RadSec is a protocol that transfers RADIUS data packets securely over TLS (Transport Layer Security). TLS is a security protocol that provides privacy and data integrity for internet communications by encrypting the traffic between two nodes.

Running RADIUS over TLS secures the transmission of authentication, authorization, and accounting data. RadSec has hence been used extensively in environments where RADIUS packets must cross untrusted domains (domains that are blocked, lack security certificates, or are not part of an organization), different administrative units, or hostile networks.



Why RadSec?

The RADIUS protocol is widely used for authentication and authorization. It is also used for accounting; thus, RadSec makes RADIUS a full-fledged AAA (authentication, authorization, and accounting) solution.

RADIUS requires a username and password to log into a network, as opposed to an insecure, universal shared password. This has made RADIUS stand out as one of the best authorization and authentication protocols, one that can benefit an organization and protect it against malicious attacks.

However, as more and more organizations move towards RADIUS for their authorization, authentication, and accounting needs, they generally want even better security. While RADIUS is extremely useful, its security can always be taken up a notch.

RADIUS relies on UDP (User Datagram Protocol) to transfer information. With UDP, messages are sent without first setting up a communication channel. UDP is inherently less secure and has no handshaking, error checking, or correction. It is hence suited only to time-sensitive applications where packet loss is not a big concern. Because it uses UDP, RADIUS communication is less secure and can lose important data packets in transit.

RADIUS security is also based on the MD5 message-digest algorithm, which produces a 128-bit hash value. Although it was initially designed to be used as a cryptographic hash function, MD5 suffers from extreme vulnerabilities that make it insecure for use with RADIUS.

The main focus of RadSec is to allow RADIUS communication to be secure in the transport layer. It allows authentication, authorization, and accounting to pass safely across untrusted networks. Hence, RadSec is the best way to take your security up a notch.

What are the features of RadSec?

RadSec uses TLS in combination with TCP for secure transmission. The features of RadSec transmission are:

  • RadSec secures and encrypts all RADIUS messages between the RADIUS client and server.
  • RadSec ensures that all RADIUS messages are secured and encrypted not only when they are sent over the internet but also inside each operator’s network.
  • RadSec ensures that the RADIUS client and server are mutually authenticated during the connection time, thus ensuring that a connection is trusted.
  • RadSec chains the certificates between the server and the client to a Trusted Root Certificate. 
  • RadSec eliminates unauthorized connections by revoking unauthorized certificates. 
  • RadSec is flexible and scalable, as the client or server IP addresses can be altered without the need to reconfigure the secure tunnel settings. It also allows the number of peering clients and servers to grow, removing the need for additional work to establish new secure tunnels.



How can Foxpass help?

Foxpass offers a cloud-hosted RADIUS solution that syncs with Google and Office 365 and offers a full SSO solution for all your needs. It also helps secure access to your Wi-Fi and machines and enables MFA. Its logging services optimize visibility, automate threat detection and response, and offer easy debugging in case of potential threats.

As a first step, deploying RADIUS for your company infrastructure is a good start to meet your security needs. However, to take it up a notch, Foxpass offers add-on features for RADIUS.

Foxpass offers RadSec as an Advanced RADIUS solution. You can use it to transmit RADIUS requests over a TLS-encrypted channel to remote RADIUS servers. This secure communication of RADIUS requests ensures that your communication is reliable, even across untrusted networks. With Foxpass, you do not have to worry about the hassle of configuring and maintaining RADIUS servers, or of configuring RadSec on top of that.

Simply download the free trial of Foxpass to reap the benefits of RadSec today!