IndexLayout.skipToMainContent
Español
Precios

RadSec: Cómo RADIUS sobre TLS mejora la seguridad de la autenticación WiFi

Esta referencia técnica autorizada explica cómo RadSec (RFC 6614) asegura la autenticación WiFi empresarial al encapsular el tráfico RADIUS tradicional en cifrado TLS. Diseñada para gerentes de IT y arquitectos de red, cubre la arquitectura, las estrategias de implementación y los pasos prácticos para mitigar los riesgos del tráfico RADIUS UDP sin cifrar en redes corporativas y de invitados.

📖 4 min read📝 871 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
RadSec: How RADIUS over TLS Improves WiFi Authentication Security A Purple Enterprise WiFi Intelligence Briefing Approximate runtime: 10 minutes --- [INTRODUCTION & CONTEXT — approx. 1 minute] Welcome to the Purple Enterprise WiFi Intelligence series. I'm your host, and today we're tackling a topic that sits right at the intersection of network security and operational risk: RadSec — formally defined in RFC 6614 — and why it should be on your infrastructure roadmap if it isn't already. If you're an IT manager, network architect, or CTO responsible for enterprise WiFi across a hotel group, a retail estate, a stadium, or a public-sector campus, this briefing is for you. We're going to cover what RadSec actually is, why the traditional RADIUS protocol leaves you exposed, how to deploy RadSec in a real-world environment, and the pitfalls that catch teams out. No theory for theory's sake — just the information you need to make a decision this quarter. Let's get into it. --- [TECHNICAL DEEP-DIVE — approx. 5 minutes] So, let's start with the problem. RADIUS — Remote Authentication Dial-In User Service — has been the backbone of enterprise WiFi authentication since the 1990s. When a user or device connects to your corporate or guest WiFi, the access point acts as a RADIUS client, forwarding authentication requests to a RADIUS server, which validates credentials against your directory — Active Directory, LDAP, or a cloud identity provider — and either grants or denies access. This is the 802.1X authentication model that underpins WPA2-Enterprise and WPA3-Enterprise networks. The problem is that traditional RADIUS was designed for a different era. It runs over UDP — User Datagram Protocol — on ports 1812 and 1813. UDP is connectionless, which means there's no handshake, no session state, and critically, no native encryption. The only protection between your access point and your RADIUS server is a shared secret — essentially a password — used to obfuscate the user's password in transit using MD5 hashing. MD5, as most of you will know, is cryptographically broken. It's been broken for years. What does that mean in practice? It means that on any network segment where an attacker can intercept RADIUS traffic — and that includes compromised switches, rogue devices on your management VLAN, or any point between a remote access point and a cloud-hosted RADIUS server — they can potentially capture authentication exchanges, attempt offline dictionary attacks against the shared secret, and in some configurations, expose user credentials entirely. For a hotel group running guest WiFi across 200 properties, or a retail chain with access points in every store backhauling to a central RADIUS server over the public internet, this is not a theoretical risk. It is a live attack surface. This is exactly what RadSec solves. RadSec — defined in RFC 6614 and updated by RFC 7360 — wraps RADIUS traffic inside a TLS tunnel. Instead of UDP, it uses TCP on port 2083. Instead of a shared secret and MD5, it uses mutual TLS authentication with X.509 certificates. Both the RADIUS client and the RADIUS server present certificates, verify each other's identity, and establish an encrypted session before any authentication data is exchanged. TLS 1.3 is the current recommended version, providing forward secrecy and eliminating a range of legacy cipher vulnerabilities. The practical effect is significant. Credential data, user attributes, and session tokens are encrypted end-to-end between the access point — or a RadSec proxy — and the RADIUS server. An attacker intercepting traffic on the wire sees only encrypted TLS records. The shared secret is still present for backward compatibility, but it's no longer doing any meaningful security work — TLS is carrying the load. There's another dimension here that's increasingly relevant: roaming. The Eduroam federation, used by universities and research institutions across Europe and beyond, has been running RadSec for years as part of its inter-institutional roaming infrastructure. More recently, the Wi-Fi Alliance's OpenRoaming standard — which enables seamless WiFi roaming across participating venues — mandates RadSec for all federation traffic. If you're deploying OpenRoaming-capable infrastructure, RadSec is not optional; it's a prerequisite. Purple supports OpenRoaming under its Connect licence, acting as an identity provider within the federation, and RadSec is central to how that secure roaming fabric operates. From a compliance standpoint, RadSec is increasingly relevant to PCI DSS 4.0, which tightens requirements around the protection of authentication data in transit. If your WiFi infrastructure touches payment card environments — and in retail and hospitality, it frequently does — the encryption gap in traditional RADIUS is a finding waiting to happen. GDPR similarly requires appropriate technical measures to protect personal data; user credentials and session metadata flowing unencrypted across your network are hard to defend in a data protection audit. Now let's talk architecture. There are two primary deployment patterns for RadSec. The first is native RadSec support on your RADIUS server and access points. FreeRADIUS 3.0 and above supports RadSec natively. Microsoft NPS does not support RadSec natively