RadSec vs RADIUS: What’s the difference?
RADIUS and RadSec are both used in 802.11X authentication but are matter-of-factly different. In this article, we’ll explain what the two are and how they work concurrently for certificate-based authentication.
SecureW2’s Cloud RADIUS comes with built-in RadSec capabilities and an industry-exclusive dynamic policy engine. Read about how one of our customers switched from their on-prem AD servers to a full cloud infrastructure without any forklift upgrades.
What is RADIUS?
A RADIUS server essentially acts as the “security guard” of an 802.1X network; as users connect to the network, the RADIUS authenticates their identity and authorizes them for network use. A user becomes authorized for network access after enrolling for a certificate from the PKI (Private Key Infrastructure) or confirming their credentials.
Each time the user connects, the RADIUS confirms they have the correct certificate or credentials and prevents any unapproved users from accessing the network.
RADIUS servers can also be used to authenticate users from different organizations. Solutions like Eduroam have RADIUS servers working as proxies (such as RADSEC) so that if a student visits a neighboring university, the RADIUS server can authenticate their status at their home university and grant them secure network access at the university they are currently visiting.
What is RadSec?
RadSec, also known as RADIUS over TLS, is an 802.11x protocol for transporting RADIUS datagrams through TCP (Transmission Control Protocol) and TLS (Transport Layer Security), which themselves are protocols.
NOTE: This is not to be confused with RADIUS using EAP-TLS, which is referring to the RADIUS authenticating for the certificate-based 802.1X protocol.
RADIUS has historically relied on the MD5 message-digest algorithm to create a 128-bit hash value for a security, but that has had known vulnerabilities for many years. While that weakness could be overlooked by compensating with strong security in other network layers, the increase in network roaming has necessitated strict security on the transport layer, so MD5 is no longer sufficient.
The main focus of RadSec is to allow RADIUS communication to be secure in the transport layer. It allows authentication, authorization, and accounting to pass safely across untrusted networks.
How is RadSec Used?
The most common application of RadSec is in roaming environments. That is to say, when a device transitions between mobile or cellular networks to local Wi-Fi, it either has to disconnect and reconnect to the internet or be “handed off” by the networks.
When a device is seamlessly connected to a network it’s certainly convenient, but brings the potential threat of a man-in-the-middle attack. RadSec can eliminate this vulnerability by facilitating the switch on the transport layer (one of the key features of OpenRoaming).
One of the most widely implemented uses of RadSec comes from eduroam – a service that allows students and staff at educational facilities to access the internet while visiting other member institutions. In thanks partially to RadSec, users can simply access the network, without any onboarding process.
Easily Deploy RadSec with SecureW2
SecureW2 provides you with everything you need to deploy a powerful 802.1X network with EAP-TLS authentication, which enables you to take advantage of certificates and RadSec, without any forklift upgrades.
Our solution integrates with every major vendor so we can integrate it into any network environment. We can even build you a custom PKI from the ground up in just a couple of hours.
Don’t let your network become antiquated and insecure, get ready for the roaming age of network activity. We have affordable options for organizations of all sizes. Click here to see our pricing.
