What Is RADIUS? How RADIUS Servers Secure WiFi Networks

This authoritative technical reference guide explains how RADIUS (Remote Authentication Dial-In User Service) underpins enterprise WiFi security through the IEEE 802.1X framework, covering architecture, deployment, and compliance. Designed for IT managers, network architects, and venue operations directors, it provides actionable guidance on moving from shared Pre-Shared Keys to per-user authentication with dynamic policy enforcement. The guide also maps RADIUS integration points to Purple's guest WiFi and analytics platform, with concrete case studies from hospitality and retail environments.

📖 6 min read📝 1,426 words🔧 2 examples❓ 3 questions📚 10 key terms

🎧 Listen to this Guide

View Transcript

Welcome to the Purple Technical Briefing. I'm your host, and today we're tackling a foundational element of enterprise wireless security: RADIUS. If you're managing network architecture for a hotel chain, a retail footprint, or a large public venue, you know that handing out a single shared WiFi password simply doesn't scale. It's a security risk, it's an operational headache, and it completely blinds you to who is actually on your network. Today, we're going to break down what RADIUS is, how it secures your WiFi through the 802.1X framework, and how you should approach deploying it.

Let's start with the context. Why are we talking about RADIUS? Remote Authentication Dial-In User Service is an old protocol — it dates back to the dial-up days — but it remains the absolute bedrock of modern network access control. When you walk into a corporate office and your laptop seamlessly connects to the secure WiFi without you typing a password, that's RADIUS at work. For venue operators, moving from Pre-Shared Keys — or PSKs — to RADIUS is the transition from consumer-grade connectivity to enterprise-grade security.

So, let's dive into the technical architecture. When we talk about securing WiFi with RADIUS, we're really talking about the IEEE 802.1X standard. This framework relies on a triangle of trust. First, you have the Supplicant — that's the end-user device, the laptop or the smartphone. Second, you have the Authenticator — this is your Network Access Server, typically your wireless access point or a switch. And third, you have the Authentication Server, which is your RADIUS server.

Here is how the flow works. A device tries to connect to the WiFi. The Access Point acts as a bouncer. It blocks all network traffic except for authentication messages — specifically, Extensible Authentication Protocol, or EAP, messages. The AP takes these EAP messages from the device, wraps them up in a RADIUS packet, and sends them over UDP port 1812 to the RADIUS server. The RADIUS server then checks those credentials against your identity store — maybe that's Active Directory, LDAP, or a cloud provider like Azure AD. If the credentials check out, the RADIUS server sends an Access-Accept message back to the AP, and the bouncer lets the device onto the network.

But RADIUS isn't just about saying yes or no. It's about Authorization. That Access-Accept packet can carry Vendor-Specific Attributes, or VSAs. This is where it gets powerful. Instead of broadcasting five different WiFi networks for Staff, Management, Point of Sale, and IoT devices, you broadcast one secure SSID. When a user authenticates, the RADIUS server tells the Access Point: This is a Management user, put them on VLAN 30. Or: This is a POS device, put it on VLAN 40 with strict firewall rules. That dynamic policy enforcement is a game-changer for network design. It simplifies your RF environment, reduces interference, and gives you granular control over who can reach what.

Now, let's talk about the Accounting function of RADIUS — the third pillar of AAA. Every time a user connects and disconnects, the RADIUS server logs it. You get a full audit trail: who connected, from which device, for how long, and how much data they transferred. For compliance-conscious organisations — think PCI DSS for retail, or GDPR for any European operation — this audit trail is invaluable. It's the difference between being able to demonstrate access controls to an auditor and scrambling to explain why you have no records.

Let's move into implementation. The security of this whole setup depends entirely on the EAP method you choose. The gold standard is EAP-TLS. This uses digital certificates on both the server and the client device. There are no passwords to steal, no credentials to phish. It's incredibly secure, but it requires a solid Mobile Device Management platform to push those certificates to your corporate devices. If you have a mature Intune or Jamf deployment, EAP-TLS is the right choice for corporate-managed endpoints.

If you have BYOD devices, you might use PEAP — Protected EAP — which uses a username and password inside an encrypted TLS tunnel. It's easier to deploy, but you must ensure users are trained not to ignore certificate warnings, or they could fall victim to a rogue access point harvesting their credentials. The rule of thumb is: EAP-TLS for managed devices, PEAP for BYOD, and never use unprotected EAP methods in production.