as of current releases, which is a significant constraint for organisations running Windows-centric infrastructure. Cisco ISE supports RadSec. Aruba ClearPass supports RadSec. If your RADIUS server and your access point vendor both support RadSec natively, this is the cleanest path — configure TLS certificates on both ends, open TCP 2083 on your firewall, and you're encrypting RADIUS traffic end-to-end. The second pattern is a RadSec proxy. This is the more common deployment in practice, particularly for organisations with legacy RADIUS infrastructure or mixed-vendor environments. A RadSec proxy — radsecproxy is the most widely deployed open-source implementation — sits between your access points and your RADIUS server. The access points send standard RADIUS over UDP to the proxy on the local network. The proxy terminates that connection, re-encapsulates the RADIUS traffic inside a TLS tunnel, and forwards it to the upstream RADIUS server over TCP 2083. This approach lets you add RadSec to an existing infrastructure without replacing your RADIUS server, and it's particularly useful when your RADIUS server is hosted in the cloud or accessed over the public internet. Certificate management is the operational complexity you need to plan for. You'll need a PKI — Public Key Infrastructure — to issue and manage the X.509 certificates used for mutual TLS. That means a Certificate Authority, certificate issuance for each RADIUS client and server, and a process for certificate rotation before expiry. Certificates that expire unnoticed will break authentication for every user on your network simultaneously — and that is a scenario you want to avoid. Automate certificate renewal using ACME or your CA's API, and set monitoring alerts well in advance of expiry dates. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approx. 2 minutes] Let me give you the practical recommendations. First: audit before you deploy. Map every RADIUS client — access points, VPN concentrators, switches doing 802.1X — and every RADIUS server in your environment. Understand which ones support RadSec natively and which will need a proxy. This audit typically surfaces legacy devices that don't support TLS at all, and those need to be on your replacement roadmap. Second: start with the highest-risk traffic. If you have RADIUS traffic traversing the public internet — remote sites, cloud-hosted RADIUS, multi-property hotel groups — that's your first priority. Local RADIUS traffic on a well-segmented management VLAN is lower risk, but it should still be on the roadmap. Third: test mutual TLS thoroughly before go-live. The most common failure mode in RadSec deployments is certificate validation errors — mismatched Common Names, expired intermediate certificates, or clients that don't trust the CA that signed the server certificate. Use openssl s_client to test TLS handshakes before you cut over production traffic. Fourth: don't neglect monitoring. RadSec adds a TCP connection layer that traditional RADIUS doesn't have. TCP connection failures, TLS handshake timeouts, and certificate errors will manifest as authentication failures for your users. Make sure your RADIUS server logs and your proxy logs are feeding into your SIEM or monitoring platform so you can distinguish a RadSec connectivity issue from an authentication policy issue. The pitfall I see most often is organisations deploying RadSec on the server side but forgetting to update their firewall rules. TCP 2083 needs to be open between every RADIUS client and the RADIUS server or proxy. If you're used to managing UDP 1812 rules, TCP 2083 can get missed in the firewall change process. --- [RAPID-FIRE Q&A — approx. 1 minute] Let me run through a few questions I hear regularly. "Does RadSec replace 802.1X?" No. RadSec secures the transport layer between the access point and the RADIUS server. 802.1X is the authentication framework between the client device and the access point. They operate at different layers and are complementary. "Is RadSec supported on all access point vendors?" Not universally. Cisco, Aruba, Ruckus, and Meraki all have varying levels of RadSec support — check your specific firmware version. Where native support is absent, a RadSec proxy is your solution. "What about DTLS — RADIUS over DTLS?" RFC 7360 defines RADIUS over DTLS, which uses UDP rather than TCP, preserving some of the connectionless characteristics of traditional RADIUS while adding encryption. It's less widely deployed than RadSec over TLS but is worth evaluating if latency is a concern in high-throughput environments. "How does this affect roaming performance?" RadSec's TCP connection is persistent, which can actually improve roaming performance in federated environments by reducing connection setup overhead for subsequent authentication requests. --- [SUMMARY & NEXT STEPS — approx. 1 minute] To wrap up: RadSec is the mature, standards-based answer to a genuine security gap in traditional RADIUS. If you're running enterprise WiFi at scale — across multiple sites, over the internet, or in environments subject to PCI DSS or GDPR — the question isn't whether to deploy RadSec, it's when and how. Your next steps: audit your RADIUS infrastructure this week. Identify your highest-risk traffic flows. Check your RADIUS server and access point vendor documentation for native RadSec support. If you're running FreeRADIUS, you can have a test RadSec deployment running in a day. If you're on Microsoft NPS, start evaluating a proxy or a migration path to a RadSec-capable server. Purple's platform is designed to integrate with enterprise RADIUS infrastructure, supporting secure authentication flows for both corporate and guest WiFi environments. If you want to understand how RadSec fits into your specific deployment, the Purple team can walk you through it. Thanks for listening. Until next time. --- END OF SCRIPT

