IndexLayout.skipToMainContent
Português
Preços

RadSec: Como o RADIUS sobre TLS Melhora a Segurança da Autenticação WiFi

Esta referência técnica autoritária explica como o RadSec (RFC 6614) protege a autenticação WiFi empresarial ao encapsular o tráfego RADIUS tradicional em encriptação TLS. Concebido para gestores de TI e arquitetos de rede, abrange a arquitetura, estratégias de implementação e passos práticos para mitigar os riscos do tráfego RADIUS UDP não encriptado em redes corporativas e de convidados.

📖 4 min read📝 871 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
RadSec: How RADIUS over TLS Improves WiFi Authentication Security A Purple Enterprise WiFi Intelligence Briefing Approximate runtime: 10 minutes --- [INTRODUCTION & CONTEXT — approx. 1 minute] Welcome to the Purple Enterprise WiFi Intelligence series. I'm your host, and today we're tackling a topic that sits right at the intersection of network security and operational risk: RadSec — formally defined in RFC 6614 — and why it should be on your infrastructure roadmap if it isn't already. If you're an IT manager, network architect, or CTO responsible for enterprise WiFi across a hotel group, a retail estate, a stadium, or a public-sector campus, this briefing is for you. We're going to cover what RadSec actually is, why the traditional RADIUS protocol leaves you exposed, how to deploy RadSec in a real-world environment, and the pitfalls that catch teams out. No theory for theory's sake — just the information you need to make a decision this quarter. Let's get into it. --- [TECHNICAL DEEP-DIVE — approx. 5 minutes] So, let's start with the problem. RADIUS — Remote Authentication Dial-In User Service — has been the backbone of enterprise WiFi authentication since the 1990s. When a user or device connects to your corporate or guest WiFi, the access point acts as a RADIUS client, forwarding authentication requests to a RADIUS server, which validates credentials against your directory — Active Directory, LDAP, or a cloud identity provider — and either grants or denies access. This is the 802.1X authentication model that underpins WPA2-Enterprise and WPA3-Enterprise networks. The problem is that traditional RADIUS was designed for a different era. It runs over UDP — User Datagram Protocol — on ports 1812 and 1813. UDP is connectionless, which means there's no handshake, no session state, and critically, no native encryption. The only protection between your access point and your RADIUS server is a shared secret — essentially a password — used to obfuscate the user's password in transit using MD5 hashing. MD5, as most of you will know, is cryptographically broken. It's been broken for years. What does that mean in practice? It means that on any network segment where an attacker can intercept RADIUS traffic — and that includes compromised switches, rogue devices on your management VLAN, or any point between a remote access point and a cloud-hosted RADIUS server — they can potentially capture authentication exchanges, attempt offline dictionary attacks against the shared secret, and in some configurations, expose user credentials entirely. For a hotel group running guest WiFi across 200 properties, or a retail chain with access points in every store backhauling to a central RADIUS server over the public internet, this is not a theoretical risk. It is a live attack surface. This is exactly what RadSec solves. RadSec — defined in RFC 6614 and updated by RFC 7360 — wraps RADIUS traffic inside a TLS tunnel. Instead of UDP, it uses TCP on port 2083. Instead of a shared secret and MD5, it uses mutual TLS authentication with X.509 certificates. Both the RADIUS client and the RADIUS server present certificates, verify each other's identity, and establish an encrypted session before any authentication data is exchanged. TLS 1.3 is the current recommended version, providing forward secrecy and eliminating a range of legacy cipher vulnerabilities. The practical effect is significant. Credential data, user attributes, and session tokens are encrypted end-to-end between the access point — or a RadSec proxy — and the RADIUS server. An attacker intercepting traffic on the wire sees only encrypted TLS records. The shared secret is still present for backward compatibility, but it's no longer doing any meaningful security work — TLS is carrying the load. There's another dimension here that's increasingly relevant: roaming. The Eduroam federation, used by universities and research institutions across Europe and beyond, has been running RadSec for years as part of its inter-institutional roaming infrastructure. More recently, the Wi-Fi Alliance's OpenRoaming standard — which enables seamless WiFi roaming across participating venues — mandates RadSec for all federation traffic. If you're deploying OpenRoaming-capable infrastructure, RadSec is not optional; it's a prerequisite. Purple supports OpenRoaming under its Connect licence, acting as an identity provider within the federation, and RadSec is central to how that secure roaming fabric operates. From a compliance standpoint, RadSec is increasingly relevant to PCI DSS 4.0, which tightens requirements around the protection of authentication data in transit. If your WiFi infrastructure touches payment card environments — and in retail and hospitality, it frequently does — the encryption gap in traditional RADIUS is a finding waiting to happen. GDPR similarly requires appropriate technical measures to protect personal data; user credentials and session metadata flowing unencrypted across your network are hard to defend in a data protection audit. Now let's talk architecture. There are two primary deployment patterns for RadSec. The first is native RadSec support on your RADIUS server and access points. FreeRADIUS 3.0 and above supports RadSec natively. Microsoft NPS does not support RadSec natively as