RADIUS in Action: Securing,
Monitoring and Protecting
Network Infrastructure
Karri Huhtanen (Radiator Software)
RADIUS Conference 2025, 13th of March 2025, Tampere, Finland
Contents
● Introduction
● Certificate-Based Authentication: Replacing Usernames and Passwords
● Securing Network Port Access with 802.1X and VLANs
● Enhancing Management Traffic Security with RadSec (RADIUS over TLS)
● Protecting Network Infrastructure Access with RADIUS, TACACS+, and
Multi-Factor Authentication
● Ensuring Network Resilience without Internet or Cloud Dependency
● Improving Network Monitoring with RADIUS Authentication and
Accounting Logs
● Conclusion
Introduction
● Usernames and passwords are getting harder to secure and harder to use – for better or worse.
● Non-authenticated ports and non-segmented networks enable attackers
to both gain access and move laterally in the network with minimal
resistance and risk of detection.
● Unprotected RADIUS traffic can be captured, modified and tracked.
● Multi-Factor Authentication (MFA) and RADIUS/TACACS+ authorisation help to secure network device access, but what happens when your MFA service or Active Directory is down?
● In addition to control, RADIUS can also provide information to monitor the network better and to detect and locate anomalies.
Certificate-Based Authentication: Replacing Usernames
and Passwords
● Usernames and passwords can be guessed, phished, copied or stolen.
● MFA adds some protection, but the user can be tricked into bypassing it. It is also not very practical for repeated network authentications.
● Certificate-Based Authentication (EAP-TLS) has been around since 1999 (RFC 2716) and has been updated several times (RFC 5216 in 2008, RFC 9190 in 2022) to include new TLS versions and other enhancements.
● With EAP-TLS and trusted platform modules (TPMs) in modern devices,
both the credentials and the network access in wired and wireless
networks can be secured.
● For certificate provisioning there are multiple services and solutions available, especially for managed devices, but for unmanaged devices certificate and configuration provisioning is still harder.
Securing Network Port Access with 802.1X and VLANs
So in 2003, at the TERENA Networking Conference in Zagreb (Croatia), there was this guy from the Netherlands presenting 802.1X, dynamic VLAN allocation and roaming ...
Securing Network Port Access with 802.1X and VLANs
● 802.1X and dynamic VLAN selection worked
then and works now – both in wired and
wireless networks.
● VLANs are used for network/device
segmentation, 802.1X is used for port/VLAN
authentication.
● A single port or a single Wi-Fi network, but which VLAN the device ends up in is determined by RADIUS.
● RADIUS can utilise and combine multiple
sources of information for the decision, for
example:
○ Device registry / directory services
○ Device identification/classification by
network devices (e.g. Wi-Fi controllers)
○ Device security assessment
information
○ Even AI if not now, then probably in the
future
[Diagram: any 802.1X / WPAx-Enterprise capable device connects through one port or SSID; RADIUS selects either the Office VLAN or the IoT/OT VLAN(s).]
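The VLAN decision described above, as an added example that is not part of the presentation or of Radiator: a small Python policy that combines a device registry, the controller's device classification and a posture result, and returns the RFC 2868 / RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) a NAS needs to place the port or client into a VLAN. The registry, posture data, MAC addresses and VLAN numbers are constructed stand-ins.

```python
"""Dynamic VLAN selection: the decision RADIUS returns for an 802.1X port or SSID.

Added example, not code from the presentation or from Radiator. The registry,
posture data and VLAN numbers are constructed stand-ins for a directory, a
security assessment feed and the site's VLAN plan.
"""
from dataclasses import dataclass

# RFC 2868 / RFC 3580 values a NAS expects in the Access-Accept for VLAN assignment.
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802
TAG = 1                     # tag byte shared by the three tunnel attributes

OFFICE_VLAN, IOT_VLAN, QUARANTINE_VLAN = "100", "145", "999"   # constructed VLAN plan

# Constructed source 1: device registry / directory (MAC -> owner, class).
DEVICE_REGISTRY = {
    "be-57-64-ba-85-ca": {"owner": "alice", "class": "laptop"},
    "aa-2b-0b-55-35-28": {"owner": None, "class": "sensor"},
}
# Constructed source 2: device security assessment result.
POSTURE = {"be-57-64-ba-85-ca": "compliant"}


@dataclass
class Request:
    """The parts of the Access-Request the policy looks at."""
    calling_station_id: str   # client MAC as the NAS reports it (any separator style)
    eap_method: str           # outcome of the EAP negotiation: "tls", "peap", "none" ...
    nas_classification: str   # source 3: device-type guess supplied by the NAS/controller


def normalise_mac(mac: str) -> str:
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id: str) -> dict:
    """Reply attributes as (tag, value) pairs, the way they go into an Access-Accept."""
    return {
        "Tunnel-Type": (TAG, TUNNEL_TYPE_VLAN),
        "Tunnel-Medium-Type": (TAG, TUNNEL_MEDIUM_IEEE802),
        "Tunnel-Private-Group-ID": (TAG, vlan_id),
    }


def decide(req: Request) -> tuple:
    """Return ("accept" | "reject", reply attributes), combining the three sources."""
    mac = normalise_mac(req.calling_station_id)
    record = DEVICE_REGISTRY.get(mac)
    posture = POSTURE.get(mac, "unknown")

    if record is None:
        # Unknown device: accept into a quarantine VLAN so it stays visible in accounting.
        return "accept", vlan_attributes(QUARANTINE_VLAN)
    if record["class"] == "laptop":
        # Managed user device: office VLAN only with certificate auth and a clean posture.
        if req.eap_method != "tls" or posture != "compliant":
            return "accept", vlan_attributes(QUARANTINE_VLAN)
        return "accept", vlan_attributes(OFFICE_VLAN)
    if record["class"] == "sensor":
        # Registered IoT/OT device: the NAS fingerprint must agree with the registry.
        if req.nas_classification not in ("iot", "sensor"):
            return "reject", {}
        return "accept", vlan_attributes(IOT_VLAN)
    return "reject", {}
```

The unknown-device path returns an Access-Accept into a quarantine VLAN rather than an Access-Reject, so that unregistered devices still appear in accounting; whether that is preferable to a reject is a site policy decision. The tag byte 1 is used on all three attributes; RFC 2868 treats 0 as "no tag", and some NAS implementations are particular about which they accept, so check the vendor documentation before relying on a given value.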
Enhancing Management Traffic Security with RadSec
(RADIUS over TLS)
[Diagram: Wi-Fi controller / APs and VPN/FW in the organisation network(s) send non-encrypted RADIUS over the Internet to service providers' RADIUS servers, for Wi-Fi authentication and for MFA authentication for VPN.]
● Sending non-encrypted RADIUS traffic over untrusted networks without a VPN or TLS is nowadays an even worse idea because of the BlastRADIUS vulnerability (CVE-2024-3596), which lets an on-path attacker forge responses to exchanges that lack a Message-Authenticator.
● Both RADIUS authentication and accounting requests carry plain-text attributes by default, which may contain sensitive information about users, devices and even organisation network settings.
● The larger the distance between RADIUS clients and servers, the larger the risk of leaking information or of being exposed to BlastRADIUS.
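The checks behind that point, as an added example that is not code from the presentation or from Radiator: a minimal RADIUS encoder in Python that builds an Access-Request and the server's Access-Accept, then contrasts the legacy client check (identifier match plus MD5 Response Authenticator) with the check that mitigates BlastRADIUS on plain UDP, requiring and verifying the HMAC-MD5 Message-Authenticator (RFC 2869, attribute 80) on every reply. The shared secret, identifiers and attribute values are constructed. RadSec removes the problem by wrapping the whole exchange in TLS; this shows what a UDP deployment must enforce in the meantime.

```python
"""RADIUS packet integrity: Response Authenticator vs Message-Authenticator.

Added example, not code from the presentation or from Radiator. Encodes a minimal
Access-Request / Access-Accept exchange under a constructed shared secret and
contrasts the legacy MD5 Response Authenticator check with the HMAC-MD5
Message-Authenticator check (RFC 2869, attribute 80). BlastRADIUS forges the
Response Authenticator, so a client must *require* a valid Message-Authenticator.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator (20 bytes)


def encode_attrs(attrs) -> bytes:
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += bytes([typ, len(val) + 2]) + val
    return out


def build(code, ident, authenticator, attrs, secret, with_ma=True) -> bytes:
    """Encode a packet; with_ma=True appends a Message-Authenticator computed as
    HMAC-MD5(secret, whole packet with the attribute value zeroed)."""
    if not with_ma:
        body = encode_attrs(attrs)
        return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def find_message_authenticator(pkt) -> Optional[int]:
    """Offset of the Message-Authenticator attribute, or None if absent or malformed."""
    pos = HEADER.size
    while pos + 2 <= len(pkt):
        typ, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > len(pkt):
            return None
        if typ == MESSAGE_AUTHENTICATOR and ln == 18:
            return pos
        pos += ln
    return None


def verify_message_authenticator(pkt, secret, request_authenticator: Optional[bytes] = None) -> bool:
    """For replies the HMAC is keyed over the packet with the *request* authenticator in
    the header (RFC 2869 5.14). A missing attribute is a failure, not a pass."""
    pos = find_message_authenticator(pkt)
    if pos is None:
        return False
    base = pkt if request_authenticator is None else pkt[:4] + request_authenticator + pkt[20:]
    zeroed = base[:pos + 2] + b"\x00" * 16 + base[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])


def server_reply(request, secret, code, attrs, with_ma=True) -> bytes:
    """Server side: Message-Authenticator keyed with the Request Authenticator in the header,
    then Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    req_auth = request[4:20]
    reply = build(code, request[1], req_auth, attrs, secret, with_ma)
    return reply[:4] + hashlib.md5(reply + secret).digest() + reply[20:]


def legacy_client_check(request, reply, secret) -> bool:
    """Pre-BlastRADIUS practice: identifier match plus the MD5 Response Authenticator only."""
    if len(reply) < HEADER.size or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def strict_client_check(request, reply, secret) -> bool:
    """Mitigated practice: the legacy check *and* a required, valid Message-Authenticator."""
    return legacy_client_check(request, reply, secret) and \
        verify_message_authenticator(reply, secret, request[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build(ACCESS_REQUEST, 7, os.urandom(16), [(1, b"alice"), (31, b"BE-57-64-BA-85-CA")], secret)
    good = server_reply(req, secret, ACCESS_ACCEPT, [(81, b"\x01" + b"145")])
    weak = server_reply(req, secret, ACCESS_ACCEPT, [(81, b"\x01" + b"145")], with_ma=False)
    print("reply with MA:    legacy", legacy_client_check(req, good, secret), "strict", strict_client_check(req, good, secret))
    print("reply without MA: legacy", legacy_client_check(req, weak, secret), "strict", strict_client_check(req, weak, secret))
```

Running the block shows that a reply without a Message-Authenticator passes the legacy check and fails the strict one, which is exactly the gap BlastRADIUS exploits. Two ordering details matter for interoperability: the Response Authenticator is computed after the Message-Authenticator value has been filled in, and the reply's Message-Authenticator is keyed over the packet carrying the Request Authenticator, not the Response Authenticator, in the header.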
Enhancing Management Traffic Security with RadSec
(RADIUS over TLS)
[Diagram: Wi-Fi controller / APs and VPN/FW in the organisation network(s) reach the service providers' RADIUS servers over the Internet using RadSec (RADIUS over TLS) or RADIUS over VPN, for Wi-Fi authentication and for MFA authentication for VPN.]
● With RadSec not only is the RADIUS traffic secured, but the RADIUS clients are also more securely identified, with certificates instead of a source IP address and shared secret.
● The service providers’ RADIUS server
can now better verify multiple RadSec
clients even behind Network Address
Translation (NAT) and dynamic
addresses.
● We have even measured better
authentication/accounting throughput
with RadSec than with RADIUS over
UDP with our RADIUS servers.
Protecting Network Infrastructure Access with RADIUS,
TACACS+, and Multi-Factor Authentication
[Diagram: mobile workers and VPN users reach the enterprise network over the Internet through VPN/FW; routers, switches, servers, infrastructure devices and intra-WWW services authenticate against a two-factor RADIUS / TACACS / TACACS+ AAA service, which draws on AD / LDAP, additional AAA information and additional 3rd party two-factor services.]
Protecting Network Infrastructure Access with RADIUS,
TACACS+, and Multi-Factor Authentication
● The network devices authenticate and authorise the users accessing them via a RADIUS or TACACS+ server => no shared user accounts on the devices
● Multi-Factor Authentication replaces passwords with more secure authentication => no weak passwords
● The RADIUS/TACACS+ server can then combine information from multiple sources (e.g. LDAP, Active Directory, Entra ID, SQL, 3rd party services) to authenticate and authorise a particular user to access the network device.
● All this works with most enterprise, operator and even operational technology (OT) network devices.
● There is also increasing support for securing these connections with TLS.
But what happens to your network when your Internet
connection(s) or cloud services are down?
[Diagram: organisation network(s) with VPN/FW, Wi-Fi controllers and APs, switches and routers, workstations and servers, OT networks and devices, and services using cloud identities for AAA; the links over the Internet to the cloud services (Entra ID, LDAP, RADIUS, MFA service) are marked X as unavailable.]
● Are you able to access your wired and wireless network?
● Can you log into your workstations, servers and network devices to do diagnostics?
● Do you have sealed emergency support accounts written down, stored securely and configured into network devices?
● What happens if ransomware or faulty updates hit your directory and other servers?
Adding local or hybrid AAA improves resiliency
Fault-Tolerant Distributed AAA Architecture
Supporting Connectivity Disruption
https://urn.fi/URN:NBN:fi:tuni-202209197126
● Redundant local AAA
ensures that the site
continues to function.
● Cloud services can be used
as primary or backup option
for local AAA.
● By using technologies such as EAP-TLS, which do not require constant access to outside services, services such as network connectivity can be ensured.
● MFA can also be
implemented without cloud
services with a local or
hybrid AAA model.
Improving Network Monitoring with RADIUS Authentication and
Accounting Logs
● Network devices can provide detailed
information about the devices
connecting to the network via RADIUS.
● This information is often included in the
RADIUS authentication and accounting
requests, and can then be utilised for
AAA decisions or logged for further
analysis.
● SIEMs, XDR solutions and AI analysis can
benefit from this complementing
information provided by RADIUS clients
and servers.
{
"Backend-Server": [
"fi-proxy-1.auth.fi"
],
"Called-Station-Id": "D8-B1-90-DB-F8-C0:eduroam",
"Calling-Station-Id": "BE-57-64-BA-85-CA",
"Chargeable-User-Identity-Request": "00",
"Client-IP-Address": "10.255.255.247",
"Client-Identifier": "CLIENT-IPV4-CISCO-WLC-MGMT",
"Context-Id": "5f89b13fc9affb50",
"Elapsed-Time": 0.170439395,
"Framed-IP-Address": "192.168.172.252",
"Handler": "proxy_to_eduroam",
"NAS-IP-Address": "10.255.255.247",
"NAS-Identifier": "172.16.172.52:D8-B1-90-DB-F8-C0:eduroam",
"Policy": "default",
"Result": "accept",
"Service-Type": "framed-user",
"Timestamp": "2025-03-11T18:55:15.809544+00:00",
"User-Name": "anonymous@radiatorsoftware.fi",
"cisco-avpair": [
"service-type=Framed",
"audit-session-id=F7FFFF0A000121A5845714C3",
"method=dot1x",
"addrv6=fe80::c8d:cc5:9f1:ae86",
"client-iif-id=2550141079",
"vlan-id=145",
"cisco-wlan-ssid=eduroam",
"wlan-profile-name=eduroam"
]
}
Improving Network Monitoring with RADIUS Authentication and
Accounting Logs
● For RADIUS Authentication and Accounting
data to be useful, its quality from different
vendors needs to be assured and attributes to
be standardised.
● Including the useful data within vendor specific
RADIUS attributes hinders their general use
across vendors.
● Protecting privacy makes even legitimate
tracking of sessions harder (e.g. MAC address
randomisation and anonymous identities)
● Solutions such as Chargeable-User-Identity are
needed to combine RADIUS authentication and
accounting requests into sessions.
● IPv4 and IPv6 address information from DHCP
or network devices needs to be combined with
RADIUS authentication and accounting for
improved network monitoring and auditing.
e86bff00 Thu Feb 23 14:50:10 2023 594131: DEBUG: Packet dump:
e86bff00 *** Received from 10.255.255.245 port 61503 ....
e86bff00 Code: Accounting-Request
e86bff00 Identifier: 1
e86bff00 Authentic: <167>[<8>i+<250><208><242><12>A<179><226>d<183><183>S
e86bff00 Attributes:
e86bff00 Acct-Status-Type = Start
e86bff00 NAS-IP-Address = 10.255.255.245
e86bff00 User-Name = "0001012014020013@wlan.mnc001.mcc001.3gppnetwork.org"
e86bff00 NAS-Port = 0
e86bff00 NAS-Port-Type = Wireless-IEEE-802-11
e86bff00 Calling-Station-Id = "aa2b0b553528"
e86bff00 Called-Station-Id = "6026efcdcdc4"
e86bff00 Framed-IP-Address = 172.16.145.111
e86bff00 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
e86bff00 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
e86bff00 Acct-Delay-Time = 0
e86bff00 Aruba-Essid-Name = "RS-TEST"
e86bff00 Aruba-Location-Id = "rs-aruba-ap-1"
e86bff00 Aruba-User-Vlan = 145
e86bff00 Aruba-User-Role = "RS-TEST"
e86bff00 Aruba-Device-Type = "NOFP"
e86bff00 Acct-Authentic = RADIUS
e86bff00 Service-Type = Login-User
e86bff00 NAS-Identifier = "rs-aruba-ap-1"
e86bff00
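Combining the two record shapes shown on these slides into sessions, as an added example that is not code from the presentation or from Radiator. It parses a Radiator-style packet dump into attributes, normalises the vendor-specific VLAN attributes (cisco-avpair vlan-id and Aruba-User-Vlan) and the differing MAC address formats, joins accounting Starts to accepted authentications by NAS and client MAC, and flags a Start with no matching Access-Accept as well as a NAS-reported VLAN that differs from the one RADIUS authorised. The records are constructed, loosely modelled on the samples above, with MAC addresses aligned so that they correlate; the C0-FF-EE address and bob@example.org are placeholders.

```python
"""Normalising RADIUS authentication and accounting records into sessions.
Added example, not code from the presentation or from Radiator. The records are
constructed to match the two shapes on these slides (JSON authentication log with
Cisco cisco-avpair values; Radiator packet dump with Aruba attributes)."""
import json
import re

AUTH_LOG = [  # constructed: one JSON authentication record per line
    '{"Result": "accept", "NAS-IP-Address": "10.255.255.247", "User-Name": "anonymous@radiatorsoftware.fi",'
    ' "Calling-Station-Id": "BE-57-64-BA-85-CA", "cisco-avpair": ["method=dot1x", "vlan-id=145"]}',
    '{"Result": "accept", "NAS-IP-Address": "10.255.255.247", "User-Name": "bob@example.org",'
    ' "Calling-Station-Id": "C0-FF-EE-00-00-01", "cisco-avpair": ["method=dot1x", "vlan-id=145"]}',
]
ACCT_DUMPS = """e86bff00 Code: Accounting-Request
e86bff00 Acct-Status-Type = Start
e86bff00 NAS-IP-Address = 10.255.255.247
e86bff00 Calling-Station-Id = "be5764ba85ca"
e86bff00 Framed-IP-Address = 192.168.172.252
e86bff00 Acct-Session-Id = "F7FFFF0A000121A5"
e86bff00 cisco-avpair = "vlan-id=145"

e86bff01 Code: Accounting-Request
e86bff01 Acct-Status-Type = Start
e86bff01 NAS-IP-Address = 10.255.255.245
e86bff01 Calling-Station-Id = "aa2b0b553528"
e86bff01 Framed-IP-Address = 172.16.145.111
e86bff01 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
e86bff01 Aruba-User-Vlan = 145

e86bff02 Code: Accounting-Request
e86bff02 Acct-Status-Type = Start
e86bff02 NAS-IP-Address = 10.255.255.247
e86bff02 Calling-Station-Id = "c0ffee000001"
e86bff02 Framed-IP-Address = 192.168.100.7
e86bff02 Acct-Session-Id = "F7FFFF0A000121A6"
e86bff02 cisco-avpair = "vlan-id=100"
""".split("\n\n")  # constructed: one packet dump per blank-line-separated chunk


def normalise_mac(raw: str):
    """'BE-57-64-BA-85-CA' and 'be5764ba85ca' -> 'be:57:64:ba:85:ca'; None if not a MAC."""
    hexd = re.sub(r"[^0-9a-f]", "", raw.lower())
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)) if len(hexd) == 12 else None


def parse_dump(text: str) -> dict:
    """Turn 'ctx Attribute = value' dump lines into a dict; repeated attributes become lists."""
    rec: dict = {}
    for raw in text.splitlines():
        line = re.sub(r"^[0-9a-f]{8}\s*", "", raw.strip())   # drop the Radiator context id
        if line.startswith("Code:"):
            rec["Code"] = line.split(":", 1)[1].strip()
            continue
        m = re.match(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$", line)
        if not m:
            continue                                           # "Attributes:", "Authentic:" ...
        key, val = m.group(1), m.group(2).strip().strip('"')
        rec[key] = val if key not in rec else (
            rec[key] if isinstance(rec[key], list) else [rec[key]]) + [val]
    return rec


def vlan_of(rec: dict):
    """One VLAN value out of vendor-specific attributes (Aruba-User-Vlan, cisco-avpair vlan-id)."""
    if "Aruba-User-Vlan" in rec:
        return int(rec["Aruba-User-Vlan"])
    avpairs = rec.get("cisco-avpair", [])
    for av in ([avpairs] if isinstance(avpairs, str) else avpairs):
        key, _, value = av.partition("=")
        if key == "vlan-id":
            return int(value)
    return None


def correlate(auth_lines, acct_dumps):
    """Join accounting Starts to accepted authentications by (NAS, MAC); return sessions, findings."""
    accepted = {}
    for line in auth_lines:
        a = json.loads(line)
        if a.get("Result") == "accept":
            accepted[(a["NAS-IP-Address"], normalise_mac(a["Calling-Station-Id"]))] = a
    sessions, findings = {}, []
    for dump in acct_dumps:
        r = parse_dump(dump)
        if r.get("Code") != "Accounting-Request":
            continue
        key = (r["NAS-IP-Address"], normalise_mac(r["Calling-Station-Id"]))
        sid, status = r["Acct-Session-Id"], r.get("Acct-Status-Type")
        if status == "Start":
            auth = accepted.get(key)
            if auth is None:
                findings.append(f"{sid}: accounting Start without Access-Accept for {key[1]} on {key[0]}")
            elif vlan_of(auth) not in (None, vlan_of(r)):
                findings.append(f"{sid}: NAS put {key[1]} in VLAN {vlan_of(r)}, RADIUS authorised {vlan_of(auth)}")
            sessions[sid] = {"nas": key[0], "mac": key[1], "ip": r.get("Framed-IP-Address"),
                             "vlan": vlan_of(r), "user": (auth or r).get("User-Name")}
        elif status == "Stop" and sessions.pop(sid, None) is None:
            findings.append(f"{sid}: accounting Stop without a matching Start")
    return sessions, findings


def who_had_ip(sessions: dict, ip: str) -> list:
    """The audit question: which client MAC(s) held this address according to accounting."""
    return [s["mac"] for s in sessions.values() if s["ip"] == ip]
```

The join key is (NAS, normalised MAC) rather than User-Name because, as the slide notes, anonymous outer identities and MAC randomisation make identity-based correlation unreliable; in a real deployment the join would add Acct-Session-Id or Chargeable-User-Identity where the NAS and home server supply them, and would take the IP-to-client mapping from DHCP where Framed-IP-Address is absent.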
Conclusion: RADIUS in Action
1. Stronger Authentication: Replacing passwords with certificate-based authentication
enhances security and usability.
2. Network Access Control: 802.1X and VLANs effectively segment and secure network access, limiting unauthorised lateral movement.
3. Management Traffic Security: RadSec (RADIUS over TLS) protects sensitive RADIUS
communications from interception and modification.
4. Infrastructure Protection: Combining RADIUS, TACACS+, and Multi-Factor
Authentication ensures secure and accountable access to critical network devices.
5. Resilient Network Operations: Local and hybrid AAA solutions help maintain network
access even when cloud services or Internet connectivity fail.
6. Improved Monitoring & Visibility: Leveraging RADIUS authentication and accounting
logs enhances network monitoring, security insights, and anomaly detection.
Ad

More Related Content

Similar to RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure (20)

Radius1
Radius1Radius1
Radius1
balamurugan.k Kalibalamurugan
 
08 WLAN Network Admission Control (NAC).pptx
08 WLAN Network Admission Control (NAC).pptx08 WLAN Network Admission Control (NAC).pptx
08 WLAN Network Admission Control (NAC).pptx
VannakSovannroth
 
EAP-TLS
EAP-TLSEAP-TLS
EAP-TLS
Karri Huhtanen
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
Sagar Gor
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAA
Karri Huhtanen
 
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Digital Transformation EXPO Event Series
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
European Collaboration Summit
 
Aerohive BR100 Branch Router
Aerohive BR100 Branch RouterAerohive BR100 Branch Router
Aerohive BR100 Branch Router
Aerohive Networks
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
Mohamed Daif
 
NetScaler 11 Update
NetScaler 11 UpdateNetScaler 11 Update
NetScaler 11 Update
MarketingArrowECS_CZ
 
2500 controller
2500 controller2500 controller
2500 controller
MansoorAhmed57263
 
Towards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization InfrastructuresTowards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization Infrastructures
Diego Kreutz
 
Colubris Basic Customer Presentation
Colubris Basic Customer PresentationColubris Basic Customer Presentation
Colubris Basic Customer Presentation
daten
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+
Netwax Lab
 
WiFi Hotspot Password
WiFi Hotspot PasswordWiFi Hotspot Password
WiFi Hotspot Password
Maryam Namira
 
Ruckus brief customer_Medley
Ruckus brief customer_MedleyRuckus brief customer_Medley
Ruckus brief customer_Medley
Medley India Infosolution Pvt Ltd
 
TekRADIUS applications
TekRADIUS applicationsTekRADIUS applications
TekRADIUS applications
Yasin KAPLAN
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
FNian
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
08 WLAN Network Admission Control (NAC).pptx
08 WLAN Network Admission Control (NAC).pptx08 WLAN Network Admission Control (NAC).pptx
08 WLAN Network Admission Control (NAC).pptx
VannakSovannroth
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
Sagar Gor
 
Security issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAASecurity issues in RADIUS based Wi-Fi AAA
Security issues in RADIUS based Wi-Fi AAA
Karri Huhtanen
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
European Collaboration Summit
 
Aerohive BR100 Branch Router
Aerohive BR100 Branch RouterAerohive BR100 Branch Router
Aerohive BR100 Branch Router
Aerohive Networks
 
Towards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization InfrastructuresTowards Secure and Dependable Authentication and Authorization Infrastructures
Towards Secure and Dependable Authentication and Authorization Infrastructures
Diego Kreutz
 
Colubris Basic Customer Presentation
Colubris Basic Customer PresentationColubris Basic Customer Presentation
Colubris Basic Customer Presentation
daten
 
Radius vs. Tacacs+
Radius vs. Tacacs+Radius vs. Tacacs+
Radius vs. Tacacs+
Netwax Lab
 
WiFi Hotspot Password
WiFi Hotspot PasswordWiFi Hotspot Password
WiFi Hotspot Password
Maryam Namira
 
TekRADIUS applications
TekRADIUS applicationsTekRADIUS applications
TekRADIUS applications
Yasin KAPLAN
 
E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005E Snet Raf Essc Jan2005
E Snet Raf Essc Jan2005
FNian
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 

More from Radiator Software (10)

SIM Authentication Architectures and Interfaces
SIM Authentication Architectures and InterfacesSIM Authentication Architectures and Interfaces
SIM Authentication Architectures and Interfaces
Radiator Software
 
openroaming-and-capport-2023-01-30.pdf
openroaming-and-capport-2023-01-30.pdfopenroaming-and-capport-2023-01-30.pdf
openroaming-and-capport-2023-01-30.pdf
Radiator Software
 
Suomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistuksetSuomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistukset
Radiator Software
 
Adding OpenRoaming to existing IDP and roaming federation service
Adding OpenRoaming to existing IDP and roaming federation serviceAdding OpenRoaming to existing IDP and roaming federation service
Adding OpenRoaming to existing IDP and roaming federation service
Radiator Software
 
OpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for AllOpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for All
Radiator Software
 
Fault-tolerant distributed AAA architecture supporting connectivity disruption
Fault-tolerant distributed AAA architecture supporting connectivity disruptionFault-tolerant distributed AAA architecture supporting connectivity disruption
Fault-tolerant distributed AAA architecture supporting connectivity disruption
Radiator Software
 
Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Portfolio Updates webinar, 8th and 10th of March 2022Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Software
 
Routing host certificates in eduroam
Routing host certificates in eduroamRouting host certificates in eduroam
Routing host certificates in eduroam
Radiator Software
 
TNC19 Radiator Technical Workshop -- Meet Radiator developers
TNC19 Radiator Technical Workshop --  Meet Radiator developersTNC19 Radiator Technical Workshop --  Meet Radiator developers
TNC19 Radiator Technical Workshop -- Meet Radiator developers
Radiator Software
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
Radiator Software
 
SIM Authentication Architectures and Interfaces
SIM Authentication Architectures and InterfacesSIM Authentication Architectures and Interfaces
SIM Authentication Architectures and Interfaces
Radiator Software
 
openroaming-and-capport-2023-01-30.pdf
openroaming-and-capport-2023-01-30.pdfopenroaming-and-capport-2023-01-30.pdf
openroaming-and-capport-2023-01-30.pdf
Radiator Software
 
Suomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistuksetSuomen eduroam-juuripalvelun uudistukset
Suomen eduroam-juuripalvelun uudistukset
Radiator Software
 
Adding OpenRoaming to existing IDP and roaming federation service
Adding OpenRoaming to existing IDP and roaming federation serviceAdding OpenRoaming to existing IDP and roaming federation service
Adding OpenRoaming to existing IDP and roaming federation service
Radiator Software
 
OpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for AllOpenRoaming -- Wi-Fi Roaming for All
OpenRoaming -- Wi-Fi Roaming for All
Radiator Software
 
Fault-tolerant distributed AAA architecture supporting connectivity disruption
Fault-tolerant distributed AAA architecture supporting connectivity disruptionFault-tolerant distributed AAA architecture supporting connectivity disruption
Fault-tolerant distributed AAA architecture supporting connectivity disruption
Radiator Software
 
Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Portfolio Updates webinar, 8th and 10th of March 2022Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Portfolio Updates webinar, 8th and 10th of March 2022
Radiator Software
 
Routing host certificates in eduroam
Routing host certificates in eduroamRouting host certificates in eduroam
Routing host certificates in eduroam
Radiator Software
 
TNC19 Radiator Technical Workshop -- Meet Radiator developers
TNC19 Radiator Technical Workshop --  Meet Radiator developersTNC19 Radiator Technical Workshop --  Meet Radiator developers
TNC19 Radiator Technical Workshop -- Meet Radiator developers
Radiator Software
 
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
TNC19 Radiator Technical Workshop -- Using Radiator to ensure better SP/IdP c...
Radiator Software
 
Ad

Recently uploaded (20)

How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Ad

RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure

  • 1. RADIUS in Action: Securing, Monitoring and Protecting Network Infrastructure Karri Huhtanen (Radiator Software) RADIUS Conference 2025, 13th of March 2025, Tampere, Finland
  • 2. Contents ● Introduction ● Certificate-Based Authentication: Replacing Usernames and Passwords ● Securing Network Port Access with 802.1X and VLANs ● Enhancing Management Traffic Security with RadSec (RADIUS over TLS) ● Protecting Network Infrastructure Access with RADIUS, TACACS+, and Multi-Factor Authentication ● Ensuring Network Resilience without Internet or Cloud Dependency ● Improving Network Monitoring with RADIUS Authentication and Accounting Logs ● Conclusion
  • 3. Introduction ● Usernames and passwords are getting harder to secure and harder to use – for the better or worse. ● Non-authenticated ports and non-segmented networks enable attackers to both gain access and move laterally in the network with minimal resistance and risk of detection. ● Unprotected RADIUS traffic can be captured, modified and tracked. ● Multi-Factor Authentication (MFA) and RADIUS/Tacacs+ Authorisation helps to secure network device access, but what happens when your MFA service or Active Directory is down? ● In addition to control, RADIUS can also provide information to monitor network better, detect and locate anomalies.
4. Certificate-Based Authentication: Replacing Usernames and Passwords
● Usernames and passwords can be guessed, phished, copied or stolen.
● MFA adds some protection, but the user can be tricked into bypassing it. It is also not very practical for repeated network authentications.
● Certificate-Based Authentication (EAP-TLS) has been around since 1999 (RFC 2716) and has been updated several times (2008, RFC 5216; 2022, RFC 9190) to include new TLS versions and other enhancements.
● With EAP-TLS and trusted platform modules (TPMs) in modern devices, both the credentials and the network access in wired and wireless networks can be secured: a private key generated in the TPM cannot be copied off the device the way a password can.
● For provisioning of the certificates there are multiple services and solutions available, especially for managed devices, but for non-managed devices the certificate and configuration provisioning is still harder.
5. Securing Network Port Access with 802.1X and VLANs
So, in 2003, at the TERENA Networking Conference in Zagreb (Croatia), there was this guy from the Netherlands presenting 802.1X, dynamic VLAN allocation and roaming ...
6. Securing Network Port Access with 802.1X and VLANs
● 802.1X and dynamic VLAN selection worked then and work now, both in wired and wireless networks.
● VLANs are used for network/device segmentation; 802.1X is used for port/VLAN authentication.
● Every device sees a single port or a single Wi-Fi network, but which VLAN the device lands in is determined by RADIUS (returned in the Access-Accept as the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes).
● RADIUS can utilise and combine multiple sources of information for the decision, for example:
○ Device registry / directory services
○ Device identification/classification by network devices (e.g. Wi-Fi controllers)
○ Device security assessment information
○ Even AI: if not now, then probably in the future
[Figure: any 802.1X / WPAx-Enterprise capable device connects through one port or SSID; RADIUS places it in the Office VLAN or the IoT/OT VLAN(s).]
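As an added example, not from the presentation and not Radiator code, the following Python shows the server side of dynamic VLAN selection: a policy that combines a device registry, a classification hint from the controller and a posture flag, and the RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN) it returns in the Access-Accept, together with the decoding a NAS performs. The VLAN numbers, MAC addresses, registry entries and the request keys device_class and posture are assumptions made for the example.

```python
"""Dynamic VLAN selection in a RADIUS server, as an added example (not the
presentation's or Radiator's code). A policy combines a device registry, a
classification hint from the NAS/controller and a posture flag, then encodes
the RFC 2868 tunnel attributes that an 802.1X switch or Wi-Fi controller turns
into a VLAN. All MACs, VLAN numbers and request keys are made up."""
import struct
from typing import Dict, List, Optional, Tuple

# Attribute numbers and enumerated values from RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed VLAN plan and device registry (hypothetical values).
VLANS = {"office": 145, "iot": 146, "ot": 147, "quarantine": 999}
DEVICE_REGISTRY = {
    "aa:bb:cc:00:11:22": {"owner": "alice", "class": "laptop"},
    "aa:bb:cc:00:11:33": {"owner": "bms", "class": "plc"},
}


def normalise_mac(mac: str) -> str:
    """Accept the formats NASes use in Calling-Station-Id (AA-BB-.., aabb.., aa:bb..)."""
    hexd = "".join(c for c in mac if c.isalnum()).lower()
    if len(hexd) != 12 or any(c not in "0123456789abcdef" for c in hexd):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))


def select_vlan(request: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Policy decision: (label, vlan) for an Access-Accept, None for Access-Reject.

    'Calling-Station-Id' is the RADIUS attribute; 'device_class' (hint from the
    controller) and 'posture' (security assessment) are constructed keys."""
    entry = DEVICE_REGISTRY.get(normalise_mac(request["Calling-Station-Id"]))
    hint = request.get("device_class")
    if entry is None and hint is None:
        return None                                  # unknown device: reject
    if entry and entry["class"] == "plc":
        return "ot", VLANS["ot"]                     # OT gear is segmented first
    if hint in ("camera", "sensor", "printer") or (entry and entry["class"] == "iot"):
        return "iot", VLANS["iot"]
    if entry and entry["class"] == "laptop" and request.get("posture") == "compliant":
        return "office", VLANS["office"]
    return "quarantine", VLANS["quarantine"]        # known but unverified: remediation VLAN


def _avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, total length, value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_reply_attributes(vlan: int, tag: int = 1) -> bytes:
    """The three tagged tunnel attributes a NAS needs to put the port into `vlan`."""
    if not 1 <= vlan <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("bad VLAN or tag")
    t = bytes([tag])
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode()))


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def vlan_from_attributes(data: bytes) -> Optional[int]:
    """What the NAS does: group tunnel attributes by tag and accept a complete VLAN set."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in decode_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # First octet is a tag only if it is 0x00..0x1F (RFC 2868 section 3).
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode())
    return None


if __name__ == "__main__":
    decision = select_vlan({"Calling-Station-Id": "AA-BB-CC-00-11-22", "posture": "compliant"})
    label, vlan = decision
    print(label, vlan, vlan_from_attributes(vlan_reply_attributes(vlan)))
```

The tag octet is easy to get wrong in practice: all three attributes must carry the same tag (or all be untagged), otherwise many switches silently ignore the VLAN and leave the port in its default VLAN, which is a quiet policy failure rather than a visible error.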
7. Enhancing Management Traffic Security with RadSec (RADIUS over TLS)
[Figure: organisation network(s) behind a VPN/FW, with a Wi-Fi controller / APs (Wi-Fi authentication) and MFA authentication for VPN sending non-encrypted RADIUS over the Internet to the service providers' RADIUS servers.]
● Sending non-encrypted RADIUS traffic over untrusted networks without a VPN or TLS is nowadays an even worse idea because of the BlastRADIUS vulnerability (CVE-2024-3596), which lets an on-path attacker forge an Access-Accept for non-EAP authentication methods by exploiting the MD5-based Response Authenticator.
● Both RADIUS authentication and accounting requests carry their attributes in plain text by default (only User-Password and a few other password and key attributes are obfuscated with the shared secret), and these attributes may contain sensitive information about the users, devices and even organisation network settings.
● The larger the distance between RADIUS clients and servers, the larger the risk of leaking information or of being vulnerable to BlastRADIUS.
8. Enhancing Management Traffic Security with RadSec (RADIUS over TLS)
[Figure: the same topology, now with RadSec (RADIUS over TLS) or RADIUS over VPN between the organisation and the service providers' RADIUS servers.]
● With RadSec not only is the RADIUS traffic secured, but the RADIUS clients are also more securely identified, with certificates instead of a shared secret bound to a source IP address.
● The service providers' RADIUS server can now better verify multiple RadSec clients, even behind Network Address Translation (NAT) and dynamic addresses.
● We have even measured better authentication/accounting throughput with RadSec than with RADIUS over UDP with our RADIUS servers.
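To make the points of the two slides above concrete, here is an added example (not from the presentation and not Radiator code) of what the shared-secret MD5 constructions in RADIUS over UDP actually protect. A NAS builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies and a Message-Authenticator as RFC 2869 section 5.14 specifies, the server answers with an Access-Accept, and the client performs the checks that matter after BlastRADIUS: a valid Response Authenticator alone is not sufficient, so a Message-Authenticator must be present and valid in the response. The shared secret, user name, password and NAS address are constructed; the functions are named for this example only.

```python
"""RADIUS over UDP integrity, as an added example (not the presentation's or
Radiator's code). Builds an Access-Request the way a NAS does, builds the
server's Access-Accept, and shows the client-side checks. Secrets, names
and addresses below are constructed."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def readable_attributes(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Everything after the 20-byte header is plain text on the wire."""
    out, i = [], 20
    while i < len(pkt):
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block XORed with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """The inverse: a packet capture plus the shared secret yields the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _with_message_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Prepend Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed).
    For responses the HMAC is computed with the *request* authenticator in the header."""
    header = struct.pack("!BBH", code, ident, 20 + 18 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16) + attrs, "md5").digest()
    return header + avp(MESSAGE_AUTHENTICATOR, mac) + attrs


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes, nas_ip: str) -> Tuple[bytes, bytes]:
    """NAS side: random Request Authenticator, hidden password, Message-Authenticator first."""
    req_auth = os.urandom(16)
    attrs = (avp(USER_NAME, user)
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth


def build_access_accept(ident: int, req_auth: bytes, attrs: bytes, secret: bytes, with_ma: bool = True) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3).
    with_ma=False mimics a legacy server that omits the Message-Authenticator."""
    if with_ma:
        pkt = _with_message_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret)
    else:
        pkt = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + req_auth + attrs
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def verify_response(pkt: bytes, req_auth: bytes, secret: bytes, require_ma: bool = True) -> Optional[str]:
    """Client-side checks; returns None if the response is acceptable, else the reason."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "length mismatch"
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "bad Response Authenticator"
    i, ma_at = 20, None
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            return "malformed attribute"
        if pkt[i] == MESSAGE_AUTHENTICATOR and pkt[i + 1] == 18:
            ma_at = i
        i += pkt[i + 1]
    if ma_at is None:   # plain MD5 is forgeable by an on-path attacker (BlastRADIUS)
        return "no Message-Authenticator" if require_ma else None
    zeroed = pkt[:4] + req_auth + pkt[20:ma_at + 2] + b"\x00" * 16 + pkt[ma_at + 18:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), pkt[ma_at + 2:ma_at + 18]):
        return "bad Message-Authenticator"
    return None
```

Two things follow from running this. First, every attribute except the password is readable to anyone on the path, and the password itself falls out as soon as the shared secret is known, which is exactly the exposure RadSec or a VPN removes. Second, a client that does not insist on the Message-Authenticator (the require_ma flag here, the equivalent of the "require Message-Authenticator" settings vendors added after BlastRADIUS) accepts a legacy response whose only protection is the MD5 Response Authenticator.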
9. Protecting Network Infrastructure Access with RADIUS, TACACS+, and Multi-Factor Authentication
[Figure: an enterprise network behind a VPN/FW, containing routers, switches, servers, infrastructure devices and intra-WWW services; mobile workers and VPN users connecting from the Internet; a two-factor RADIUS / TACACS / TACACS+ AAA service backed by AD / LDAP, additional AAA information and additional 3rd-party two-factor services.]
10. Protecting Network Infrastructure Access with RADIUS, TACACS+, and Multi-Factor Authentication
● The network devices authenticate and authorise the users accessing them via a RADIUS or TACACS+ server => no shared user accounts.
● Multi-Factor Authentication replaces passwords with more secure authentication => no weak passwords.
● The RADIUS/TACACS+ server can then combine information from multiple sources (e.g. LDAP, Active Directory, Entra ID, SQL, 3rd-party services) to authenticate and authorise a particular user to access the network device.
● All this works with most enterprise, operator and even operational technology (OT) network devices.
● There is also increasing support for securing these AAA connections themselves with TLS for added security.
11. But what happens to your network when your Internet connection(s) or cloud services are down?
[Figure: organisation network(s) behind a VPN/FW with Wi-Fi controllers and APs, switches and routers, workstations and servers, OT networks and devices, and services using cloud identities for AAA; the links to the cloud services (Entra ID, LDAP, RADIUS, MFA service ...) are marked with an X.]
● Are you able to access your wired and wireless network?
● Can you log into your workstations, servers and network devices to do diagnostics?
● Do you have sealed emergency support accounts written down, stored securely and configured into network devices?
● What happens if ransomware or faulty updates hit your directory and other servers?
12. Adding local or hybrid AAA improves resiliency
Fault-Tolerant Distributed AAA Architecture Supporting Connectivity Disruption: https://urn.fi/URN:NBN:fi:tuni-202209197126
● Redundant local AAA ensures that the site continues to function.
● Cloud services can be used as the primary or the backup option for local AAA.
● By using technologies such as EAP-TLS, which do not require constant access to outside services (certificate validation needs only the locally held CA chain and revocation data), services such as network connectivity can be ensured.
● MFA can also be implemented without cloud services with a local or hybrid AAA model.
13. Improving Network Monitoring with RADIUS Authentication and Accounting Logs
● Network devices can provide detailed information about the devices connecting to the network via RADIUS.
● This information is often included in the RADIUS authentication and accounting requests, and can then be utilised for AAA decisions or logged for further analysis.
● SIEMs, XDR solutions and AI analysis can benefit from this complementing information provided by RADIUS clients and servers.

Example authentication log record (JSON):

```json
{
  "Backend-Server": [ "fi-proxy-1.auth.fi" ],
  "Called-Station-Id": "D8-B1-90-DB-F8-C0:eduroam",
  "Calling-Station-Id": "BE-57-64-BA-85-CA",
  "Chargeable-User-Identity-Request": "00",
  "Client-IP-Address": "10.255.255.247",
  "Client-Identifier": "CLIENT-IPV4-CISCO-WLC-MGMT",
  "Context-Id": "5f89b13fc9affb50",
  "Elapsed-Time": 0.170439395,
  "Framed-IP-Address": "192.168.172.252",
  "Handler": "proxy_to_eduroam",
  "NAS-IP-Address": "10.255.255.247",
  "NAS-Identifier": "172.16.172.52:D8-B1-90-DB-F8-C0:eduroam",
  "Policy": "default",
  "Result": "accept",
  "Service-Type": "framed-user",
  "Timestamp": "2025-03-11T18:55:15.809544+00:00",
  "User-Name": "[email protected]",
  "cisco-avpair": [
    "service-type=Framed",
    "audit-session-id=F7FFFF0A000121A5845714C3",
    "method=dot1x",
    "addrv6=fe80::c8d:cc5:9f1:ae86",
    "client-iif-id=2550141079",
    "vlan-id=145",
    "cisco-wlan-ssid=eduroam",
    "wlan-profile-name=eduroam"
  ]
}
```
14. Improving Network Monitoring with RADIUS Authentication and Accounting Logs
● For RADIUS Authentication and Accounting data to be useful, its quality from different vendors needs to be assured and the attributes need to be standardised.
● Including the useful data within vendor-specific RADIUS attributes hinders their general use across vendors.
● Protecting privacy makes even legitimate tracking of sessions harder (e.g. MAC address randomisation and anonymous outer identities).
● Solutions such as Chargeable-User-Identity (CUI, RFC 4372) are needed to combine RADIUS authentication and accounting requests into sessions.
● IPv4 and IPv6 address information from DHCP or network devices needs to be combined with RADIUS authentication and accounting for improved network monitoring and auditing.

Example accounting request as seen in a RADIUS server debug log:

```text
e86bff00 Thu Feb 23 14:50:10 2023 594131: DEBUG: Packet dump:
e86bff00 *** Received from 10.255.255.245 port 61503 ....
e86bff00 Code: Accounting-Request
e86bff00 Identifier: 1
e86bff00 Authentic: <167>[<8>i+<250><208><242><12>A<179><226>d<183><183>S
e86bff00 Attributes:
e86bff00 Acct-Status-Type = Start
e86bff00 NAS-IP-Address = 10.255.255.245
e86bff00 User-Name = "[email protected]"
e86bff00 NAS-Port = 0
e86bff00 NAS-Port-Type = Wireless-IEEE-802-11
e86bff00 Calling-Station-Id = "aa2b0b553528"
e86bff00 Called-Station-Id = "6026efcdcdc4"
e86bff00 Framed-IP-Address = 172.16.145.111
e86bff00 Acct-Multi-Session-Id = "AA2B0B553528-1677156607"
e86bff00 Acct-Session-Id = "6026EF5CDC55-AA2B0B553528-63F76102-8F448"
e86bff00 Acct-Delay-Time = 0
e86bff00 Aruba-Essid-Name = "RS-TEST"
e86bff00 Aruba-Location-Id = "rs-aruba-ap-1"
e86bff00 Aruba-User-Vlan = 145
e86bff00 Aruba-User-Role = "RS-TEST"
e86bff00 Aruba-Device-Type = "NOFP"
e86bff00 Acct-Authentic = RADIUS
e86bff00 Service-Type = Login-User
e86bff00 NAS-Identifier = "rs-aruba-ap-1"
```
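Slides 13 and 14 describe the joins a monitoring pipeline has to make; the following Python is an added example of those joins and is not the presentation's or Radiator's code. It parses a packet dump in the debug format shown above, normalises the differing vendor MAC formats (Cisco's BE-57-64-BA-85-CA versus Aruba's be5764ba85ca), keys sessions on Chargeable-User-Identity (RFC 4372) where present so that an anonymous outer identity and a randomised MAC still correlate, reads the VLAN from either Aruba-User-Vlan or the Cisco vlan-id AV pair, and flags accounting that has no accepted authentication behind it. Both inputs are constructed for the example (the MACs, IPs, CUI values, names and timestamps are made up) and only follow the key names and layout of the page's samples.

```python
"""RADIUS authentication (JSON) and accounting (packet dump) records joined
into sessions, as an added example; it is not the presentation's or Radiator's
code. The record keys follow slide 13 and the dump format follows slide 14, but
the data below is constructed: MACs, IPs, CUI values and names are made up."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

AUTH_LOG = json.loads("""[
 {"Timestamp": "2025-03-11T18:55:15+00:00", "Result": "accept",
  "User-Name": "anonymous@example.org", "Chargeable-User-Identity": "c0ffee01",
  "Calling-Station-Id": "BE-57-64-BA-85-CA", "Called-Station-Id": "D8-B1-90-DB-F8-C0:eduroam",
  "cisco-avpair": ["method=dot1x", "vlan-id=145", "cisco-wlan-ssid=eduroam"]},
 {"Timestamp": "2025-03-11T18:56:02+00:00", "Result": "reject",
  "User-Name": "bob@example.org", "Calling-Station-Id": "D8-B1-90-11-22-33"}
]""")

ACCT_DUMP = """\
e86bff00 Tue Mar 11 18:55:16 2025 594131: DEBUG: Packet dump:
e86bff00 *** Received from 10.255.255.245 port 61503 ....
e86bff00 Code: Accounting-Request
e86bff00 Attributes:
e86bff00 Acct-Status-Type = Start
e86bff00 Calling-Station-Id = "be5764ba85ca"
e86bff00 Chargeable-User-Identity = "c0ffee01"
e86bff00 Framed-IP-Address = 172.16.145.111
e86bff00 Acct-Session-Id = "6026EF5CDC55-BE5764BA85CA-63F76102-8F448"
e86bff00 Aruba-User-Vlan = 145
e86bff01 Tue Mar 11 18:56:30 2025 594132: DEBUG: Packet dump:
e86bff01 Code: Accounting-Request
e86bff01 Attributes:
e86bff01 Acct-Status-Type = Start
e86bff01 Calling-Station-Id = "d8b190112233"
e86bff01 Framed-IP-Address = 172.16.145.112
e86bff01 Acct-Session-Id = "6026EF5CDC55-D8B190112233-63F76120-8F449"
e86bff01 Aruba-User-Vlan = 145
"""

# "<context id> <Attribute-Name> = <value>"; header lines have no "=" after the name.
ATTR_LINE = re.compile(r"^[0-9a-f]{8}\s+([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_packet_dump(text: str) -> List[Dict[str, object]]:
    """One dict per packet; quoted values unquoted, repeated attributes kept as lists."""
    packets: List[Dict[str, object]] = []
    for line in text.splitlines():
        if "Code:" in line:
            packets.append({"Code": line.split("Code:", 1)[1].strip()})
            continue
        m = ATTR_LINE.match(line)
        if not m or not packets:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pkt = packets[-1]
        pkt[name] = ([*pkt[name], value] if isinstance(pkt.get(name), list)
                     else [pkt[name], value] if name in pkt else value)
    return packets


def mac_key(mac: str) -> Optional[str]:
    """Normalise AA-BB-CC-DD-EE-FF / aabbccddeeff / aa:bb:.. to one lowercase form."""
    hexd = "".join(c for c in mac if c.isalnum()).lower()
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)) if len(hexd) == 12 else None


def is_randomised_mac(mac: str) -> bool:
    """Locally administered bit (0x02 of the first octet): what OS MAC randomisation sets."""
    key = mac_key(mac)
    return key is not None and bool(int(key[:2], 16) & 0x02)


def vlan_of(rec: Dict[str, object]) -> Optional[str]:
    """Read the VLAN from an Aruba attribute or a Cisco AV pair; the vendor forms differ."""
    if "Aruba-User-Vlan" in rec:
        return str(rec["Aruba-User-Vlan"])
    pairs = rec.get("cisco-avpair", [])
    for pair in [pairs] if isinstance(pairs, str) else pairs:
        if pair.startswith("vlan-id="):
            return pair.split("=", 1)[1]
    return None


def session_key(rec: Dict[str, object]) -> str:
    """Prefer the CUI, which survives anonymous outer identities and randomised MACs."""
    return str(rec.get("Chargeable-User-Identity") or mac_key(str(rec["Calling-Station-Id"])))


def build_sessions(auth_records: list, acct_packets: list) -> Dict[str, Dict[str, list]]:
    sessions: Dict[str, Dict[str, list]] = defaultdict(lambda: {"auth": [], "acct": []})
    for rec in auth_records:
        sessions[session_key(rec)]["auth"].append(rec)
    for pkt in acct_packets:
        sessions[session_key(pkt)]["acct"].append(pkt)
    return dict(sessions)


def summarise(sess: Dict[str, list]) -> Dict[str, object]:
    """Fields a SIEM would index; IP comes from accounting, VLAN from whichever side has it."""
    recs = sess["auth"] + sess["acct"]
    macs = {m for m in (mac_key(str(r["Calling-Station-Id"])) for r in recs) if m}
    return {
        "users": sorted({str(r["User-Name"]) for r in sess["auth"]}),
        "macs": sorted(macs),
        "randomised_mac": any(is_randomised_mac(m) for m in macs),
        "ips": sorted({str(p["Framed-IP-Address"]) for p in sess["acct"] if "Framed-IP-Address" in p}),
        "vlan": next((v for v in map(vlan_of, recs) if v), None),
    }


def find_anomalies(sessions: Dict[str, Dict[str, list]]) -> List[Tuple[str, str]]:
    """Accounting with no accepted authentication, or one identity on several MACs."""
    out = []
    for key, sess in sessions.items():
        if sess["acct"] and not any(a.get("Result") == "accept" for a in sess["auth"]):
            out.append((key, "accounting without accepted authentication"))
        if len(summarise(sess)["macs"]) > 1:
            out.append((key, "one identity seen from several MAC addresses"))
    return out
```

The second session in the sample is the interesting one: the only authentication for that MAC was a reject, yet an Accounting-Request Start with a Framed-IP-Address arrives, which is exactly the kind of discrepancy (misconfigured NAS, MAC bypass, or a rogue client) that only shows up once authentication and accounting are joined.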
15. Conclusion: RADIUS in Action
1. Stronger Authentication: Replacing passwords with certificate-based authentication enhances security and usability.
2. Network Access Control: 802.1X and VLANs effectively segment and secure network access, preventing unauthorized lateral movement.
3. Management Traffic Security: RadSec (RADIUS over TLS) protects sensitive RADIUS communications from interception and modification.
4. Infrastructure Protection: Combining RADIUS, TACACS+, and Multi-Factor Authentication ensures secure and accountable access to critical network devices.
5. Resilient Network Operations: Local and hybrid AAA solutions help maintain network access even when cloud services or Internet connectivity fail.
6. Improved Monitoring & Visibility: Leveraging RADIUS authentication and accounting logs enhances network monitoring, security insights, and anomaly detection.