header_image.png

Resumen Ejecutivo

El RADIUS tradicional sobre UDP (puertos 1812/1813) no fue diseñado para el panorama de amenazas empresarial moderno. Al depender únicamente de un secreto compartido y el hash MD5, deja las credenciales de autenticación y los atributos de sesión vulnerables a la interceptación, particularmente al atravesar redes públicas o grandes propiedades distribuidas como cadenas hoteleras y minoristas. RadSec (RADIUS sobre TLS, RFC 6614) resuelve esta brecha de seguridad fundamental al encapsular el tráfico RADIUS dentro de un túnel TLS 1.3 basado en TCP sobre el puerto 2083.

Para los CTOs y arquitectos de red, implementar RadSec ya no es solo una buena práctica, es un requisito crítico para proteger el WiFi corporativo , mantener el cumplimiento de PCI DSS 4.0 y participar en marcos modernos de roaming federado como OpenRoaming. Esta guía detalla la arquitectura, los patrones de implementación y los requisitos operativos para asegurar su infraestructura de autenticación.

Análisis Técnico Detallado: RADIUS vs. RadSec

La Vulnerabilidad en el RADIUS Tradicional

En una implementación estándar 802.1X, el punto de acceso (autenticador) reenvía las credenciales del cliente al servidor RADIUS (servidor de autenticación). En el RADIUS tradicional, esta carga útil se envía a través de UDP. La única protección es una clave precompartida (PSK) utilizada para ofuscar la contraseña mediante MD5.

Esta arquitectura presenta tres riesgos críticos:

  1. Falta de Cifrado de Transporte: Los atributos de usuario, las direcciones MAC y los datos de sesión se transmiten en texto claro.
  2. Debilidad Criptográfica: MD5 es vulnerable a ataques de diccionario offline si un atacante captura el tráfico.
  3. Sin Autenticación Mutua: El punto de acceso no puede verificar criptográficamente que está hablando con el servidor RADIUS legítimo, lo que permite ataques de servidores no autorizados.

La Arquitectura RadSec (RFC 6614)

RadSec aborda estas fallas al cambiar la capa de transporte de UDP a TCP y encapsular toda la carga útil en TLS.

architecture_overview.png

  • Transporte: El puerto TCP 2083 garantiza una entrega fiable y conexiones con estado, mejorando el rendimiento en entornos de alta latencia.
  • Cifrado: TLS 1.2 o 1.3 proporciona un cifrado robusto de extremo a extremo de todos los atributos RADIUS.
  • Autenticación Mutua: Tanto el cliente RADIUS (o proxy) como el servidor deben presentar certificados X.509 válidos emitidos por una Autoridad de Certificación (CA) de confianza. El secreto compartido se mantiene solo por compatibilidad con versiones anteriores; TLS proporciona la seguridad real.

Esta arquitectura es esencial para entornos distribuidos, como cadenas minoristas o establecimientos hoteleros , donde los puntos de acceso reenvían las solicitudes de autenticación a través de internet público a un servidor RADIUS central o alojado en la nube.

