Networking · Security · Identity
RADIUS
Also known as: Remote Authentication Dial-In User Service
RADIUS is an authentication and authorization protocol that centrally validates credentials for network access — VPN connections, Wi-Fi authentication, switch port access via 802.1X. It's the backend that decides who gets in.
When a device tries to connect to a network via 802.1X, or a user authenticates to a VPN or Wi-Fi, something has to validate their credentials and authorize access. RADIUS is that something.
The protocol operates on a client-server model: network devices (switches, VPN gateways, Wi-Fi controllers) act as RADIUS clients, forwarding authentication requests to a central RADIUS server. The server validates credentials against a user directory (Active Directory, LDAP, JumpCloud), then returns an Accept or Reject. For 802.1X, it can also return VLAN assignment, bandwidth policy, and other attributes.
RADIUS communicates over UDP — port 1812 for authentication, 1813 for accounting. The shared secret between the RADIUS client and server protects the exchange.
Authentication methods supported by RADIUS include PAP (plaintext — avoid this), CHAP, and various EAP methods (EAP-TLS, PEAP, EAP-TTLS). For Wi-Fi and 802.1X deployments, PEAP/MSCHAPv2 or EAP-TLS are standard.
RADIUS accounting (port 1813) logs connection events — who connected when, from where, for how long. This is valuable for security auditing and incident response.
In small to mid-market environments, RADIUS is often provided by your directory service: JumpCloud has a built-in RADIUS server, and Microsoft NPS (Network Policy Server) provides RADIUS for Active Directory environments. Dedicated RADIUS appliances are also available for larger or more complex deployments.