By default, RADIUS DOES NOT secure the transmission of user credentials and sensitive data between the client and server. This lack of encryption exposes the authentication process to eavesdropping. Attackers can exploit this weakness through man-in-the-middle (MITM) attacks, intercepting traffic to steal user information. The risk is greater when the RADIUS server is hosted remotely, which makes securing these communications all the more important.
RadSec: Securing RADIUS with TLS
RadSec stands for RADIUS over TLS, an encryption method designed for the RADIUS protocol. It enables RADIUS clients or Network Access Servers (NAS)—typically access points (APs) or switches within a network—to carry out authentication, authorization, and accounting exchanges inside a TLS-encrypted tunnel. By leveraging TLS, RadSec protects these critical network communications from interception and tampering.
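To make the risk in the two paragraphs above concrete, here is an added example (not EnGenius code, and not part of the original page). It builds a RADIUS Access-Request the way RFC 2865 defines it, shows which attributes a passive observer of the UDP flow can read, shows that the User-Password hiding is only as strong as the shared secret, and sets up the TLS client policy a RadSec client would use to wrap the same packet. Sample values, the hostname and CA path, and the helper names are this example's own assumptions.

```python
"""Added example (not EnGenius code): build a RADIUS Access-Request as RFC 2865
defines it, show which attributes travel in cleartext, and show the TLS settings a
RadSec (RADIUS/TLS, RFC 6614) client uses to wrap the same packet. Sample values
and the helper names are this example's own assumptions."""
import hashlib
import os
import ssl
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADSEC_PORT = 2083  # TCP port registered for RADIUS/TLS by RFC 6614


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        hidden += prev
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can do this,
    which is why the secret alone is not a substitute for TLS."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes):
    """Walk the attribute list exactly as a passive observer of the UDP flow could."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def radsec_client_context(ca_file=None) -> ssl.SSLContext:
    """TLS policy for a RadSec client: TLS 1.2 or newer, and the RADIUS server's
    certificate verified against the CA that issued it (ca_file is a hypothetical path)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses unverified servers and legacy TLS versions."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", os.urandom(16)  # constructed sample values
    pkt = build_access_request(7, "alice@example.org", "hunter2", secret, "192.0.2.10", auth)
    _, _, _, attrs = parse_attributes(pkt)
    print("cleartext User-Name on the wire:", attrs[ATTR_USER_NAME])
    print("hidden User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with the shared secret:", unhide_password(attrs[ATTR_USER_PASSWORD], secret, auth))
    # With RadSec the whole datagram travels inside a TLS connection to TCP 2083, e.g.
    # radsec_client_context("ca.pem").wrap_socket(socket.create_connection(
    #     ("radius.example.org", RADSEC_PORT)), server_hostname="radius.example.org")
```

The User-Name, NAS-IP-Address and every other attribute appear in the clear; only User-Password is obfuscated, and whoever learns the shared secret can reverse it. RadSec moves the entire exchange into a TLS session in which the AP verifies the RADIUS server's certificate, which is what the certificate upload described later on this page is for.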
An example of WPA-Enterprise (802.1X):
EAP-TTLS/PEAP requires a certificate on the server side only, which is considered less secure.
EAP-TLS requires certificates for both the client and the RADIUS server and is highly recommended because of its stronger security.
The security of the connection between the client and the RADIUS server relies solely on the EAP method used. There is no change to the end-client authentication process.
To enable a secure tunnel from the client to the RADIUS server, navigate to Configure > SSID List > Captive Portal > Advanced Settings and enable HTTPS Login.
Use case
Global roaming networks like OpenRoaming and EduRoam use RadSec to secure communications between RADIUS servers globally. By implementing RadSec on EnGenius access points (APs), we ensure comprehensive security for these networks.
EduRoam
EduRoam is a secure, worldwide roaming access service developed for the international research and education community. It allows students, researchers, faculty, and staff from participating institutions to securely access the internet at other member institutions using their home institution's credentials.
Source: EduRoam.org
OpenRoaming
OpenRoaming is an initiative aimed at simplifying and enhancing Wi-Fi roaming across different networks and providers. Developed by the Wireless Broadband Alliance (WBA), OpenRoaming enables seamless and secure connectivity for users as they move between Wi-Fi networks, similar to how cellular roaming works.
Source: WBA
Wireless Broadband Alliance (WBA) Membership and OpenRoaming
EnGenius has now become a member of the Wireless Broadband Alliance (WBA) as a "Technology Provider Vendor." For further information, please refer to the WBA's official website.
Access Points (APs) must support Hotspot 2.0 to connect to OpenRoaming. This capability is expected to be available around June.
RoamingIQ
OpenRoaming now supports a solution that enables a unique Pre-Shared Key (PSK) to roam across different Wi-Fi Managed Service Providers (MSPs) or sites. Please refer to the RoamingIQ introduction and configuration guide.
How to Configure
Uploading a RadSec Certificate from RADIUS Servers
To strengthen your network's authentication, follow these steps to upload a RadSec certificate obtained from your RADIUS servers:
Navigate to ORGANIZATION on the main menu
Select Security > Certificates from the submenu
Click on the Upload button to add your RadSec certificate
Ensure the certificate is in the format specified by your RADIUS server documentation so that the upload succeeds.
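The format check in the last step is easy to get wrong (a stray character from copy-paste, a truncated file, or a private key pasted where only a certificate belongs). The following added example (not EnGenius code, and not part of the original page) is a stdlib-only sanity check to run on the file before clicking Upload: it verifies that each PEM block is clean base64 wrapping a DER SEQUENCE whose declared length matches the data, counts the certificates that decode, and flags private key material. The SAMPLE_PEM text is constructed for the demonstration and is not a real certificate or key.

```python
"""Added example (not EnGenius code): a stdlib-only sanity check for a PEM file
before uploading it under Security > Certificates. It verifies that each PEM block
is well-formed base64 wrapping a DER SEQUENCE whose declared length matches the
data, and reports which kinds of blocks the file contains. SAMPLE_PEM is
constructed for the demonstration, not a real certificate."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def der_outer_length(der: bytes) -> int:
    """Total length of the outermost DER SEQUENCE (short and long length forms);
    raises ValueError if the bytes do not start like an X.509 structure."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: bytes) -> list:
    """One report dict per PEM block: label, whether it decodes cleanly, size, problem."""
    reports = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1).decode()
        body = re.sub(rb"\s+", b"", match.group(2))
        report = {"label": label, "ok": False, "der_bytes": 0, "problem": None}
        try:
            der = base64.b64decode(body, validate=True)  # rejects stray characters
            if der_outer_length(der) != len(der):
                raise ValueError("DER length does not match block size")
            report.update(ok=True, der_bytes=len(der))
        except (binascii.Error, ValueError) as exc:
            report["problem"] = str(exc)
        reports.append(report)
    return reports


def summarize(reports: list) -> dict:
    """What a reviewer wants before clicking Upload: how many certificates decode,
    which blocks are broken, and whether private key material is present."""
    return {
        "certificates": sum(1 for r in reports if r["label"] == "CERTIFICATE" and r["ok"]),
        "broken": [r["label"] for r in reports if not r["ok"]],
        "contains_private_key": any(r["label"] in KEY_LABELS for r in reports),
    }


# Constructed sample: "MAMCAQU=" is the base64 of a 5-byte DER SEQUENCE stand-in
# (30 03 02 01 05), the second block carries an invalid base64 character, and the
# third shows how key material is flagged. None of these are real credentials.
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQ!=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
"""


def sample_summary() -> dict:
    """Summary for the constructed sample above."""
    return summarize(inspect_pem(SAMPLE_PEM))


if __name__ == "__main__":
    import sys
    # Usage: python check_pem.py <file.pem>; without an argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    for report in inspect_pem(data):
        print(report)
    print(summarize(inspect_pem(data)))
```

A file that reports zero decodable certificates, any broken block, or unexpected private key material should be fixed before upload rather than left for the AP to reject later. The check only validates structure; whether the certificate is the right one for your RADIUS server still depends on the server documentation referenced above.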
To enable RadSec on your Access Points (APs) for WPA2/3 Enterprise or Captive Portal access, follow these steps:
For WPA2/3 Enterprise:
Navigate to CONFIGURE > AP > SSID > Wireless > WPA2/3 Enterprise > Custom RADIUS
To run the test, you need a valid account name and password. The page provides a Test button that checks the RADIUS configuration: the Access Point (AP) connects to the RADIUS server using the IP address, port, and shared secret you entered.
For Captive Portal:
Navigate to CONFIGURE > AP > SSID > Captive Portal > Custom RADIUS
If Captive Portal > Custom RADIUS > RADIUS MAC-Auth is enabled, an authorized MAC address is required for the test.
These settings activate RadSec, providing secure RADIUS communication.
Once RadSec is enabled, the Access Points (APs) automatically scan the organization's certificate repository to find and link the matching certificates with the configured RADIUS servers.