Guía de Implementación

La implementación de RadSec suele seguir uno de dos patrones: Soporte Nativo o Basado en Proxy.

Patrón 1: RadSec Nativo

Si su infraestructura lo soporta de forma nativa (p. ej., FreeRADIUS 3.0+, Cisco ISE, Aruba ClearPass), configure los certificados TLS directamente en el servidor RADIUS y en los puntos de acceso/controladores. Esto proporciona un cifrado de extremo a extremo real desde el borde hasta el núcleo.

Patrón 2: El Proxy RadSec

Muchos servidores RADIUS heredados (notablemente Microsoft NPS) no soportan RadSec de forma nativa. En estos entornos, se implementa un proxy (como radsecproxy).

  1. Tramo Local: El AP envía RADIUS UDP estándar al proxy local.
  2. Tramo WAN: El proxy encapsula el tráfico en TLS y lo envía a través de TCP 2083 al servidor ascendente.

Este patrón le permite asegurar el tráfico de área amplia sin reemplazar la infraestructura heredada.

deployment_checklist.png

Integración con Purple

Las plataformas Guest WiFi y WiFi Analytics de Purple se integran perfectamente con la infraestructura RADIUS empresarial. Bajo la licencia Connect, Purple actúa como un proveedor de identidad gratuito para OpenRoaming, donde RadSec es un requisito obligatorio para asegurar el tráfico de federación entre ubicaciones y el hub central.

Mejores Prácticas

  1. Gestión del Ciclo de Vida de los Certificados: TLS mutuo se basa en certificados válidos. Implemente la renovación automatizada (p. ej., a través de ACME) y una monitorización estricta. Un certificado caducado causará una interrupción total de la autenticación.
  2. Configuración del Firewall: Asegúrese de que el puerto TCP 2083 esté explícitamente permitido tanto saliente desde la ubicación como entrante al servidor RADIUS. No asuma que las reglas UDP 1812 existentes se aplicarán.
  3. Priorice el Tráfico de Alto Riesgo: Comience la implementación en enlaces que atraviesen internet público o WANs no confiables antes de pasar a las VLANs de gestión local.

Para más información sobre cómo asegurar el borde, lea nuestra guía sobre Seguridad del Punto de Acceso: Su Guía Empresarial 2026 .

Resolución de Problemas y Mitigación de Riesgos

Cuando RadSec falla, rara vez es un problema de autenticación; casi siempre es un problema de TLS o TCP.

  • Síntoma: Los puntos de acceso aparecen como desconectados del servidor RADIUS.
  • Verificar: Reglas del firewall para TCP 2083. El RADIUS tradicional usa UDP; los equipos de red con frecuencia olvidan abrir el puerto TCP.
  • Síntoma: La conexión TCP se establece, pero la autenticación falla inmediatamente.
  • Verificar: Validación del certificado. Verifique que el Nombre Común (CN) o el Nombre Alternativo del Sujeto (SAN) coincidan, que el certificado no haya caducado y que el cliente confíe en la CA firmante. Use openssl s_client -connect :2083 para depurar el handshake.

Asegúrese de que sus fundamentos de red sean sólidos. Revise nuestro consejo sobre Proteja su Red con un DNS y Seguridad Robustos .

ROI y BuImpacto en el Negocio

La implementación de RadSec es una inversión en mitigación de riesgos. El ROI se mide en la prevención de filtraciones de datos, multas por incumplimiento (PCI DSS, GDPR) y daño reputacional. Además, permite la participación en federaciones de roaming modernas como OpenRoaming, lo que puede mejorar significativamente la experiencia del huésped en entornos de Atención Sanitaria y Transporte .

Escuche la Sesión Informativa

Para una inmersión más profunda en las realidades operativas del despliegue de RadSec, escuche nuestra sesión informativa técnica de 10 minutos:

Para conocer los pasos de configuración específicos en dispositivos cliente, consulte Cómo configurar WiFi empresarial en iOS y macOS con 802.1X o la versión en portugués Como Configurar WiFi Corporativo em iOS e macOS com 802.1X .

Key Definitions

RadSec

An extension to the RADIUS protocol that encapsulates RADIUS traffic within a TLS tunnel over TCP port 2083.

Used to secure authentication traffic when traversing untrusted networks, preventing credential interception.

Mutual TLS (mTLS)

A security process where both the client and the server present X.509 certificates to verify each other's identity before establishing an encrypted connection.

