radsec

What is RadSec?

Patrick Grubbs Education

What is RadSec?

RadSec, also known as RADIUS over TLS, is an 802.11x protocol for transporting RADIUS datagrams through TCP (Transmission Control Protocol) and TLS (Transport Layer Security), which themselves are protocols.

RADIUS has historically relied on the MD5 message digest algorithm to create a 128-bit hash value for security, but that has had known vulnerabilities for many years. While that weakness could be overlooked by compensating with strong security in other network layers, the increase in network roaming has necessitated strict security on the transport layer, so MD5 is no longer sufficient.

How Does RadSec Work?

The simple explanation of RadSec is that it allows you to transfer RADIUS packets through public networks while still enjoying end-to-end security through the transport layer using TLS.

This configuration is particularly useful because it allows dynamic establishment of connection. Normally, when a network connects to peers it must either use an IP address and shared secret to identify them, but RadSec can do it securely and on the fly because both servers are equipped with x.509 digital certificates.

RADIUS – Courtesy of Radiator Software

RadSec – Courtesy of Radiator Software

Can you make RadSec Proxy Servers?

Yes! RadSec operates like RADIUS in most every way, including the ability to make and use proxy servers. This is particularly helpful if you want to make local RADIUS servers for specific access points.

Furthermore, it’s possible to customize your RadSec proxy server to form connections via TLS instead of the default TCP.

Benefits of RadSec

Utilizing digital certificates in the TCP/IP RADIUS streams adds several layers of security hard to achieve otherwise.

  • Normal RADIUS requests are sent in plaintext. RadSec encrypts the transmission packets, so zero information can be sniffed or intercepted.
  • Even if the RADIUS requests were intercepted, it would be impossible to tamper with them without the recipient being aware because of the intrinsic mutual authentication between the client and server. You are always certain of the identity of both parties.
  • Random packet loss is trackable, so data won’t go missing without anyone being aware of it.

RadSec Use Cases

Who is RadSec for? It’s commonly implemented in one field: roaming environments. When a device transitions between mobile or cellular data to a local Wi-Fi hotspot, it either has to disconnect and reconnect to the internet, or be “handed off” by the networks.

The hand-off situations, also known as device offloading, are becoming increasingly common. Between Passpoint and OpenRoaming, we can expect seamless, automated roaming for mobile devices to become the norm within the next few years. However, there is vulnerability any time you switch networks as it’s an opportunity for a man-in-the-middle attack. RadSec can eliminate the vulnerability by facilitating the switch on the transport layer (one of the key features of OpenRoaming).

Perhaps the most widely used implementation of RadSec is eduroam – a roaming service that allows students and staff to easily access the internet while visiting member institutions. The users can safely access the internet without the hassle of sign-ins or onboarding, thanks in part to RadSec.

While it’s mostly used in roaming scenarios today, everyone could potentially benefit from RadSec. The historical hassle of deploying TLS is what has kept it from being widespread, but SecureW2’s TLS solution is plug-and-play with your existing infrastructure.

Easily Deploy RadSec with SecureW2

That’s right – we can improve your existing network infrastructure to support WPA2-Enterprise EAP-TLS authentication, enabling the use of digital certificates and RadSec, without any forklift upgrades. Our solution cleanly integrates into every major vendor, both hardware and software, to fill in the missing pieces. We can even build you a custom PKI from the ground up in just a couple hours.

Whether your organization utilizes roaming right now is a moot point. Sometime soon, within the next few years perhaps, everyone will be using these federated directories to allow their employees, customers, contractors, and guests easy, secure access to Wi-Fi.

You can benefit from the enhanced user experience and vastly improved security right now! We have affordable options for organizations of all sizes. Click here to see our pricing.


Learn About This Author

Patrick Grubbs

Patrick is the SEO guy at SecureW2, but he enjoys writing a little too much to give it up entirely. He got his start blogging about his ever-expanding collection of succulents and cacti. His hobbies include running, gardening, playing video games, and buying tools he will never use. Special skills: 5th grade chess champion, ultra-specific color identification, clapping with one hand