When deploying RADIUS, high availability is critical. If your RADIUS server goes down, nobody gets on the network. You need redundancy — at minimum, a primary and a secondary server, ideally in separate data centres or availability zones. Configure every Access Point with both server addresses so it can fail over automatically. And you must watch your latency. EAP is sensitive to delays. If your APs are in Manchester and your RADIUS server is in a distant data centre, the authentication might time out before it completes. Cloud RADIUS services with global points of presence are increasingly the right answer here, particularly for organisations with distributed estates.

One more architectural consideration worth calling out: RADIUS Proxy. This is how federated identity works for WiFi. Think about eduroam — the academic roaming network — or govroam for public sector. When a user from University A visits University B, their device authenticates using their home institution's credentials. The local RADIUS server inspects the realm — the domain part of the username — and proxies the authentication request to the home institution's RADIUS server. The home server validates the credentials and returns the result. This same architecture is applicable to any multi-organisation deployment, including large enterprise estates with multiple subsidiaries.

Now, let's do a rapid-fire Q&A on the questions I get most often from clients.

Question one: Can we just use a captive portal instead of RADIUS? Answer: For guest access, a captive portal is absolutely appropriate. It's the right tool for collecting guest data, presenting terms and conditions, and enabling social login. But for staff or corporate devices, a captive portal provides no encryption over the air between the device and the access point. RADIUS, combined with WPA2-Enterprise or WPA3-Enterprise, provides per-session encryption keys. You need RADIUS for any device handling corporate data.

Question two: Why are my APs timing out when talking to the new RADIUS server? Answer: Check your Shared Secret first. The AP and the RADIUS server use a shared secret key to verify the integrity of their communications. If that key is mistyped on either side, the RADIUS server will silently drop the Access-Request packets without logging an authentication failure. The AP just sees a timeout. It's the number one configuration error in new deployments, and it's maddening to diagnose if you don't know to look for it.

Question three: We have IoT devices that don't support 802.1X. How do we handle them? Answer: This is a very common challenge. The answer is MAC Authentication Bypass, or MAB. The RADIUS server can be configured to accept a device's MAC address as its identity. It's not as secure as certificate-based auth, but it allows you to register known IoT devices and place them on a dedicated, restricted VLAN. Combine MAB with strict ACLs and network monitoring for a reasonable security posture.

To summarise everything we've covered today: RADIUS is the engine that drives 802.1X enterprise security. It moves you away from shared passwords and onto per-user, per-device identity. It enables dynamic network policies through VLAN assignment and Vendor-Specific Attributes. It provides the audit trail you need for compliance with PCI DSS and GDPR. And through proxy architectures, it enables federated identity and seamless roaming across organisational boundaries.

The investment in RADIUS infrastructure — whether that's an on-premises deployment like FreeRADIUS or Microsoft NPS, or a cloud-hosted service — pays for itself quickly in reduced helpdesk overhead, eliminated credential-sharing incidents, and the operational simplicity of managing one secure SSID instead of many. For any organisation operating at scale, RADIUS is not optional. It's foundational.

Thank you for listening to this Purple Technical Briefing. For more guides on enterprise WiFi security, including our deep-dive on WPA2 versus WPA3, visit purple dot ai.

Key Takeaways

✓RADIUS provides centralised Authentication, Authorization, and Accounting (AAA) for network access, operating over UDP ports 1812 and 1813.
✓In WiFi networks, RADIUS operates within the IEEE 802.1X framework to replace shared Pre-Shared Keys with per-user, per-device credentials and audit trails.
✓The architecture relies on three components: the Supplicant (device), the Authenticator (AP or switch), and the Authentication Server (RADIUS server).
✓Dynamic VLAN assignment via RADIUS Vendor-Specific Attributes allows multiple user roles to securely share a single wireless SSID, simplifying the RF environment.
✓EAP-TLS offers the highest security by using mutual certificate authentication instead of passwords, eliminating credential theft and phishing vectors.
✓Deploying RADIUS is essential for meeting compliance standards including PCI DSS for retail and GDPR for any European operation handling personal data.
✓The most common deployment failure is a Shared Secret mismatch between the AP and the RADIUS server, which causes silent packet drops and AP-side timeouts.

