RadSec Setup Guides

RadSec Overview

Foxpass supports RadSec (RADIUS over TLS) for secure communication between your network devices and Foxpass Cloud RADIUS.

RadSec adds a TLS layer to standard RADIUS, providing:

  • Encrypted transport for all authentication traffic
  • Certificate-based authentication between your network device and Foxpass
  • Improved security for cloud-managed network environments

Standard RADIUS uses UDP and does not provide transport encryption. RadSec addresses this by running RADIUS over a secure TLS connection.

When to Use RadSec

RadSec is recommended for most deployments, especially when:

  • Your network infrastructure is cloud-managed (e.g., Meraki, UniFi, Aruba Central, Mist)
  • You want to encrypt RADIUS traffic in transit
  • You are implementing certificate-based authentication (EAP-TLS)
  • Your environment requires stronger security controls aligned with zero-trust principles

How RadSec Works

RadSec establishes a secure TLS connection between your network device and Foxpass:

Client Device → Access Point → RadSec (TLS) → Foxpass Cloud RADIUS

  • Uses TCP (port 2083) instead of UDP (1812/1813)
  • Requires certificates to establish a secure TLS connection between your network device (e.g. access point, switch, VPN gateway) and Foxpass Cloud RADIUS. RadSec uses two certificates: a Server CA (for your network device to trust Foxpass) and a client certificate (to authenticate your network device to Foxpass Cloud RADIUS). These establish mutual TLS between your network device and Foxpass and are separate from any client authentication certificates (EAP-TLS).
  • Protects authentication traffic from interception or tampering
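The mutual-TLS link described above can be checked from any host that holds the same two certificates as the network device. This is an added example, not Foxpass code: the function names are hypothetical, and the RadSec hostname and certificate file paths are parameters you supply from your own configuration.

```python
import socket
import ssl

RADSEC_PORT = 2083  # TCP port for RadSec, per the guide


def radsec_context(server_ca=None, client_cert=None, client_key=None):
    """TLS client context for the device side of the mutual-TLS link."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)   # Server CA: trust the RADIUS server
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # client cert: identify this device
    return ctx


def classify(exc):
    """Map a connection failure to the part of the RadSec setup to check."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "server-ca"    # server cert did not chain to the configured Server CA
    if isinstance(exc, ssl.SSLError):
        return "client-cert"  # TLS alert from the server, typically a rejected client cert
    if isinstance(exc, OSError):
        return "tcp"          # refused, timed out or unresolved: check TCP 2083 egress
    raise exc


def probe(host, ctx, port=RADSEC_PORT, timeout=5.0):
    """Return 'ok', 'closed', or the failing area for one connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # With TLS 1.3 a rejected client certificate is only reported
                # on the first read after the handshake, so wait briefly.
                tls.settimeout(1.0)
                try:
                    if tls.recv(1) == b"":
                        return "closed"  # server dropped the session without an alert
                except socket.timeout:
                    pass  # silence: the server is waiting for a RADIUS packet
                return "ok"
    except OSError as exc:
        return classify(exc)
```

A result of "tcp" points at firewall rules still written for UDP 1812/1813, "server-ca" at the trust side of the pair, and "client-cert" at the certificate the device presents.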


What’s Next

Select your network vendor below to configure RadSec with Foxpass Cloud RADIUS: