RadSec is a protocol for transporting RADIUS datagrams over TCP and TLS.
The RADIUS protocol is a widely deployed authentication and authorization protocol. The supplementary RADIUS Accounting specification[1] adds accounting mechanisms, making it a full AAA protocol solution. However, RADIUS has two substantial shortcomings. Essentially all data is sent "in the clear", which has privacy implications: MAC addresses and user names can be leaked, and users can potentially be geolocated. The data that is obfuscated is protected only by ad hoc constructions built on the MD5 algorithm, which has been shown to be insecure. All packet authentication is likewise based on MD5.
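To make the MD5 constructions referred to above concrete, the following is an added Python example (not code from the article or from any RADIUS implementation) of the two mechanisms defined in RFC 2865: User-Password hiding and the Response Authenticator. The shared secret and the Request Authenticator are constructed sample values; a real client draws the Request Authenticator from a secure random source.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration only.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 random bytes


def _md5_xor_stream(secret: bytes, request_auth: bytes, data: bytes,
                    hide: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    hidden block); the chain is seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        # When hiding, the hidden block is our output; when unhiding it is our input.
        prev = block if hide else data[i:i + 16]
    return out


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least 16), then hide."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _md5_xor_stream(secret, request_auth, padded, hide=True)


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    return _md5_xor_stream(secret, request_auth, hidden, hide=False).rstrip(b"\x00")


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(secret, ident, request_auth, attrs=b""):
    """Code 2 = Access-Accept; the 16-byte authenticator sits at offset 4."""
    auth = response_authenticator(secret, 2, ident, request_auth, attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs


def verify_response(secret, packet, request_auth):
    """Recompute the Response Authenticator and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(secret, code, ident, request_auth,
                                      packet[20:length])
    return hmac.compare_digest(expected, packet[4:20])
```

Both mechanisms derive all their security from MD5 keyed with the shared secret. RADIUS/TLS leaves these fields in place but carries the whole datagram inside a TLS session, so confidentiality and integrity rest on TLS rather than on these constructions.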
To address these privacy and security issues, the RADIUS Extensions working group[2] of the Internet Engineering Task Force (IETF) specified TLS transport for RADIUS, as RADIUS/TLS, in RFC 6614.
The term RadSec goes back to early, pre-standard vendor implementations. The standard name for RADIUS over TLS as defined in RFC 6614 is RADIUS/TLS. There is also RADIUS/DTLS, which was defined in RFC 7360.
The main focus of RADIUS/TLS is to secure the communication between RADIUS peers at the transport layer. Its most important use lies in roaming environments, where RADIUS packets need to be transferred through different administrative domains and across untrusted, potentially hostile networks. An example of a worldwide roaming environment that uses RADIUS/TLS to secure communication is eduroam.[3]
References
1. Rigney, Carl (June 2000). "RFC 2866: RADIUS Accounting".
2. "RADIUS Extensions Working Group charter".
3. "eduroam".