# Transport Security in RADIUS vs. RadSec When deploying secure authentication using Extensible Authentication Protocol (EAP), the choice of transport protocol - RADIUS over UDP vs. RADIUS over TLS (RadSec) - plays a critical role in determining how securely metadata and protocol elements are transmitted across the network. Both RADIUS and RadSec can carry EAP messages including those used in common methods like EAP-TLS, PEAP, and EAP-TTLS. While the inner workings of the EAP method remain the same, the transport protocol impacts visibility, integrity, confidentiality of metadata, and operational behaviour. This document compares how RADIUS and RadSec affect EAP transport - focusing on encryption, shared secret usage, attribute exposure, logging implications, and deployment considerations. *** ### Transport Security: Core Differences EAP methods such as EAP-TLS, PEAP, and EAP-TTLS provide authentication mechanisms between clients (supplicants) and authentication servers. However, these methods do not inherently encrypt the transport of metadata between intermediate nodes. This role falls to the transport layer protocol: * RADIUS (UDP) transmits EAP messages and RADIUS attributes in plaintext. * RadSec (TLS) encrypts the entire RADIUS packet, securing all attributes and protocol headers during transit. The table below summarises these differences which affects confidentiality of attributes such as outer identity, NAS IP, calling station ID, and more. While EAP methods may encrypt user credentials (e.g., certificates or passwords), metadata remains exposed over standard RADIUS unless RadSec is used. | Protocol | RADIUS | RadSec | | ------------------------ | ---------------------------------------- | ------------------------------------- | | Transport Layer Protocol | UDP (typically) | TLS over TCP | | Encryption | No transport encryption | Full transport encryption | | Default Port\* | UDP 1812 | TCP 2083 | | Notes | Stateless; may be filtered by firewalls. | Stateful; establishes secure tunnels. | \*While these ports are the recognised standards, some deployments may customise them for local policy or infrastructure reasons. *** ### The Role of the RADIUS Shared Secret in Both Protocols The RADIUS shared secret is used for packet integrity and legacy encryption behaviours. This applies regardless of whether the transport is standard RADIUS or RadSec. **Key uses:** * **Message-Authenticator AVP**: Ensures packet integrity using HMAC-MD5. * **User-Password AVP (legacy methods)**: Encrypts credentials using the shared secret. * **RadSec compatibility**: Even in RadSec, the shared secret is maintained for compatibility with RADIUS semantics and intermediate systems. {% hint style="info" %} **Note:** The shared secret is never transmitted over the network - it is used locally for HMAC operations and AVP validation. {% endhint %} *** ### Data Element Visibility: RADIUS vs. RadSec This table compares key data elements when using EAP-TLS over RADIUS (UDP) and RadSec (TLS), grouped by visibility risk during transmission.

Data Element	RADIUS (UDP)	RadSec (RADIUS over TLS)	Example / Notes
Outer RADIUS packet	Clear text (over UDP or TCP).	Encrypted (over TLS).	Includes both headers and AVPs. E.g., packet visible in Wireshark or tcpdump.
User identity (outer identity)	Sent in clear text.	Encrypted (over TLS).	`anonymous@organisation.com` used for realm routing.
RADIUS AVPs (Attributes)	Some in clear text (e.g., NAS-IP, User-Name).	Fully encrypted in TLS.	`NAS-IP-Address,` `Calling-Station-Id`
RADIUS headers	Clear text	Encrypted in TLS	Code (`Access-Request`), `Identifier,` `Length,` `Authenticator`
RADIUS shared secret	Not transmitted (used internally)	Not transmitted (used internally)	Used for AVP encryption and `Message-Authenticator` validation.
EAP payload	Encrypted between client and server	Encrypted in TLS	Includes TLS handshake, certificate validation, etc.
User credentials (certificates/keys)	Encrypted in EAP tunnel	Encrypted in EAP-tunnel + TLS	Applies to certificate-based (EAP-TLS) and password-based (PEAP) methods. Client certificate with subject `CN=jsmith, OU=IT`
Password (e.g., PEAP or MSCHAPv2)	Encrypted in tunnelled method (e.g., PEAP)	Encrypted in EAP tunnel + TLS	Applies to password-based methods.

