RADIUS

Shahrukh Ahmad

RADIUS (Remote Authentication Dial-In User Service) is a network protocol that implements AAA. It helps manage and secure user access to network services — like Wi-Fi, VPNs, and network devices — using centralized authentication.

What is AAA?

  1. Authentication – Who are you? (e.g., username + password)

  2. Authorization – What are you allowed to do? (e.g., access VLAN, firewall rules)

  3. Accounting – What did you do? (e.g., session logs, data usage, connection time)

RADIUS implements AAA and is used mostly in enterprise networks for secure access control.

Why Do We Need to Use RADIUS?

RADIUS helped us manage users centrally, scale securely, monitor activity, and control access precisely—all essential for enterprise-grade network security.

  • Centralized authentication using AD or LDAP

  • Secure Wi-Fi or VPN access

  • Role-based access control

  • Detailed audit logs of user activity

  • Scalable and manageable user base

1. Centralized Authentication

"Instead of storing usernames and passwords on every router, switch, or firewall, all authentication requests are sent to a central RADIUS server. This simplifies management and enhances security."

Example:

"In a company with 200 Wi-Fi access points, we don’t configure users on each device. Instead, all devices forward login requests to a central RADIUS server, which checks credentials from Active Directory."


2. Scalable User Management

"Managing hundreds of users from a single RADIUS server ensures consistency and simplifies onboarding/offboarding."

Example:

"When a new employee joins, I just add them to Active Directory. They can then access Wi-Fi, VPN, and other services immediately—no need to touch network devices."


3. Accounting & Monitoring

"RADIUS logs who connected, when, for how long, and what services they accessed. This helps with auditing and compliance."

Example:

"In our VPN setup, RADIUS tracks session durations. So if there's a security incident, we can review logs to see who connected and at what time."


4. Secure Access Control

"It enforces policies, ensures credentials are encrypted, and integrates with AD to control user access securely."

Example:

"In my last project, we integrated RADIUS with Wi-Fi and Active Directory, so only domain users with strong passwords and MFA could access the network."


5. Role-Based Access

"With RADIUS, you can enforce access levels based on group membership or role."

Example:

"We gave admins full switch access via SSH, employees had limited internet access, and guests could only use a captive Wi-Fi portal. RADIUS enforced these based on their AD group."

Where Can RADIUS Be Used?

| Use Case | Example Description |
|---|---|
| 🌐 Wi-Fi Access | Employees use domain credentials to connect to Wi-Fi securely. |
| 🔐 VPN Access | Only verified AD users can establish VPN. |
| 📟 Switches/Routers | Control who can log in to network devices (Cisco, Juniper, etc.) |
| 🏢 Corporate Access | Allow/deny access to internal applications based on user/group. |
| 🧑‍💼 Guest Portal | Set up time-limited access for visitors (e.g., hotels, cafes). |

Real-Life Example: Enterprise Wi-Fi with RADIUS + AD Integration

Goal: Only domain users can connect to corporate Wi-Fi securely.

Real-Life Use Case: Company VPN Access with RADIUS

Use Case:

The company wants to allow only authenticated employees to access the VPN using their AD credentials, and to log the connection duration.

Steps:

  1. Set up VPN server (e.g., OpenVPN or Windows RRAS).

  2. Configure RADIUS (NPS) as backend.

  3. Connect NPS to Active Directory.

  4. Enable logging (Accounting).

  5. Assign roles (e.g., IT can access all, interns limited).

Environment:

  • RADIUS Server: Windows Server with NPS (Network Policy Server)

  • Directory: Active Directory

  • Client: Wi-Fi Router/Access Point

  • Users: Domain Users (e.g., HR, IT)

Practice Approach in Lab (Home or Virtual Lab)

Tools You Need:

  • Windows Server (2019 or later) – NPS Role Installed

  • Windows 10 client joined to domain

  • Wi-Fi Access Point or simulate with FreeRADIUS + VM + Cisco Packet Tracer


🔧 Step-by-Step Project Setup (Say this in the interview):

✅ Step 1: Environment Setup

  • Installed Windows Server 2019

  • Installed Active Directory Domain Services

  • Created user accounts like user1, admin1

✅ Step 2: Installed and Configured NPS (Network Policy Server)

  • Added the NPS Role to the server

  • Registered NPS in Active Directory

  • Created Security Groups in AD (like "WiFi Users")

✅ Step 3: Configured RADIUS in NPS

  • Added Access Point IP as a RADIUS Client with a shared secret

  • Created Connection Request Policy

  • Created Network Policy to allow only users in "WiFi Users" group

✅ Step 4: Configured Wi-Fi Access Point

  • Configured WPA2-Enterprise mode

  • Set RADIUS server IP and shared secret in AP settings

✅ Step 5: Testing

  • Connected a domain-joined Windows 10 laptop to Wi-Fi

  • Entered AD credentials

  • Verified connection success in NPS Event Viewer

✅ Step 6: Accounting (Optional)

  • Enabled Accounting logs

  • Monitored session time, username, success/fail status

Real-Life Mini Project / Use Case for Interview

"I set up a small lab project where I used Windows Server with Active Directory and NPS (Network Policy Server) as the RADIUS server. I configured an Access Point (or simulated one) to use RADIUS authentication for Wi-Fi.
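
The scriptable parts of Steps 1 to 3 and the Step 5 check, as an added PowerShell example (not the author's own commands). It assumes an elevated session on the domain-joined NPS server with the ActiveDirectory module available; the client name `Lab-AP1` and the address `192.0.2.10` are placeholders for your access point.

```powershell
# Added example: lab build for Steps 1-3 and the Step 5 check.
# Assumed values: 'Lab-AP1' and 192.0.2.10 stand in for the real access point.
Import-Module ActiveDirectory

# Step 1: test accounts. The password is prompted for, never hard-coded.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for lab users'
foreach ($name in 'user1', 'admin1') {
    New-ADUser -Name $name -SamAccountName $name -AccountPassword $pw -Enabled $true
}

# Step 2: NPS role, registration in AD (lets NPS read dial-in properties),
# and the security group the network policy will reference.
Install-WindowsFeature -Name NPAS -IncludeManagementTools
netsh nps add registeredserver
New-ADGroup -Name 'WiFi Users' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WiFi Users' -Members 'user1'

# Step 3: register the AP as a RADIUS client. The shared secret protects the
# AP-to-NPS exchange, so generate 32 random bytes (64 hex characters) rather
# than choosing a memorable word. Use one secret per client device.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })
New-NpsRadiusClient -Name 'Lab-AP1' -Address '192.0.2.10' -SharedSecret $secret
Write-Host "Enter this shared secret in the AP's RADIUS settings: $secret"

# The Connection Request Policy and the Network Policy restricted to
# 'WiFi Users' are then created in the NPS console, as in Step 3 above.

# Step 5: NPS logs grants (6272) and denials (6273) to the Security log,
# but only when the 'Network Policy Server' audit subcategory is enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

With `user1` in "WiFi Users" and `admin1` left out, a connection attempt from each account should produce one 6272 and one 6273 event, which confirms the group restriction is actually enforced.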