The core authentication mechanism of RadSec, replacing reliance on static shared secrets.

802.1X

The IEEE standard for port-based network access control, used to authenticate devices attempting to connect to a LAN or WLAN.

The framework that relies on RADIUS (and by extension, RadSec) to validate user credentials against a directory.

radsecproxy

An open-source daemon that acts as a proxy, converting standard UDP RADIUS traffic into RadSec (TLS over TCP) and vice versa.

Deployed when native RadSec support is missing from access points or legacy RADIUS servers like Microsoft NPS.

OpenRoaming

A federation standard developed by the Wi-Fi Alliance that allows users to seamlessly and securely connect to participating WiFi networks globally.

OpenRoaming mandates the use of RadSec to secure authentication traffic between venues and identity providers.

Shared Secret

A static text string used in traditional RADIUS to obfuscate passwords and verify the source of requests.

While still technically present in RadSec configurations for backward compatibility, it is superseded by TLS encryption.

FreeRADIUS

A widely deployed open-source RADIUS server that provides native support for RadSec.

Often used in enterprise environments and roaming federations due to its flexibility and native TLS capabilities.

PKI (Public Key Infrastructure)

The framework of roles, policies, and software needed to create, manage, distribute, and revoke digital certificates.

A prerequisite for deploying RadSec, as you must issue and manage certificates for all RADIUS clients and servers.

Worked Examples

A 200-property hotel group uses Microsoft NPS centrally for staff authentication. Access points at each hotel currently send RADIUS requests over the public internet via UDP 1812. The CTO mandates encryption for all authentication traffic, but replacing NPS is not an option this year.

Deploy a RadSec proxy (e.g., radsecproxy) at each hotel site and a corresponding proxy in the central data centre in front of the NPS servers. The local APs send UDP RADIUS to the local proxy. The local proxy establishes a mutual TLS tunnel over TCP 2083 across the internet to the central proxy. The central proxy terminates the TLS tunnel and forwards standard UDP RADIUS to the NPS server.

Examiner's Commentary: This approach achieves the primary security goal—encrypting authentication data over the untrusted WAN—without requiring a costly and disruptive rip-and-replace of the core Microsoft NPS infrastructure. It introduces certificate management overhead for the proxies, which must be automated.

A large university is deploying OpenRoaming across its campus to allow seamless access for visiting academics. They are running FreeRADIUS 3.0.

Enable native RadSec within FreeRADIUS. Generate X.509 certificates from a CA trusted by the OpenRoaming federation. Configure the campus firewall to allow inbound and outbound TCP 2083 traffic to the federation hubs. Configure the wireless LAN controllers to use RadSec for all federation-bound authentication requests.

Examiner's Commentary: Because FreeRADIUS natively supports RadSec, no proxy is required. This is the cleanest architecture. The critical dependency here is ensuring the certificates align with the specific PKI requirements of the OpenRoaming federation.

Practice Questions

Q1. Your team has deployed native RadSec between your remote branch access points and your central FreeRADIUS server. The APs can ping the server, but authentication requests are timing out completely, and no traffic is hitting the RADIUS logs.

Hint: RadSec uses a different transport protocol and port than traditional RADIUS.

View model answer

The firewall is likely blocking TCP port 2083. Network teams accustomed to traditional RADIUS often only permit UDP ports 1812/1813. You must explicitly allow TCP 2083 outbound from the branch and inbound to the RADIUS server.

Q2. You are auditing a retail client's WiFi architecture. They use Microsoft NPS centrally. Their store APs send authentication requests over the internet via an IPsec VPN. Is RadSec required here?

Hint: Consider the layers of encryption already in place.

View model answer

While RadSec is best practice, the IPsec VPN is already providing transport layer encryption for the UDP RADIUS traffic over the untrusted internet. Deploying RadSec here would provide defence-in-depth but is less urgent than if the traffic were traversing the internet natively.

Q3. A week after a successful RadSec proxy deployment, all WiFi authentication across the enterprise fails simultaneously at 09:00 AM on a Monday. The network team confirms firewall rules are unchanged.

Hint: What is the primary authentication mechanism for the TLS tunnel itself?

View model answer

The X.509 certificates used for mutual TLS authentication have likely expired. When certificates expire, the TLS handshake fails, the TCP connection drops, and RADIUS traffic cannot flow. Implement automated certificate monitoring and rotation to prevent this.