of current releases, which is a significant constraint for organisations running Windows-centric infrastructure. Cisco ISE supports RadSec. Aruba ClearPass supports RadSec. If your RADIUS server and your access point vendor both support RadSec natively, this is the cleanest path — configure TLS certificates on both ends, open TCP 2083 on your firewall, and you're encrypting RADIUS traffic end-to-end. The second pattern is a RadSec proxy. This is the more common deployment in practice, particularly for organisations with legacy RADIUS infrastructure or mixed-vendor environments. A RadSec proxy — radsecproxy is the most widely deployed open-source implementation — sits between your access points and your RADIUS server. The access points send standard RADIUS over UDP to the proxy on the local network. The proxy terminates that connection, re-encapsulates the RADIUS traffic inside a TLS tunnel, and forwards it to the upstream RADIUS server over TCP 2083. This approach lets you add RadSec to an existing infrastructure without replacing your RADIUS server, and it's particularly useful when your RADIUS server is hosted in the cloud or accessed over the public internet. Certificate management is the operational complexity you need to plan for. You'll need a PKI — Public Key Infrastructure — to issue and manage the X.509 certificates used for mutual TLS. That means a Certificate Authority, certificate issuance for each RADIUS client and server, and a process for certificate rotation before expiry. Certificates that expire unnoticed will break authentication for every user on your network simultaneously — and that is a scenario you want to avoid. Automate certificate renewal using ACME or your CA's API, and set monitoring alerts well in advance of expiry dates. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approx. 2 minutes] Let me give you the practical recommendations. First: audit before you deploy. Map every RADIUS client — access points, VPN concentrators, switches doing 802.1X — and every RADIUS server in your environment. Understand which ones support RadSec natively and which will need a proxy. This audit typically surfaces legacy devices that don't support TLS at all, and those need to be on your replacement roadmap. Second: start with the highest-risk traffic. If you have RADIUS traffic traversing the public internet — remote sites, cloud-hosted RADIUS, multi-property hotel groups — that's your first priority. Local RADIUS traffic on a well-segmented management VLAN is lower risk, but it should still be on the roadmap. Third: test mutual TLS thoroughly before go-live. The most common failure mode in RadSec deployments is certificate validation errors — mismatched Common Names, expired intermediate certificates, or clients that don't trust the CA that signed the server certificate. Use openssl s_client to test TLS handshakes before you cut over production traffic. Fourth: don't neglect monitoring. RadSec adds a TCP connection layer that traditional RADIUS doesn't have. TCP connection failures, TLS handshake timeouts, and certificate errors will manifest as authentication failures for your users. Make sure your RADIUS server logs and your proxy logs are feeding into your SIEM or monitoring platform so you can distinguish a RadSec connectivity issue from an authentication policy issue. The pitfall I see most often is organisations deploying RadSec on the server side but forgetting to update their firewall rules. TCP 2083 needs to be open between every RADIUS client and the RADIUS server or proxy. If you're used to managing UDP 1812 rules, TCP 2083 can get missed in the firewall change process. --- [RAPID-FIRE Q&A — approx. 1 minute] Let me run through a few questions I hear regularly. "Does RadSec replace 802.1X?" No. RadSec secures the transport layer between the access point and the RADIUS server. 802.1X is the authentication framework between the client device and the access point. They operate at different layers and are complementary. "Is RadSec supported on all access point vendors?" Not universally. Cisco, Aruba, Ruckus, and Meraki all have varying levels of RadSec support — check your specific firmware version. Where native support is absent, a RadSec proxy is your solution. "What about DTLS — RADIUS over DTLS?" RFC 7360 defines RADIUS over DTLS, which uses UDP rather than TCP, preserving some of the connectionless characteristics of traditional RADIUS while adding encryption. It's less widely deployed than RadSec over TLS but is worth evaluating if latency is a concern in high-throughput environments. "How does this affect roaming performance?" RadSec's TCP connection is persistent, which can actually improve roaming performance in federated environments by reducing connection setup overhead for subsequent authentication requests. --- [SUMMARY & NEXT STEPS — approx. 1 minute] To wrap up: RadSec is the mature, standards-based answer to a genuine security gap in traditional RADIUS. If you're running enterprise WiFi at scale — across multiple sites, over the internet, or in environments subject to PCI DSS or GDPR — the question isn't whether to deploy RadSec, it's when and how. Your next steps: audit your RADIUS infrastructure this week. Identify your highest-risk traffic flows. Check your RADIUS server and access point vendor documentation for native RadSec support. If you're running FreeRADIUS, you can have a test RadSec deployment running in a day. If you're on Microsoft NPS, start evaluating a proxy or a migration path to a RadSec-capable server. Purple's platform is designed to integrate with enterprise RADIUS infrastructure, supporting secure authentication flows for both corporate and guest WiFi environments. If you want to understand how RadSec fits into your specific deployment, the Purple team can walk you through it. Thanks for listening. Until next time. --- END OF SCRIPT

