Is RADIUS secure?

A brief overview of RADIUS security.

"Is RADIUS secure?" We get this question a lot. And the answer is "it can be", depending on which "flavor" of RADIUS you choose.

PAP

The first incarnation of RADIUS is called PAP. It uses a combination of techniques to hash the user's password. Unfortunately, this relies on (among other outdated techniques) MD5, a hashing algorithm that is now quite weak.

There is a great overview of it here or here.

As you can see in the article, PAP is not considered secure.

By default, Foxpass's cloud RADIUS does not support PAP directly. If you need to use PAP, we highly recommend you run either our RADIUS proxy or our RADIUS agent in your network as an intermediary.

Despite the above, if you require PAP and are comfortable with the risks, please contact us.

PEAP

Another popular RADIUS protocol is PEAP. Part of PEAP uses TLS encryption, which is a significant improvement. However, the most common mechanism for comparing passwords with PEAP uses MSCHAPv2.

MSCHAPv2 requires storing NTLM password hashes on the server. These are, unfortunately, cryptographically very weak if a password does not have substantial complexity requirements. Here's an overview: https://blog.varonis.com/closer-look-pass-hash-part-iii-ntlm-will-get-hacked/

Because it would mean storing NTLM password hashes, we don't consider PEAP highly secure. However, we will support it if you contact us.

🚧

Note: PEAP is incompatible with Delegated Authentication

Due to a limitation with the MSCHAPv2 protocol, if you enable PEAP you must use Foxpass as your authentication source.

EAP-TTLS-PAP

EAP-TTLS-PAP is the most popular RADIUS mechanism our cloud RADIUS servers support. This protocol encapsulates a RADIUS PAP packet inside of a TLS encrypted stream. It's just as secure as using websites that offer "HTTPS." It also means we can use extremely strong password hashes in our database.

EAP-TLS

EAP-TLS uses no passwords at all and is entirely certificate-based. It requires that our RADIUS servers have a CA cert from which all client certs are derived. Each client that wishes to connect must be installed with a certificate (and matching key) presented at connect-time. Because the client certificate contains the user's email address, Foxpass's RADIUS servers can do a final check to ensure the user is still in the "active" state in our database.