Transport Security in RADIUS vs. RadSec
When deploying secure authentication using Extensible Authentication Protocol (EAP), the choice of transport protocol - RADIUS over UDP vs. RADIUS over TLS (RadSec) - plays a critical role in determining how securely metadata and protocol elements are transmitted across the network.
Both RADIUS and RadSec can carry EAP messages including those used in common methods like EAP-TLS, PEAP, and EAP-TTLS. While the inner workings of the EAP method remain the same, the transport protocol impacts visibility, integrity, confidentiality of metadata, and operational behaviour.
This document compares how RADIUS and RadSec affect EAP transport - focusing on encryption, shared secret usage, attribute exposure, logging implications, and deployment considerations.
Transport Security: Core Differences
EAP methods such as EAP-TLS, PEAP, and EAP-TTLS provide authentication mechanisms between clients (supplicants) and authentication servers. However, these methods do not inherently encrypt the transport of metadata between intermediate nodes. This role falls to the transport layer protocol:
RADIUS (UDP) transmits EAP messages and RADIUS attributes in plaintext.
RadSec (TLS) encrypts the entire RADIUS packet, securing all attributes and protocol headers during transit.
The table below summarises these differences which affects confidentiality of attributes such as outer identity, NAS IP, calling station ID, and more. While EAP methods may encrypt user credentials (e.g., certificates or passwords), metadata remains exposed over standard RADIUS unless RadSec is used.
Transport Layer Protocol
UDP (typically)
TLS over TCP
Encryption
No transport encryption
Full transport encryption
Default Port*
UDP 1812
TCP 2083
Notes
Stateless; may be filtered by firewalls.
Stateful; establishes secure tunnels.
*While these ports are the recognised standards, some deployments may customise them for local policy or infrastructure reasons.
The Role of the RADIUS Shared Secret in Both Protocols
The RADIUS shared secret is used for packet integrity and legacy encryption behaviours. This applies regardless of whether the transport is standard RADIUS or RadSec.
Key uses:
Message-Authenticator AVP: Ensures packet integrity using HMAC-MD5.
User-Password AVP (legacy methods): Encrypts credentials using the shared secret.
RadSec compatibility: Even in RadSec, the shared secret is maintained for compatibility with RADIUS semantics and intermediate systems.
Data Element Visibility: RADIUS vs. RadSec
This table compares key data elements when using EAP-TLS over RADIUS (UDP) and RadSec (TLS), grouped by visibility risk during transmission.
Outer RADIUS packet
Clear text (over UDP or TCP).
Encrypted (over TLS).
Includes both headers and AVPs. E.g., packet visible in Wireshark or tcpdump.
User identity (outer identity)
Sent in clear text.
Encrypted (over TLS).
[email protected] used for realm routing.
RADIUS AVPs (Attributes)
Some in clear text (e.g., NAS-IP, User-Name).
Fully encrypted in TLS.
NAS-IP-Address,
Calling-Station-Id
RADIUS headers
Clear text
Encrypted in TLS
Code (Access-Request), Identifier,
Length,
Authenticator
RADIUS shared secret
Not transmitted (used internally)
Not transmitted (used internally)
Used for AVP encryption and Message-Authenticator validation.
EAP payload
Encrypted between client and server
Encrypted in TLS
Includes TLS handshake, certificate validation, etc.
User credentials (certificates/keys)
Encrypted in EAP tunnel
Encrypted in EAP-tunnel + TLS
Applies to certificate-based (EAP-TLS) and password-based (PEAP) methods. Client certificate with subject CN=jsmith, OU=IT
Password (e.g., PEAP or MSCHAPv2)
Encrypted in tunnelled method (e.g., PEAP)
Encrypted in EAP tunnel + TLS
Applies to password-based methods.
Identity Privacy: Outer vs. Inner Identity
EAP methods that use tunnelling or certificates (e.g., PEAP, EAP-TTLS, EAP-TLS) support outer and inner identities:
Outer Identity: Sent in the clear in the User-Name AVP to facilitate realm routing. Often anonymised (e.g.,
[email protected]).Inner Identity: Carried securely inside the encrypted EAP tunnel (e.g., username/password, certificate CN).
Behaviour across transports:
In RADIUS, the outer identity is sent in plaintext and is visible on the wire.
In RadSec, the entire packet including the outer identity is encrypted.
Privacy concerns related to the Outer Identity being transmitted in plaintext with RADIUS can be mitigated by configuring identity privacy or leveraging device certificates that do not contain PII data in the common name attribute
Outer Identity
The table below provides an overview on the typical values various OS platforms populate the Outer Identity with.
Username/Password
Typically:
- UPN
- Email Address
Windows (can be anonymised)
iOS, iPadOS, macOS (can be anonymised)
Android (can be anonymised)
Device Certificate
Common name (CN) property of the client certificate's subject name.
Typically:
- DeviceName
- Intune Device ID (GUID)
- AAD Device ID (GUID)
Windows (cannot be anonymised) *
iOS, iPadOS, macOS (can be anonymised)
Android (can be anonymised)
User Certificate
Common name (CN) property of the client certificate's subject name.
Typically:
- UPN
- Email Address
Windows (cannot be anonymised)*
iOS, iPadOS, macOS (can be anonymised)
Android (can be anonymised)
*The EAP client used in Windows does not support identity privacy for EAP-TLS.
Logging and Deployment Considerations
RadSec (TLS)
RadSec encrypts the entire RADIUS packet, which prevents passive eavesdropping. This shifts logging and diagnostics from network inspection to the application or RADIUS server level, as these are the endpoints that terminate the TLS session. Organizations transitioning to RadSec should evaluate monitoring workflows to accommodate encrypted traffic.
RADIUS (UDP)
The plaintext transmission of attributes (User-Name, NAS-IP-Address, etc.) simplifies troubleshooting and live diagnostics, enabling packet capture with minimal tooling. However, this increases the exposure risk of sensitive metadata during transit.
Network Support
Support for RadSec is not universal across all network devices and infrastructure. Many network switches, wireless access points, and firewalls support only traditional RADIUS. In mixed environments, a RadSec-to-RADIUS proxy may be needed to bridge modern and legacy components. Infrastructure assessments are recommended before deploying RadSec in production.
Conclusion and Key Takeaways
Transporting EAP methods over either RADIUS or RadSec offers the same strong end-to-end protection for user credentials but differs significantly in how metadata and protocol elements are exposed during transit.
EAP End-to-End Protection: EAP provides strong protection for user credentials over both RADIUS and RadSec.
Primary Difference: RADIUS uses UDP and does not encrypt the RADIUS packet itself, while RadSec wraps the entire packet in TLS, hiding all attributes and headers from the wire.
Metadata Confidentiality: RadSec encrypts all metadata (headers, attributes, and Outer Identity), preventing network-level exposure.
Shared Secret: The Shared Secret is never transmitted. It is only used locally to compute message integrity checks and verify authenticity.
Trade-Offs: RadSec provides enhanced confidentiality but complicates diagnostics due to encryption, and its support is not universal across all network equipment.
Standards and RFC References
For further detail on protocols and specifications:
EAP (Extensible Authentication Protocol): RFC 3748
EAP-TLS: RFC 5216
RADIUS (Remote Authentication Dial-In User Service): RFC 2865
RadSec (RADIUS over TLS): RFC 6614
Last updated
Was this helpful?