Executive Summary

For enterprise network architects and IT directors, securing wireless access across distributed venues requires more than a shared password. As device density scales across hospitality, retail, and public sectors, the limitations of Pre-Shared Keys (PSK) and basic captive portals become critical vulnerabilities. Remote Authentication Dial-In User Service (RADIUS) provides the foundational architecture for robust, scalable WiFi security.

This technical reference guide details how RADIUS operates within the 802.1X framework to deliver per-user authentication, dynamic policy enforcement, and comprehensive audit trails. By centralising identity management, RADIUS enables zero-trust network access, mitigating the risks of credential sharing and unauthorised access while ensuring compliance with stringent data protection standards. We explore the core components, deployment methodologies, and how integrating RADIUS with platforms like Purple's Guest WiFi infrastructure streamlines operations while enhancing security posture.

Technical Deep-Dive: RADIUS and 802.1X Architecture

RADIUS is an application-layer protocol operating over UDP (traditionally port 1812 for authentication and 1813 for accounting) that provides centralised Authentication, Authorisation, and Accounting (AAA) management for users connecting to a network service.

When securing enterprise WiFi, RADIUS acts as the authentication server within the IEEE 802.1X framework. This architecture consists of three primary components:

The Supplicant is the end-user device — laptop, smartphone, or IoT device — requesting network access. The Authenticator is the Network Access Server (NAS), typically the wireless access point or switch, which blocks all traffic until authentication is successful. The Authentication Server is the RADIUS server itself, which validates credentials against an identity store such as Active Directory, LDAP, or a cloud identity provider.

The Authentication Flow

When a device associates with an 802.1X-enabled SSID, the access point restricts all traffic except Extensible Authentication Protocol (EAP) messages. The Authenticator sends an EAP-Request/Identity packet to the Supplicant. The Supplicant responds with an EAP-Response/Identity, which the Authenticator encapsulates into a RADIUS Access-Request packet and forwards to the RADIUS server. The RADIUS server negotiates an EAP method — such as EAP-TLS or PEAP-MSCHAPv2 — with the Supplicant to securely exchange credentials. Upon successful validation against the identity store, the RADIUS server returns a RADIUS Access-Accept packet. This packet often contains Vendor-Specific Attributes (VSAs) that instruct the Authenticator to apply specific policies, such as assigning the user to a particular VLAN or applying bandwidth limits.

EAP Methods and Security Posture

The security of a RADIUS deployment relies heavily on the chosen EAP method. EAP-TLS (Transport Layer Security) is the gold standard for enterprise security. It requires both server and client certificates, eliminating the reliance on passwords and mitigating credential theft. However, it demands a robust Public Key Infrastructure (PKI) and Mobile Device Management (MDM) for certificate provisioning. PEAP (Protected EAP) creates an encrypted TLS tunnel between the Supplicant and the RADIUS server, within which inner authentication — typically MSCHAPv2 using a username and password — occurs. While easier to deploy than EAP-TLS, it is vulnerable to credential harvesting if users bypass server certificate validation warnings.

The Accounting Function

Beyond authentication and authorisation, RADIUS provides detailed accounting records. Every session start, stop, and interim update is logged — capturing the user identity, device MAC address, session duration, and data transferred. This audit trail is a compliance requirement under PCI DSS for Retail environments and supports GDPR access control obligations. Integrating this data with WiFi Analytics platforms extends its value into operational intelligence.

Implementation Guide: Deploying RADIUS for Enterprise WiFi

Deploying RADIUS requires careful planning to ensure high availability, low latency, and a seamless user experience.

Architecture and Sizing

RADIUS is a critical path for network access. Deploy redundant RADIUS servers across geographically diverse data centres or availability zones. Configure Authenticators with primary and secondary RADIUS server IP addresses to enable automatic failover. RADIUS authentication is sensitive to latency — high latency can cause EAP timeouts, resulting in failed connections. Position RADIUS servers close to the network edge where feasible, or utilise cloud RADIUS solutions with global points of presence.

Integration with Identity Stores

The RADIUS server must communicate with your source of truth for user identity. For on-premises deployments, integration with Microsoft Active Directory via Network Policy Server (NPS) or FreeRADIUS with LDAP bindings is standard. Modern deployments increasingly leverage cloud identity providers (IdPs) like Azure AD, Okta, or Google Workspace. This often requires deploying a RADIUS proxy or utilising cloud RADIUS services that natively bridge the RADIUS protocol to SAML and OIDC APIs.

