RADIUS over TLS, also known as RadSec, strengthens roaming services such as Eduroam by wrapping the Remote Authentication Dial-In User Service (RADIUS) protocol in TLS. Standard RADIUS, as used between Eduroam servers, runs over the User Datagram Protocol (UDP) and has no transport encryption: apart from an MD5-based obfuscation of the User-Password attribute, authentication data travels in the clear. RadSec carries the same RADIUS packets over TLS on the Transmission Control Protocol (TCP), so the data exchanged between Eduroam servers is encrypted and integrity-protected.
What is Eduroam?
Eduroam is a global roaming service that lets users from participating research and education institutions get network access at other member institutions with their home credentials. It links the network access point (NAP) of the visited institution to the user's home institution, so the home institution performs the authentication and the visited one only enforces the result. Here's how it works:
- A user from University A tries to connect to the eduroam Wi-Fi network at University B with their home credentials, whose realm (the part after the @) identifies University A.
- The user's device talks to the local NAP (the 802.1X authenticator) at University B. The access point forwards the authentication request, as a RADIUS Access-Request, to University B's RADIUS server.
- University B's server does not know the user; based on the realm, it proxies the request through the Eduroam RADIUS proxy hierarchy (national and top-level proxies) to University A's RADIUS server.
- University A's RADIUS server verifies the user's credentials against its own user database.
- The authentication response (Access-Accept or Access-Reject) travels back along the same proxy chain to University B's RADIUS server and on to the access point, which grants or denies network access accordingly.
Risks Of UDP-based RADIUS Authentication In Eduroam
Eduroam relays authentication requests between institutions as RADIUS over UDP. Neither RADIUS nor UDP provides transport encryption, and UDP provides no reliability:
- UDP offers no delivery guarantees, so requests are prone to loss and retransmission, and firewalls between institutions may block or delay UDP traffic.
- The only confidentiality RADIUS offers is an MD5-based obfuscation of the User-Password attribute, and packet integrity rests on an MD5 Response Authenticator keyed with the shared secret. MD5 is a hash, not a cipher, and its collision resistance is broken. Everything else, including the outer User-Name with its realm, the client's MAC address and the NAS details, is sent in plaintext.
The Blast-RADIUS vulnerability (CVE-2024-3596) is the concrete consequence of that MD5 dependence for any Eduroam hop that authenticates over RADIUS/UDP.
Understanding the Risk Of Blast-RADIUS In Eduroam
Blast-RADIUS exploits the way RADIUS over UDP authenticates responses: the Response Authenticator is a plain MD5 hash over the packet and the shared secret. An attacker positioned on the path between a RADIUS client and server (a man-in-the-middle) uses an MD5 chosen-prefix collision to turn the server's Access-Reject into an Access-Accept that still carries a valid Response Authenticator, without knowing the shared secret, so a failed login is reported as a success and the attacker gains network access.
The defence is the Message-Authenticator attribute (RFC 2869, attribute 80), an HMAC-MD5 over the packet keyed with the shared secret, which the collision cannot forge: servers must send it in every Access-Accept, Access-Reject and Access-Challenge, and clients and proxies must require and verify it. Where it is not enforced, an attacker can also rewrite other authorization attributes in the response, such as the VLAN assignment (Tunnel-Private-Group-ID), filter or ACL references, and group or role attributes. Note that packets carrying EAP-Message must already include Message-Authenticator (RFC 3579), so an EAP-only Eduroam path whose hops drop packets with a missing or invalid Message-Authenticator is not exposed to the forged Accept; the attack bites on non-EAP methods such as PAP, CHAP and MS-CHAP (used, for example, for MAC authentication bypass) and on any hop that tolerates the attribute's absence.
With RadSec the whole RADIUS exchange is carried inside TLS, so an on-path attacker can neither read the packets nor substitute a colliding one; the MD5 authenticators are still present, but they are no longer the only thing standing between the attacker and an Access-Accept.
What is RadSec?
RadSec is RADIUS over TLS (RFC 6614): the unchanged RADIUS packets are carried over a TLS session on TCP port 2083 instead of UDP ports 1812 and 1813, with the two peers authenticating each other by X.509 certificate. It provides Authentication, Authorization and Accounting (AAA) across untrusted networks.
RadSec is invisible to the user, who connects to the eduroam SSID exactly as before; what changes is the path behind the access point. In Eduroam a single authentication crosses several proxies and administrative domains, and unless every hop is RadSec, each hop is a place where an on-path attacker can read the packets or mount Blast-RADIUS and other MITM attacks. RadSec adds an encrypted, mutually authenticated channel between RADIUS servers, proxies and the clients that support it, so the exchange cannot be intercepted in transit.
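The realm-based routing from the walkthrough above and the RadSec transport, as an added configuration example written for radsecproxy (the proxy commonly used at Eduroam sites); it is not configuration from the original article. Hostnames, certificate paths, the address range and the realm names are placeholders. The commented-out block is the legacy UDP link the article warns about, shown beside its RadSec replacement.

```conf
LogLevel 3
LogDestination x-syslog:///

# Accept RadSec (RADIUS/TLS, RFC 6614) on the standard port
ListenTLS *:2083

tls default {
    CACertificateFile   /etc/radsecproxy/certs/ca.pem
    CertificateFile     /etc/radsecproxy/certs/server.pem
    CertificateKeyFile  /etc/radsecproxy/certs/server.key
}

# Legacy link: RADIUS/UDP protected only by a shared secret and MD5 authenticators,
# nothing encrypted on the wire. Left here to show what the RadSec block replaces.
# server eduroam-flr-udp {
#     host   flr.example.org
#     type   udp
#     secret changeme
# }

# RadSec link to the federation-level proxy: TLS with mutual certificate
# authentication. The secret is fixed at "radsec" by RFC 6614 because TLS,
# not the secret, is what protects the packets.
server eduroam-flr {
    host                 flr.example.org
    type                 tls
    tls                  default
    secret               radsec
    certificateNameCheck on
    statusServer         on
}

# Our own identity provider, also over RadSec
server home-idp {
    host         idp.example.edu
    type         tls
    tls          default
    secret       radsec
    statusServer on
}

# Campus access points that speak RadSec; the certificate, not an IP, identifies them
client campus-aps {
    host                      10.0.0.0/8
    type                      tls
    tls                       default
    secret                    radsec
    certificateNameCheck      off
    matchCertificateAttribute CN:/^ap-.*\.example\.edu$/
}

# Realm routing: our users to our IdP, everyone else to the federation.
# A realm with no server rejects locally, which stops realm-less requests
# from being bounced around the proxy hierarchy.
realm /^[^@]*$/ {
    replyMessage "Missing realm"
}
realm /@example\.edu$/ {
    server           home-idp
    accountingServer home-idp
}
realm * {
    server           eduroam-flr
    accountingServer eduroam-flr
}
```

After a change, `radsecproxy -p` (parse-only) checks the file, and the `statusServer` keepalives make a broken TLS peer visible in the log rather than as silent UDP-style timeouts.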
RadSec Secures The Gaps In Traditional RADIUS Communication
Even when EAP methods are used, the RADIUS packets that carry the EAP exchange between hops still travel over UDP with no transport encryption and only the MD5-based authenticators for integrity. The EAP tunnel protects the inner credential, but the outer identity, the client and NAS details, the authorization attributes returned in the Access-Accept, and the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes that deliver the session key to the access point (obfuscated only with an MD5 keystream under each hop's shared secret, per RFC 2548) are exposed on the path. That leaves the network open to eavesdropping and attribute tampering and, on hops that accept non-EAP requests without Message-Authenticator, to Blast-RADIUS.
RadSec closes this gap by carrying the RADIUS traffic inside TLS between RADIUS servers and proxies, so none of that material is readable or modifiable in transit.
Is RadSec Necessary for Eduroam?
It is common practice to authenticate Eduroam users with EAP. But is that sufficient to secure the entire Eduroam authentication process? In practice it does not protect the communication between the RADIUS servers that relay the request.
Eduroam uses EAP methods such as Protected Extensible Authentication Protocol (PEAP) and EAP-Transport Layer Security (EAP-TLS) for client authentication. Both build a TLS tunnel between the client (supplicant) and the home institution's RADIUS server: the server proves its identity with a certificate, and the client's identity and credentials (an inner password exchange for PEAP, a client certificate for EAP-TLS) are protected inside that tunnel.
RadSec, on the other hand, uses TLS to encrypt all the traffic between RADIUS servers. Where PEAP and EAP-TLS secure the end-to-end authentication of the user, RadSec secures each hop of the RADIUS proxy chain and authenticates the proxies to one another.
What’s At Risk Without RadSec
EAP-TLS substantially improves the security of roaming authentication by replacing passwords with client certificates, so there is no reusable credential to steal. But RADIUS over UDP still carries metadata in the clear around that exchange: the outer identity and realm, client MAC addresses (Calling-Station-Id), SSIDs (Called-Station-Id), VLAN assignments (Tunnel-Private-Group-ID) and proxy routing details (Proxy-State, Operator-Name).
That is why we recommend pairing EAP-TLS with RadSec, which encrypts the full RADIUS packet in transit and protects that metadata. It is not that EAP-TLS is insecure; it is the extra step that closes the remaining gaps.
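One concrete piece of what an unencrypted hop leaks, as an added example that is not part of the original article: the session key (PMK) that the home server returns in the MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes is not encrypted, only obfuscated with the RFC 2548 scheme, an MD5 keystream derived from the hop's shared secret and the Request Authenticator. The block implements that scheme as a server applies it and the inverse that every proxy on the path, and anyone who learns a hop's secret, can apply to a captured Access-Accept. The secret, Request Authenticator, salt and PMK are constructed values.

```python
import hashlib
import os

# Constructed sample values (not from a real capture).
SECRET = b"testing123"
REQUEST_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PMK = bytes(range(0xA0, 0xC0))        # 32-byte session key a home server would return
FIXED_SALT = b"\x80\x01"              # deterministic salt for the demo


def _keystream_block(secret, request_auth, salt, prev_cipher_block):
    """b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1))  (RFC 2548 s2.4.2)."""
    if prev_cipher_block is None:
        return hashlib.md5(secret + request_auth + salt).digest()
    return hashlib.md5(secret + prev_cipher_block).digest()


def mppe_encrypt(secret, request_auth, key, salt=None):
    """Obfuscate a key the way a RADIUS server does for MS-MPPE-*-Key."""
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80, os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)          # zero-pad to a multiple of 16
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        b = _keystream_block(secret, request_auth, salt, prev)
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_decrypt(secret, request_auth, value):
    """Inverse of mppe_encrypt; raises ValueError if the secret/authenticator is wrong
    and the length byte comes out inconsistent."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain, prev = b"", None
    for i in range(0, len(cipher), 16):
        b = _keystream_block(secret, request_auth, salt, prev)
        c = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1:
        raise ValueError("bad key length: wrong secret or Request Authenticator")
    return plain[1:1 + klen]


def recover_pmk(secret, request_auth, value):
    """What an observer with the hop secret gets from a captured Access-Accept,
    or None when the secret does not fit."""
    try:
        return mppe_decrypt(secret, request_auth, value)
    except ValueError:
        return None


def demo():
    wire_value = mppe_encrypt(SECRET, REQUEST_AUTH, PMK, FIXED_SALT)
    return {
        "wire_value_len": len(wire_value),
        "with_hop_secret": recover_pmk(SECRET, REQUEST_AUTH, wire_value),
        "with_wrong_secret": recover_pmk(b"wrong-secret", REQUEST_AUTH, wire_value),
    }


if __name__ == "__main__":
    r = demo()
    print("on the wire:", r["wire_value_len"], "bytes")
    print("recovered with hop secret:", r["with_hop_secret"].hex())
    print("recovered with wrong secret:", r["with_wrong_secret"])
```

Two things follow from the code: the obfuscation is only as strong as the per-hop shared secret (and the secret is reused for every packet on that hop), and each proxy must decrypt and re-encrypt the key for the next hop, so every proxy holds the PMK in the clear regardless of transport. RadSec removes the on-path observer; it does not, and cannot, hide the key from the proxies themselves.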
Deploy TLS-Encrypted RadSec with SecureW2’s CloudRADIUS
Traditional RADIUS over UDP has limitations, and EAP-TLS reduces the risk considerably: an intercepted EAP-TLS exchange exposes at most a client certificate, which is useless without the corresponding private key. The real concern is weaker methods such as PEAP (a password inside a tunnel that is only as safe as the client's validation of the server certificate) or MAC-based authentication (a PAP or CHAP request, exactly what Blast-RADIUS targets), where credential exposure or forgery is more likely. RadSec adds a further layer by encrypting the entire RADIUS transmission path, strengthening certificate-based authentication as well.
With SecureW2's Dynamic PKI and Cloud RADIUS, migrating from PEAP to EAP-TLS does not have to be complex; it can be a turnkey move toward a safer, more scalable Eduroam infrastructure. Our MultiOS lets BYOD student devices and guest devices self-enroll for certificates, enabling safe network access without exposing them to malware or other attacks along the way.