header_image.png

Resumo Executivo

O RADIUS tradicional sobre UDP (portas 1812/1813) não foi concebido para o panorama de ameaças empresariais moderno. Confiando apenas num segredo partilhado e no hashing MD5, deixa as credenciais de autenticação e os atributos de sessão vulneráveis à interceção, particularmente ao atravessar redes públicas ou grandes infraestruturas distribuídas como cadeias de hotelaria e retalho. O RadSec (RADIUS sobre TLS, RFC 6614) resolve esta lacuna de segurança fundamental ao encapsular o tráfego RADIUS dentro de um túnel TLS 1.3 baseado em TCP sobre a porta 2083.

Para CTOs e arquitetos de rede, a implementação do RadSec já não é apenas uma boa prática — é um requisito crítico para proteger o WiFi corporativo , manter a conformidade com o PCI DSS 4.0 e participar em frameworks de roaming federado modernos como o OpenRoaming. Este guia detalha a arquitetura, os padrões de implementação e os requisitos operacionais para proteger a sua infraestrutura de autenticação.

Análise Técnica Aprofundada: RADIUS vs. RadSec

A Vulnerabilidade no RADIUS Tradicional

Numa implementação 802.1X padrão, o ponto de acesso (autenticador) encaminha as credenciais do cliente para o servidor RADIUS (servidor de autenticação). No RADIUS tradicional, este payload é enviado sobre UDP. A única proteção é uma chave pré-partilhada (PSK) usada para ofuscar a palavra-passe via MD5.

Esta arquitetura apresenta três riscos críticos:

  1. Falta de Encriptação de Transporte: Atributos de utilizador, endereços MAC e dados de sessão são transmitidos em texto simples.
  2. Fraqueza Criptográfica: O MD5 é vulnerável a ataques de dicionário offline se um atacante capturar o tráfego.
  3. Sem Autenticação Mútua: O ponto de acesso não consegue verificar criptograficamente que está a comunicar com o servidor RADIUS legítimo, permitindo ataques de servidor malicioso.

A Arquitetura RadSec (RFC 6614)

O RadSec aborda estas falhas ao mudar a camada de transporte de UDP para TCP e ao encapsular todo o payload em TLS.

architecture_overview.png

  • Transporte: A Porta TCP 2083 garante entrega fiável e ligações com estado, melhorando o desempenho em ambientes de alta latência.
  • Encriptação: O TLS 1.2 ou 1.3 fornece encriptação robusta e de ponta a ponta de todos os atributos RADIUS.
  • Autenticação Mútua: Tanto o cliente RADIUS (ou proxy) como o servidor devem apresentar certificados X.509 válidos emitidos por uma Autoridade de Certificação (CA) fidedigna. O segredo partilhado é mantido apenas para compatibilidade retroativa; o TLS fornece a segurança real.

Esta arquitetura é essencial para ambientes distribuídos, como cadeias de Retalho ou locais de Hotelaria , onde os pontos de acesso encaminham os pedidos de autenticação pela internet pública para um servidor RADIUS central ou alojado na nuvem.

