What is RADIUS (Remote Authentication Dial-In User Service)?
Learn what RADIUS is, its Access-Request/Accept flow, and how it centralizes authentication, authorization, and accounting.
Expected Interview Answer
RADIUS (Remote Authentication Dial-In User Service) is a client-server networking protocol that centralizes AAA — Authentication, Authorization, and Accounting — so that switches, wireless access points, and VPN gateways can offload the decision of who is allowed on the network, what they are allowed to do, and how long they used it, to one shared backend server instead of managing credentials locally on every device.
In a RADIUS deployment, network devices like switches or wireless controllers act as RADIUS clients (also called Network Access Servers), while the RADIUS server holds or proxies to the actual identity store, such as Active Directory or an LDAP directory. When a user or device tries to connect, the client packages the credentials into an Access-Request packet and sends it to the RADIUS server, which checks them and replies with Access-Accept, Access-Reject, or Access-Challenge if more information is needed, such as a one-time password. On acceptance, the server can also return authorization attributes in the same reply, like which VLAN to assign or which access-control list to apply, letting a single authentication event also determine what the device is allowed to do. RADIUS also handles accounting: the client sends Accounting-Start and Accounting-Stop records marking session begin and end, which is how organizations get usage logs and session duration data for auditing or billing. RADIUS is the standard backend for 802.1X port-based access control and for VPN and Wi-Fi enterprise authentication, and it communicates over UDP, historically ports 1812/1813, with shared-secret-based obfuscation of the password field rather than full end-to-end encryption of the whole packet.
- Centralizes authentication so credentials are not duplicated on every device
- Combines authentication, authorization, and accounting in one protocol
- Lets a single login also assign VLANs or access policies via reply attributes
- Provides session accounting records for auditing and usage tracking
AI Mentor Explanation
RADIUS is like a cricket league’s central membership office that every ground in the league calls to verify a player’s credentials instead of each ground keeping its own separate membership list. A ground’s gatekeeper sends the player’s ID to the office, the office checks it against the master list and replies with approve, deny, or a request for more proof, and it also logs exactly when that player entered and left the ground for the season records. Every ground in the league relies on the same office rather than maintaining its own duplicate list, which is exactly how RADIUS centralizes authentication, authorization, and accounting for many network devices. The office’s reply can also tell the gate which stand to seat the player in, mirroring how RADIUS returns a VLAN assignment.
Step-by-Step Explanation
Step 1
Access-Request
A network device (RADIUS client), such as a switch or Wi-Fi controller, sends the user's credentials to the RADIUS server in an Access-Request packet.
Step 2
Server verifies
The RADIUS server checks the credentials against its identity store (or proxies to one like Active Directory/LDAP).
Step 3
Access decision
The server replies Access-Accept, Access-Reject, or Access-Challenge, optionally including authorization attributes like a VLAN ID.
Step 4
Accounting
The client sends Accounting-Start and Accounting-Stop records to log session duration and usage for auditing.
What Interviewer Expects
- Explains RADIUS as centralized AAA: authentication, authorization, and accounting
- Describes the client-server model with Access-Request/Accept/Reject/Challenge
- Knows RADIUS is the common backend for 802.1X, VPN, and enterprise Wi-Fi authentication
- Mentions accounting records (session start/stop) as a distinct RADIUS function
Common Mistakes
- Thinking RADIUS encrypts the entire packet, when only the password field is obscured via a shared secret
- Confusing RADIUS with 802.1X — RADIUS is the backend AAA server, 802.1X is the port-based access-control mechanism that often uses it
- Forgetting the "A" for Accounting and only mentioning authentication
- Not knowing RADIUS traditionally runs over UDP, not TCP
Best Answer (HR Friendly)
“RADIUS is the behind-the-scenes service that checks who you are when you log into a company Wi-Fi network, VPN, or a secured switch port. Instead of every device having its own separate list of usernames and passwords, they all just ask the same central RADIUS server, which checks the credentials and sends back an approve or deny, and it can even say which part of the network you should land on. It also quietly logs when each session starts and stops, which is how companies get an audit trail of who used the network and for how long.”
Code Example
# Send a test Access-Request to a RADIUS server
radtest alice mypassword radius.corp.example.com 1812 testing123
# Typical successful response:
# Sent Access-Request Id 42 from 0.0.0.0 to 10.0.0.5 port 1812
# Received Access-Accept Id 42 from 10.0.0.5 to 0.0.0.0 port 1812
# Tunnel-Type = VLAN
# Tunnel-Private-Group-Id = "20"Follow-up Questions
- How does RADIUS differ from TACACS+ for device administration?
- What roles do Access-Challenge packets play in multi-factor RADIUS authentication?
- How does RADIUS relate to 802.1X in an enterprise Wi-Fi deployment?
- Why does RADIUS use UDP instead of TCP, and what tradeoffs does that involve?
MCQ Practice
1. What does the "AAA" in a RADIUS deployment stand for?
RADIUS centralizes Authentication, Authorization, and Accounting for network access.
2. What packet does a RADIUS client send to request authentication?
The RADIUS client (e.g. a switch or Wi-Fi controller) sends an Access-Request packet containing the user's credentials.
3. Which transport protocol does RADIUS traditionally use?
RADIUS traditionally operates over UDP, historically on ports 1812 (authentication) and 1813 (accounting).
Flash Cards
What is RADIUS? — A client-server AAA protocol that centralizes authentication, authorization, and accounting for network access.
What does a RADIUS client send? — An Access-Request packet with the user's credentials, to which the server replies Accept/Reject/Challenge.
What extra info can an Access-Accept carry? — Authorization attributes, such as a VLAN ID to assign the device.
How does RADIUS handle accounting? — The client sends Accounting-Start/Stop records logging session duration for auditing.