RADIUS can prove to be a boon for your organization due to its authentication, authorization, and accounting functionalities. It is the first step towards protecting your infrastructure from attacks. However, you can take it up a notch by using RADIUS with EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). 

What is EAP-TLS?

EAP is an authentication framework that carries a number of authentication methods, known as EAP methods. EAP-TLS is one of these methods.

EAP-TLS is known to be one of the most secure EAP methods, as TLS offers strong security. EAP-TLS requires both server-side and client-side digital certificates to establish a connection. Each digital certificate must be signed by a Certificate Authority (CA) that is trusted by both the client and the server. This gives the EAP-TLS method better security, because even if a password is somehow compromised, an intruder would still need to compromise the client-side certificate.

EAP-TLS is a wireless authentication protocol, and is extensively used for authentication using WiFi.


What are the features of EAP-TLS?

  • Authentication is mutual: Both the 'server to client' as well as the 'client to server' authentication must be established for the communication to take place.

  • Keys are exchanged between the server and the client: To establish dynamic WEP (Wired Equivalent Privacy) or TKIP (Temporal Key Integrity Protocol) keys, the key exchange takes place between the server and the client.

  • Fragmentation and reassembly: When very long messages are to be sent between the client and the server, fragmentation of the information and reassembly occurs for better transmission of data.

  • Fast reconnect: If the connection drops, the EAP-TLS connection can be quickly re-established.


There are several useful features of EAP-TLS that make it a protocol worth using to save your organization from being attacked by snooping outsiders. The question here is, why use EAP-TLS on top of the already existing RADIUS protocol?


RADIUS is inherently a full-fledged AAA (authentication, authorization, and accounting) solution.


However, as an ever-increasing number of organizations move to RADIUS for their authentication, authorization, and accounting needs, a few issues come to the surface. While RADIUS is extremely useful, its lack of security is a shortcoming of the protocol.


RADIUS depends on UDP (User Datagram Protocol) to transmit data. When transmitting data over UDP, communication channels do not need to be set up first. UDP has traditionally been seen as less secure because it lacks handshaking, error correction, and error checking capabilities. Hence, UDP is only appropriate for time-sensitive applications that do not require error checking mechanisms. Because it uses UDP, RADIUS communication turns out to be less secure.


The RADIUS protocol uses the MD5 message-digest algorithm, which generates a 128-bit hash value. MD5 is known to have serious vulnerabilities, which make it insecure for use with RADIUS.



To solve this problem, EAP-TLS can be used on top of the RADIUS protocol to give RADIUS the security that it lacks. The mutual authentication, key exchange, fragmentation, and fast reconnect capabilities of EAP-TLS make it a perfect, advanced RADIUS solution that can take your organizational security to the next level.


How can Foxpass help with EAP-TLS?

Foxpass’s RADIUS solution effortlessly syncs with Office 365 and Office. It also has SSO capabilities and helps secure Wi-Fi access. With Foxpass RADIUS, you can also reap the benefits of MFA and improve visibility into your infrastructure using its logging services. RADIUS using Foxpass automates threat detection and response, and helps you debug threats with ease.

As a starting point, using RADIUS for your organization is a good choice. However, owing to the insecurities associated with RADIUS, you can improve organizational security by using EAP-TLS on top of RADIUS.

Foxpass offers EAP-TLS or RadSec as an Advanced RADIUS solution. With Foxpass, you can connect devices over RADIUS with EAP-TLS, using 802.1X certificate-based authentication. You can simply upload the Certificate Authority (CA) to Foxpass. All devices with a certificate derived from this CA can then simply connect to a WiFi network without entering a username or password.