Policy Enforcement and Segmentation

Leverage RADIUS attributes to dynamically assign network policies based on user identity or group membership. Rather than broadcasting multiple SSIDs for diffesegment user groups — Staff, Management, IoT — broadcast a single 802.1X SSID. The RADIUS server returns the Tunnel-Private-Group-ID attribute to assign the user to the appropriate VLAN dynamically. Apply Access Control Lists (ACLs) based on RADIUS responses to restrict access to sensitive internal resources, implementing Role-Based Access Control (RBAC) at the network layer.

Best Practices and Compliance

Implementing RADIUS is a key component of aligning with industry standards and regulatory frameworks.

Securing the RADIUS Infrastructure

RADIUS uses a shared secret to encrypt communication between the Authenticator and the RADIUS server. Use strong, randomly generated shared secrets — a minimum of 32 characters — and rotate them periodically. Place RADIUS servers in a secure, isolated management VLAN. Restrict access using strict firewall rules, allowing only UDP 1812 and 1813 from known Authenticators. If using EAP-TLS or PEAP, ensure the RADIUS server certificate is issued by a Certificate Authority (CA) trusted by client devices, and monitor certificate expiration dates rigorously.

Compliance Considerations

For Retail environments handling payment card data, RADIUS satisfies PCI DSS requirements for unique user identification and strong cryptography for wireless networks. For Healthcare environments, RADIUS provides the access control and audit trail required under data protection frameworks. By providing individual accountability, RADIUS supports GDPR requirements for data security and access control. Integrating RADIUS with a WiFi Analytics platform allows for compliant data collection and retention policies. Understanding the interplay between RADIUS and wireless encryption standards is also critical — our guide WPA, WPA2 and WPA3: What's the Difference and Which Should You Use? covers the encryption layer in detail.

Troubleshooting & Risk Mitigation

When RADIUS authentication fails, the impact is immediate: users cannot connect. A systematic troubleshooting approach is essential.

Shared Secret Mismatch is the most common configuration error. If the shared secret on the AP does not match the server, the RADIUS server will silently drop the Access-Request packets. The symptom is a client connection timeout with no corresponding logs on the RADIUS server. EAP Timeouts are caused by network latency between the AP and the RADIUS server, or an overloaded RADIUS server. The symptom is clients being repeatedly prompted for credentials or failing to connect during peak times. Certificate Trust Issues occur when the client device does not trust the CA that signed the RADIUS server certificate, causing the EAP negotiation to terminate. The symptom is a certificate warning on the client or a silent connection failure. Identity Store Connectivity failures occur when the RADIUS server cannot reach Active Directory or LDAP to validate credentials, resulting in authentication failures despite correct credentials.

To mitigate these risks, aggregate RADIUS logs into a SIEM or central logging platform for real-time monitoring and alerting. Deploy synthetic probes that continuously simulate 802.1X authentications to detect latency or availability issues before they impact users. For organisations with distributed estates, understanding how RADIUS fits into the broader WAN architecture is valuable — The Core SD WAN Benefits for Modern Businesses provides relevant context on network design principles.

ROI & Business Impact

Transitioning to a RADIUS-backed 802.1X architecture requires investment in infrastructure and configuration, but the return is significant for enterprise environments.

Operational Efficiency

RADIUS eliminates the need to manually update and distribute Pre-Shared Keys when an employee leaves or a key is compromised. Integration with MDM platforms allows for zero-touch provisioning of certificates or profiles, simplifying device onboarding. For Hospitality operators managing hundreds of staff devices across multiple properties, this operational simplification translates directly to reduced IT overheads. For Transport hubs managing thousands of concurrent connections, the scalability of RADIUS is non-negotiable.

Enhanced Security and Analytics

Granular access control and dynamic VLAN assignment reduce the blast radius of a potential breach by limiting lateral movement. RADIUS accounting data provides rich insights into network utilisation and user behaviour. When integrated with Purple's platform, this data enhances analytics capabilities, driving better operational decisions across venue types. The combination of secure authentication and actionable analytics represents the full value proposition of enterprise WiFi infrastructure.

Key Terms & Definitions

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol providing centralised Authentication, Authorization, and Accounting (AAA) management for users connecting to a network service. Operates over UDP ports 1812 (authentication) and 1813 (accounting).

The core infrastructure required to move from shared passwords to individual user identities on an enterprise WiFi network.