*** ### Identity Privacy: Outer vs. Inner Identity EAP methods that use tunnelling or certificates (e.g., PEAP, EAP-TTLS, EAP-TLS) support outer and inner identities: * **Outer Identity**: Sent in the clear in the User-Name AVP to facilitate realm routing. Often anonymised (e.g., `anonymous@domain.com`). * **Inner Identity**: Carried securely inside the encrypted EAP tunnel (e.g., username/password, certificate CN). #### Behaviour across transports: * In **RADIUS**, the outer identity is sent in plaintext and is visible on the wire. * In **RadSec**, the entire packet including the outer identity is encrypted. Privacy concerns related to the Outer Identity being transmitted in plaintext with RADIUS can be mitigated by configuring identity privacy or leveraging device certificates that do not contain PII data in the common name attribute {% hint style="info" %} **Note**: Some platforms, like Windows’ native EAP client, may not support identity privacy by default in methods like EAP-TLS, potentially exposing the real identity in the outer layer. {% endhint %} #### Outer Identity The table below provides an overview on the typical values various OS platforms populate the Outer Identity with. | Credential Type | Outer Idenity | Applicable OS | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Username/Password |

Typically:
- UPN
- Email Address

Windows
(can be anonymised)
iOS, iPadOS, macOS
(can be anonymised)
Android
(can be anonymised)

| | Device Certificate |

Common name (CN) property of the client certificate's subject name.

Typically:
- DeviceName
- Intune Device ID (GUID)
- AAD Device ID (GUID)

Windows
(cannot be anonymised) \*
iOS, iPadOS, macOS
(can be anonymised)
Android
(can be anonymised)

| | User Certificate |

Common name (CN) property of the client certificate's subject name.

Typically:
- UPN
- Email Address

Windows
(cannot be anonymised)\*
iOS, iPadOS, macOS
(can be anonymised)
Android
(can be anonymised)

| \*The EAP client used in Windows does not support identity privacy for EAP-TLS. *** ### Logging and Deployment Considerations #### RadSec (TLS) RadSec encrypts the entire RADIUS packet, which prevents passive eavesdropping. This shifts logging and diagnostics from network inspection to the application or RADIUS server level, as these are the endpoints that terminate the TLS session. Organizations transitioning to RadSec should evaluate monitoring workflows to accommodate encrypted traffic. #### RADIUS (UDP) The plaintext transmission of attributes (User-Name, NAS-IP-Address, etc.) simplifies troubleshooting and live diagnostics, enabling packet capture with minimal tooling. However, this increases the exposure risk of sensitive metadata during transit. #### Network Support Support for RadSec is not universal across all network devices and infrastructure. Many network switches, wireless access points, and firewalls support only traditional RADIUS. In mixed environments, a RadSec-to-RADIUS proxy may be needed to bridge modern and legacy components. Infrastructure assessments are recommended before deploying RadSec in production. *** ### Conclusion and Key Takeaways Transporting EAP methods over either RADIUS or RadSec offers the same strong end-to-end protection for user credentials but differs significantly in how metadata and protocol elements are exposed during transit. * **EAP End-to-End Protection**: EAP provides strong protection for user credentials over both RADIUS and RadSec. * **Primary Difference**: RADIUS uses UDP and does not encrypt the RADIUS packet itself, while RadSec wraps the entire packet in TLS, hiding all attributes and headers from the wire. * **Metadata Confidentiality**: RadSec encrypts all metadata (headers, attributes, and Outer Identity), preventing network-level exposure. * **Shared Secret**: The Shared Secret is never transmitted. It is only used locally to compute message integrity checks and verify authenticity. * **Trade-Offs**: RadSec provides enhanced confidentiality but complicates diagnostics due to encryption, and its support is not universal across all network equipment. *** ### Standards and RFC References For further detail on protocols and specifications: * EAP (Extensible Authentication Protocol): RFC 3748 * EAP-TLS: RFC 5216 * RADIUS (Remote Authentication Dial-In User Service): RFC 2865 * RadSec (RADIUS over TLS): RFC 6614 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.radiusaas.com/other/faqs/security-and-privacy/transport-security-in-radius-vs.-radsec.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.