Guia de Implementação

A implementação do RadSec segue tipicamente um de dois padrões: Suporte Nativo ou Baseado em Proxy.

Padrão 1: RadSec Nativo

Se a sua infraestrutura o suportar nativamente (por exemplo, FreeRADIUS 3.0+, Cisco ISE, Aruba ClearPass), configura os certificados TLS diretamente no servidor RADIUS e nos pontos de acesso/controladores. Isto fornece uma verdadeira encriptação de ponta a ponta, da periferia ao núcleo.

Padrão 2: O Proxy RadSec

Muitos servidores RADIUS legados (notavelmente Microsoft NPS) não suportam nativamente o RadSec. Nestes ambientes, um proxy (como radsecproxy) é implementado.

  1. Segmento Local: O AP envia RADIUS UDP padrão para o proxy local.
  2. Segmento WAN: O proxy encapsula o tráfego em TLS e envia-o sobre TCP 2083 para o servidor upstream.

Este padrão permite-lhe proteger o tráfego de área alargada sem substituir a infraestrutura legada.

deployment_checklist.png

Integração com a Purple

As plataformas Guest WiFi e WiFi Analytics da Purple integram-se perfeitamente com a infraestrutura RADIUS empresarial. Sob a licença Connect, a Purple atua como um fornecedor de identidade gratuito para o OpenRoaming, onde o RadSec é um requisito obrigatório para proteger o tráfego de federação entre locais e o hub central.

Melhores Práticas

  1. Gestão do Ciclo de Vida dos Certificados: O TLS mútuo depende de certificados válidos. Implemente a renovação automatizada (por exemplo, via ACME) e monitorização rigorosa. Um certificado expirado causará uma interrupção total da autenticação.
  2. Configuração da Firewall: Certifique-se de que a porta TCP 2083 é explicitamente permitida tanto na saída do local como na entrada para o servidor RADIUS. Não assuma que as regras UDP 1812 existentes se aplicarão.
  3. Priorize o Tráfego de Alto Risco: Comece a implementação em ligações que atravessam a internet pública ou WANs não fidedignas antes de passar para as VLANs de gestão local.

Para mais informações sobre como proteger a periferia, leia o nosso guia sobre Segurança de Pontos de Acesso: O Seu Guia Empresarial para 2026 .

Resolução de Problemas e Mitigação de Riscos

Quando o RadSec falha, raramente é um problema de autenticação; é quase sempre um problema de TLS ou TCP.

  • Sintoma: Os pontos de acesso aparecem como desconectados do servidor RADIUS.
  • Verificar: Regras da firewall para TCP 2083. O RADIUS tradicional usa UDP; as equipas de rede frequentemente esquecem-se de abrir a porta TCP.
  • Sintoma: A ligação TCP estabelece, mas a autenticação falha imediatamente.
  • Verificar: Validação do certificado. Verifique se o Common Name (CN) ou Subject Alternative Name (SAN) corresponde, se o certificado não expirou e se o cliente confia na CA de assinatura. Use openssl s_client -connect :2083 para depurar o handshake.

Certifique-se de que os seus fundamentos de rede são sólidos. Reveja o nosso conselho sobre Proteja a Sua Rede com DNS e Segurança Fortes .

ROI e BuImpacto no Negócio

A implementação do RadSec é um investimento na mitigação de riscos. O ROI é medido na prevenção de violações de dados, multas de conformidade (PCI DSS, GDPR) e danos à reputação. Além disso, permite a participação em federações de roaming modernas como o OpenRoaming, o que pode melhorar significativamente a experiência do hóspede em ambientes de Saúde e Transporte .

Ouça o Briefing

Para uma análise mais aprofundada das realidades operacionais da implementação do RadSec, ouça o nosso briefing técnico de 10 minutos:

Para passos de configuração específicos em dispositivos cliente, consulte How to Set Up Enterprise WiFi on iOS and macOS with 802.1X ou a versão em português Como Configurar WiFi Corporativo em iOS e macOS com 802.1X .

Key Definitions

RadSec

An extension to the RADIUS protocol that encapsulates RADIUS traffic within a TLS tunnel over TCP port 2083.

Used to secure authentication traffic when traversing untrusted networks, preventing credential interception.

Mutual TLS (mTLS)

A security process where both the client and the server present X.509 certificates to verify each other's identity before establishing an encrypted connection.