802.1X

An IEEE standard for port-based Network Access Control (PNAC), providing an authentication mechanism to devices wishing to attach to a LAN or WLAN. It defines the roles of Supplicant, Authenticator, and Authentication Server.

The framework that utilises RADIUS to secure enterprise wireless networks. Any enterprise WiFi deployment targeting WPA2-Enterprise or WPA3-Enterprise must implement 802.1X.

Supplicant

The client device — laptop, smartphone, or IoT device — that wishes to attach to the network and must provide credentials to the Authenticator.

The endpoint that requires configuration, often via MDM, to support the chosen EAP method and trust the RADIUS server's certificate.

Authenticator

The network device — typically a wireless Access Point or an 802.1X-capable switch — that facilitates the authentication process by relaying EAP messages between the Supplicant and the RADIUS server.

The infrastructure component that enforces the block or allow decision based on the RADIUS server's response. It is the 'bouncer' of the network.

EAP (Extensible Authentication Protocol)

An authentication framework that defines a set of negotiable authentication methods (EAP methods) used to carry credentials securely between the Supplicant and the Authentication Server.

The protocol that carries the actual authentication credentials — certificates, passwords — securely over the air within the 802.1X framework.

EAP-TLS (EAP Transport Layer Security)

An EAP method that uses mutual TLS authentication, requiring both the RADIUS server and the client device to present valid digital certificates. It eliminates password-based authentication entirely.

The most secure method for wireless authentication. Recommended for all corporate-managed devices where an MDM platform can provision client certificates.

VSA (Vendor-Specific Attribute)

Custom attributes within a RADIUS packet that allow network vendors to support proprietary or extended features beyond the standard RADIUS attribute set defined in RFC 2865.

Used extensively for advanced policy enforcement, including dynamic VLAN assignment (Tunnel-Private-Group-ID), bandwidth limits, and applying specific firewall roles to authenticated sessions.

Shared Secret

A text string known only to the Authenticator and the RADIUS server, used to verify the integrity of RADIUS packets and encrypt the password field within Access-Request packets.

A critical security parameter. A mismatch between the AP and the server causes silent packet drops and is the most common cause of authentication failure in new deployments.

NAS (Network Access Server)

The network device — typically an Access Point or switch — that acts as the Authenticator in the 802.1X framework, enforcing access control based on RADIUS decisions.

Often used interchangeably with 'Authenticator' in RADIUS documentation and vendor configuration guides.

PEAP (Protected EAP)

An EAP method that establishes an encrypted TLS tunnel between the Supplicant and the RADIUS server, within which a simpler inner authentication method (typically MSCHAPv2) is used to validate username and password credentials.

A pragmatic choice for BYOD environments where deploying client certificates is impractical. Requires strict enforcement of server certificate validation on client devices to prevent credential harvesting attacks.

Case Studies

A 200-room hotel needs to segment its wireless network. Currently, they use a single PSK for staff and a captive portal for guests. Staff devices — tablets for housekeeping, laptops for management — are intermingled on the same subnet. How should they redesign this using RADIUS?

Deploy a cloud-hosted RADIUS server integrated with the hotel's Azure AD. Configure the wireless access points to use 802.1X authentication pointing to the RADIUS server. In Azure AD, create security groups for 'Housekeeping' and 'Management'. On the RADIUS server, configure network policies: if the authenticating user is a member of the 'Housekeeping' group, return Access-Accept with the RADIUS attribute Tunnel-Private-Group-ID set to VLAN 20. If the user is in 'Management', return VLAN 30. Deploy MDM profiles via Intune to staff devices with EAP-TLS certificates for seamless, password-free authentication. Guest access continues via a separate SSID using Purple's captive portal for data capture and terms acceptance.

Implementation Notes: This approach eliminates the shared PSK vulnerability and automatically segments traffic based on identity, without requiring additional SSIDs. Using EAP-TLS removes the need for staff to enter passwords on shared devices, improving both user experience and security posture. The dynamic VLAN assignment simplifies the RF environment by reducing the number of broadcast SSIDs, which improves overall wireless performance. The hotel retains the guest captive portal for marketing data collection while applying enterprise-grade security to operational devices.

A retail chain with 80 stores is experiencing frequent WiFi connection drops for their handheld inventory scanners during peak holiday shopping hours. The scanners use PEAP-MSCHAPv2 against a central RADIUS server located in a regional data centre connected via a managed MPLS WAN.

