que firmó el certificado del servidor RADIUS, lo que provoca la terminación de la negociación EAP. El síntoma es una advertencia de certificado en el cliente o un fallo de conexión silencioso. Fallos de Conectividad del Almacén de Identidades ocurren cuando el servidor RADIUS no puede alcanzar Active Directory o LDAP para validar las credenciales, lo que resulta en fallos de autenticación a pesar de las credenciales correctas.

Para mitigar estos riesgos, agregue los registros RADIUS en un SIEM o plataforma de registro central para monitoreo y alertas en tiempo real. Implemente sondas sintéticas que simulen continuamente autenticaciones 802.1X para detectar problemas de latencia o disponibilidad antes de que afecten a los usuarios. Para organizaciones con propiedades distribuidas, comprender cómo RADIUS encaja en la arquitectura WAN más amplia es valioso — Los Beneficios Clave de SD WAN para Empresas Modernas proporciona un contexto relevante sobre los principios de diseño de red.

ROI e Impacto Empresarial

La transición a una arquitectura 802.1X respaldada por RADIUS requiere inversión en infraestructura y configuración, pero el retorno es significativo para entornos empresariales.

Eficiencia Operativa

RADIUS elimina la necesidad de actualizar y distribuir manualmente las Claves Precompartidas cuando un empleado se va o una clave se ve comprometida. La integración con plataformas MDM permite el aprovisionamiento de certificados o perfiles sin intervención, simplificando la incorporación de dispositivos. Para los operadores de Hostelería que gestionan cientos de dispositivos de personal en múltiples propiedades, esta simplificación operativa se traduce directamente en una reducción de los gastos generales de TI. Para los centros de Transporte que gestionan miles de conexiones concurrentes, la escalabilidad de RADIUS es innegociable.

Seguridad y Análisis Mejorados

El control de acceso granular y la asignación dinámica de VLAN reducen el radio de impacto de una posible brecha al limitar el movimiento lateral. Los datos de contabilidad de RADIUS proporcionan información valiosa sobre la utilización de la red y el comportamiento del usuario. Cuando se integra con la plataforma de Purple, estos datos mejoran las capacidades analíticas, impulsando mejores decisiones operativas en todos los tipos de recintos. La combinación de autenticación segura y análisis procesables representa la propuesta de valor completa de la infraestructura WiFi empresarial.

Términos clave y definiciones

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol providing centralised Authentication, Authorization, and Accounting (AAA) management for users connecting to a network service. Operates over UDP ports 1812 (authentication) and 1813 (accounting).

The core infrastructure required to move from shared passwords to individual user identities on an enterprise WiFi network.

802.1X

An IEEE standard for port-based Network Access Control (PNAC), providing an authentication mechanism to devices wishing to attach to a LAN or WLAN. It defines the roles of Supplicant, Authenticator, and Authentication Server.

The framework that utilises RADIUS to secure enterprise wireless networks. Any enterprise WiFi deployment targeting WPA2-Enterprise or WPA3-Enterprise must implement 802.1X.

Supplicant

The client device — laptop, smartphone, or IoT device — that wishes to attach to the network and must provide credentials to the Authenticator.

The endpoint that requires configuration, often via MDM, to support the chosen EAP method and trust the RADIUS server's certificate.

Authenticator

The network device — typically a wireless Access Point or an 802.1X-capable switch — that facilitates the authentication process by relaying EAP messages between the Supplicant and the RADIUS server.

The infrastructure component that enforces the block or allow decision based on the RADIUS server's response. It is the 'bouncer' of the network.

EAP (Extensible Authentication Protocol)

An authentication framework that defines a set of negotiable authentication methods (EAP methods) used to carry credentials securely between the Supplicant and the Authentication Server.

The protocol that carries the actual authentication credentials — certificates, passwords — securely over the air within the 802.1X framework.

EAP-TLS (EAP Transport Layer Security)

An EAP method that uses mutual TLS authentication, requiring both the RADIUS server and the client device to present valid digital certificates. It eliminates password-based authentication entirely.

The most secure method for wireless authentication. Recommended for all corporate-managed devices where an MDM platform can provision client certificates.

VSA (Vendor-Specific Attribute)

Custom attributes within a RADIUS packet that allow network vendors to support proprietary or extended features beyond the standard RADIUS attribute set defined in RFC 2865.

Used extensively for advanced policy enforcement, including dynamic VLAN assignment (Tunnel-Private-Group-ID), bandwidth limits, and applying specific firewall roles to authenticated sessions.

Shared Secret

A text string known only to the Authenticator and the RADIUS server, used to verify the integrity of RADIUS packets and encrypt the password field within Access-Request packets.

A critical security parameter. A mismatch between the AP and the server causes silent packet drops and is the most common cause of authentication failure in new deployments.

NAS (Network Access Server)

The network device — typically an Access Point or switch — that acts as the Authenticator in the 802.1X framework, enforcing access control based on RADIUS decisions.

Often used interchangeably with 'Authenticator' in RADIUS documentation and vendor configuration guides.

PEAP (Protected EAP)

An EAP method that establishes an encrypted TLS tunnel between the Supplicant and the RADIUS server, within which a simpler inner authentication method (typically MSCHAPv2) is used to validate username and password credentials.

A pragmatic choice for BYOD environments where deploying client certificates is impractical. Requires strict enforcement of server certificate validation on client devices to prevent credential harvesting attacks.

Casos de éxito

A 200-room hotel needs to segment its wireless network. Currently, they use a single PSK for staff and a captive portal for guests. Staff devices — tablets for housekeeping, laptops for management — are intermingled on the same subnet. How should they redesign this using RADIUS?