The core authentication mechanism of RadSec, replacing reliance on static shared secrets.

802.1X

The IEEE standard for port-based network access control, used to authenticate devices attempting to connect to a LAN or WLAN.

The framework that relies on RADIUS (and by extension, RadSec) to validate user credentials against a directory.

radsecproxy

An open-source daemon that acts as a proxy, converting standard UDP RADIUS traffic into RadSec (TLS over TCP) and vice versa.

Deployed when native RadSec support is missing from access points or legacy RADIUS servers like Microsoft NPS.

OpenRoaming

A federation standard developed by the Wi-Fi Alliance that allows users to seamlessly and securely connect to participating WiFi networks globally.

OpenRoaming mandates the use of RadSec to secure authentication traffic between venues and identity providers.

Shared Secret

A static text string used in traditional RADIUS to obfuscate passwords and verify the source of requests.

While still technically present in RadSec configurations for backward compatibility, it is superseded by TLS encryption.

FreeRADIUS

A widely deployed open-source RADIUS server that provides native support for RadSec.

Often used in enterprise environments and roaming federations due to its flexibility and native TLS capabilities.

PKI (Public Key Infrastructure)

The framework of roles, policies, and software needed to create, manage, distribute, and revoke digital certificates.

A prerequisite for deploying RadSec, as you must issue and manage certificates for all RADIUS clients and servers.

Worked Examples

A 200-property hotel group uses Microsoft NPS centrally for staff authentication. Access points at each hotel currently send RADIUS requests over the public internet via UDP 1812. The CTO mandates encryption for all authentication traffic, but replacing NPS is not an option this year.

Deploy a RadSec proxy (e.g., radsecproxy) at each hotel site and a corresponding proxy in the central data centre in front of the NPS servers. The local APs send UDP RADIUS to the local proxy. The local proxy establishes a mutual TLS tunnel over TCP 2083 across the internet to the central proxy. The central proxy terminates the TLS tunnel and forwards standard UDP RADIUS to the NPS server.

Examiner's Commentary: This approach achieves the primary security goal—encrypting authentication data over the untrusted WAN—without requiring a costly and disruptive rip-and-replace of the core Microsoft NPS infrastructure. It introduces certificate management overhead for the proxies, which must be automated.

A large university is deploying OpenRoaming across its campus to allow seamless access for visiting academics. They are running FreeRADIUS 3.0.

Enable native RadSec within FreeRADIUS. Generate X.509 certificates from a CA trusted by the OpenRoaming federation. Configure the campus firewall to allow inbound and outbound TCP 2083 traffic to the federation hubs. Configure the wireless LAN controllers to use RadSec for all federation-bound authentication requests.

Examiner's Commentary: Because FreeRADIUS natively supports RadSec, no proxy is required. This is the cleanest architecture. The critical dependency here is ensuring the certificates align with the specific PKI requirements of the OpenRoaming federation.

Practice Questions

Q1. Your team has deployed native RadSec between your remote branch access points and your central FreeRADIUS server. The APs can ping the server, but authentication requests are timing out completely, and no traffic is hitting the RADIUS logs.

Hint: RadSec uses a different transport protocol and port than traditional RADIUS.

View model answer

The firewall is likely blocking TCP port 2083. Network teams accustomed to traditional RADIUS often only permit UDP ports 1812/1813. You must explicitly allow TCP 2083 outbound from the branch and inbound to the RADIUS server.

Q2. You are auditing a retail client's WiFi architecture. They use Microsoft NPS centrally. Their store APs send authentication requests over the internet via an IPsec VPN. Is RadSec required here?

Hint: Consider the layers of encryption already in place.

View model answer

While RadSec is best practice, the IPsec VPN is already providing transport layer encryption for the UDP RADIUS traffic over the untrusted internet. Deploying RadSec here would provide defence-in-depth but is less urgent than if the traffic were traversing the internet natively.

Q3. A week after a successful RadSec proxy deployment, all WiFi authentication across the enterprise fails simultaneously at 09:00 AM on a Monday. The network team confirms firewall rules are unchanged.

Hint: What is the primary authentication mechanism for the TLS tunnel itself?

View model answer

The X.509 certificates used for mutual TLS authentication have likely expired. When certificates expire, the TLS handshake fails, the TCP connection drops, and RADIUS traffic cannot flow. Implement automated certificate monitoring and rotation to prevent this.