Analyse RADIUS server logs to confirm EAP timeouts correlating with peak traffic periods. Measure the round-trip latency between the store APs and the RADIUS server — if this exceeds 150ms, EAP timeouts become likely. Implement local survivability at the branch level by deploying a lightweight RADIUS proxy or edge appliance at each store that caches session credentials for a defined period. Alternatively, migrate to a cloud RADIUS service with regional points of presence to reduce WAN dependency. Adjust the EAP timeout and retry parameters on the wireless controllers to accommodate the measured latency. For the longer term, evaluate migrating scanner authentication to MAC Authentication Bypass (MAB) with strict VLAN assignment, reducing the authentication overhead for non-interactive IoT devices.

Implementation Notes: Relying on a centralised RADIUS server across a high-latency WAN link is a common design flaw for time-sensitive EAP authentications, particularly for IoT and handheld devices that re-authenticate frequently. Local survivability ensures business continuity for critical operational devices even if the WAN link degrades. The MAB recommendation for scanners is appropriate because these are known, registered devices that do not require user-level identity — the security objective is device registration and VLAN placement, not user accountability.

Scenario Analysis

Q1. Your organisation is migrating from a single PSK to 802.1X. You have a mix of corporate-owned laptops managed via Intune and employee BYOD smartphones. What EAP methods should you deploy for each device category, and what are the key configuration requirements for each?

💡 Hint:Consider the certificate provisioning capabilities available for managed versus unmanaged devices, and the security trade-offs of password-based versus certificate-based authentication.

Show Recommended Approach

Deploy EAP-TLS for corporate-owned laptops, utilising Intune to silently push the required client certificates via a SCEP or PKCS profile. This eliminates password-based authentication and provides the strongest security posture. For BYOD smartphones where client certificate management is impractical, deploy PEAP-MSCHAPv2, allowing users to authenticate with their corporate username and password within a protected TLS tunnel. Critically, configure the RADIUS server to present a certificate from a well-known CA, and enforce server certificate validation on client devices via a WiFi configuration profile to prevent rogue AP attacks. Consider separating BYOD devices onto a restricted VLAN with limited access to internal resources.

Q2. After deploying a new RADIUS server for a stadium's staff WiFi, clients are failing to connect. The AP logs show 'RADIUS Server Timeout'. Network team confirms UDP 1812 is open between the APs and the RADIUS server. What is the most likely root cause, and what is your diagnostic process?

💡 Hint:The RADIUS server will silently discard packets if a specific security parameter does not match, producing a timeout on the AP side with no corresponding log entry on the server.

Show Recommended Approach

The most likely cause is a Shared Secret mismatch. If the shared secret configured on the Access Point does not exactly match the shared secret configured for that AP's IP address on the RADIUS server, the server will drop the Access-Request packets without generating an authentication failure log entry. The diagnostic process is: (1) Check the RADIUS server logs — if there are zero entries for the AP's IP address, the server is discarding packets, pointing to a shared secret mismatch. (2) Verify the shared secret on both the AP and the RADIUS server client configuration, checking for trailing spaces or character encoding issues. (3) If shared secrets match, use a packet capture on the RADIUS server's network interface to confirm packets are arriving. (4) If packets arrive but are dropped, verify the AP's source IP address matches the client IP configured on the RADIUS server.

Q3. A public sector venue wants to offer seamless, secure WiFi to visitors from partner government departments, allowing them to authenticate using their home organisation's credentials without requiring a separate guest account. How does RADIUS enable this, and what are the key security considerations?

💡 Hint:Think about how RADIUS requests can be forwarded between different organisations based on the identity realm, and what trust relationships must be established.

Show Recommended Approach

This is achieved using a RADIUS Proxy architecture, similar to the eduroam or govroam models. The local RADIUS server is configured as a proxy. When it receives an Access-Request, it inspects the realm — the domain portion of the username, such as user@department.gov.uk . If the realm belongs to a partner organisation, the local server forwards the Access-Request to the partner's RADIUS server over a pre-established, encrypted RADIUS proxy connection. The partner server authenticates the user against its own identity store and returns the result to the local server, which relays it to the AP. Key security considerations include: establishing formal trust agreements with each partner organisation; using RadSec (RADIUS over TLS) rather than standard UDP for proxy connections to encrypt traffic in transit; validating that the partner RADIUS server's certificate is trusted before accepting proxied responses; and defining clear policies for what network access level to grant to visiting users from each partner realm.