"Is RADIUS secure?" We get this question a lot. And the answer is "it can be", depending on which "flavor" of RADIUS you choose.
The first incarnation of RADIUS is called PAP. It uses a combination of techniques to hash the user's password. Unfortunately this relies on (among other outdated techniques) MD5, a hashing algorithm that is now quite weak.
As you can see in the article, PAP is not considered secure.
Despite the above, if you require PAP and are comfortable with the risks, please contact us.
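To make the MD5 dependency concrete, here is the User-Password hiding scheme that RFC 2865 (section 5.2) defines for PAP. This is an added example, not Foxpass code; the shared secret, Request Authenticator, and password are constructed values.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obscure User-Password as in RFC 2865 section 5.2."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()  # MD5 output used as keystream
        prev = _xor(padded[i:i + 16], mask)         # each block chains into the next
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same MD5 masks undo the hiding, yielding the cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("on the wire:", hidden.hex())
    print("server sees:", recover_password(hidden, SECRET, AUTHENTICATOR))
```

The only protection for the password in transit is MD5 keyed with the shared secret, and the server ends up holding the cleartext password.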
Another popular RADIUS protocol is PEAP. Part of PEAP uses TLS encryption, which is a big improvement. However, the most common mechanism for comparing passwords with PEAP uses MSCHAPv2.
MSCHAPv2 requires storing NTLM password hashes on the server. These are unfortunately cryptographically very weak if a password does not have strong complexity requirements. Here's an overview: https://blog.varonis.com/closer-look-pass-hash-part-iii-ntlm-will-get-hacked/
Because it would mean storing NTLM password hashes, we don't consider PEAP highly secure. However, we will support it if you contact us.
Note: PEAP is incompatible with Delegated Authentication.
Due to a limitation with the MSCHAPv2 protocol, if you enable PEAP you must use Foxpass as your authentication source.
EAP-TTLS-PAP is the most popular RADIUS mechanism our cloud RADIUS servers support. This protocol encapsulates a RADIUS PAP packet inside a TLS-encrypted stream. It's just as secure as using websites that offer "https". It also means we can use extremely strong password hashes in our database.
EAP-TLS uses no passwords at all and is entirely certificate-based. It requires that our RADIUS servers have a CA cert from which all client certs are derived. Each client that wishes to connect must have a certificate (and matching key) installed, which it presents at connect time. Because the client certificate contains the user's email address, Foxpass's RADIUS servers can do a final check to make sure the user is still in the "active" state in our database.