Deploy a cloud-hosted RADIUS server integrated with the hotel's Azure AD. Configure the wireless access points to use 802.1X authentication pointing to the RADIUS server. In Azure AD, create security groups for 'Housekeeping' and 'Management'. On the RADIUS server, configure network policies: if the authenticating user is a member of the 'Housekeeping' group, return Access-Accept with the RADIUS attribute Tunnel-Private-Group-ID set to VLAN 20. If the user is in 'Management', return VLAN 30. Deploy MDM profiles via Intune to staff devices with EAP-TLS certificates for seamless, password-free authentication. Guest access continues via a separate SSID using Purple's captive portal for data capture and terms acceptance.

Notas de implementación: This approach eliminates the shared PSK vulnerability and automatically segments traffic based on identity, without requiring additional SSIDs. Using EAP-TLS removes the need for staff to enter passwords on shared devices, improving both user experience and security posture. The dynamic VLAN assignment simplifies the RF environment by reducing the number of broadcast SSIDs, which improves overall wireless performance. The hotel retains the guest captive portal for marketing data collection while applying enterprise-grade security to operational devices.

A retail chain with 80 stores is experiencing frequent WiFi connection drops for their handheld inventory scanners during peak holiday shopping hours. The scanners use PEAP-MSCHAPv2 against a central RADIUS server located in a regional data centre connected via a managed MPLS WAN.

Analyse RADIUS server logs to confirm EAP timeouts correlating with peak traffic periods. Measure the round-trip latency between the store APs and the RADIUS server — if this exceeds 150ms, EAP timeouts become likely. Implement local survivability at the branch level by deploying a lightweight RADIUS proxy or edge appliance at each store that caches session credentials for a defined period. Alternatively, migrate to a cloud RADIUS service with regional points of presence to reduce WAN dependency. Adjust the EAP timeout and retry parameters on the wireless controllers to accommodate the measured latency. For the longer term, evaluate migrating scanner authentication to MAC Authentication Bypass (MAB) with strict VLAN assignment, reducing the authentication overhead for non-interactive IoT devices.

Notas de implementación: Relying on a centralised RADIUS server across a high-latency WAN link is a common design flaw for time-sensitive EAP authentications, particularly for IoT and handheld devices that re-authenticate frequently. Local survivability ensures business continuity for critical operational devices even if the WAN link degrades. The MAB recommendation for scanners is appropriate because these are known, registered devices that do not require user-level identity — the security objective is device registration and VLAN placement, not user accountability.

Análisis de escenarios

Q1. Your organisation is migrating from a single PSK to 802.1X. You have a mix of corporate-owned laptops managed via Intune and employee BYOD smartphones. What EAP methods should you deploy for each device category, and what are the key configuration requirements for each?

💡 Sugerencia:Consider the certificate provisioning capabilities available for managed versus unmanaged devices, and the security trade-offs of password-based versus certificate-based authentication.

Mostrar enfoque recomendado

Deploy EAP-TLS for corporate-owned laptops, utilising Intune to silently push the required client certificates via a SCEP or PKCS profile. This eliminates password-based authentication and provides the strongest security posture. For BYOD smartphones where client certificate management is impractical, deploy PEAP-MSCHAPv2, allowing users to authenticate with their corporate username and password within a protected TLS tunnel. Critically, configure the RADIUS server to present a certificate from a well-known CA, and enforce server certificate validation on client devices via a WiFi configuration profile to prevent rogue AP attacks. Consider separating BYOD devices onto a restricted VLAN with limited access to internal resources.

Q2. After deploying a new RADIUS server for a stadium's staff WiFi, clients are failing to connect. The AP logs show 'RADIUS Server Timeout'. Network team confirms UDP 1812 is open between the APs and the RADIUS server. What is the most likely root cause, and what is your diagnostic process?

💡 Sugerencia:The RADIUS server will silently discard packets if a specific security parameter does not match, producing a timeout on the AP side with no corresponding log entry on the server.

Mostrar enfoque recomendado

The most likely cause is a Shared Secret mismatch. If the shared secret configured on the Access Point does not exactly match the shared secret configured for that AP's IP address on the RADIUS server, the server will drop the Access-Request packets without generating an authentication failure log entry. The diagnostic process is: (1) Check the RADIUS server logs — if there are zero entries for the AP's IP address, the server is discarding packets, pointing to a shared secret mismatch. (2) Verify the shared secret on both the AP and the RADIUS server client configuration, checking for trailing spaces or character encoding issues. (3) If shared secrets match, use a packet capture on the RADIUS server's network interface to confirm packets are arriving. (4) If packets arrive but are dropped, verify the AP's source IP address matches the client IP configured on the RADIUS server.

Q3. A public sector venue wants to offer seamless, secure WiFi to visitors from partner government departments, allowing them to authenticate using their home organisation's credentials without requiring a separate guest account. How does RADIUS enable this, and what are the key security considerations?

💡 Sugerencia:Think about how RADIUS requests can be forwarded between different organisations based on the identity realm, and what trust relationships must be established.

Mostrar enfoque recomendado

This is achieved using a RADIUS Proxy architecture, similar to the eduroam or govroam models. The local RADIUS server is configured as a proxy. When it receives an Access-Request, it inspects the realm — the domain portion of the username, such as user@department.gov.uk . If the realm belongs to a partner organisation, the local server forwards the Access-Request to the partner's RADIUS server over a pre-established, encrypted RADIUS proxy connection. The partner server authenticates the user against its own identity store and returns the result to the local server, which relays it to the AP. Key security considerations include: establishing formal trust agreements with each partner organisation; using RadSec (RADIUS over TLS) rather than standard UDP for proxy connections to encrypt traffic in transit; validating that the partner RADIUS server's certificate is trusted before accepting proxied responses; and defining clear policies for what network access level to grant to visiting users from each partner realm.