How RADIUS works
RADIUS follows a three-party model. The user connects to a network access server (NAS) such as a VPN gateway, wireless controller, firewall, or switch. The NAS does not verify credentials itself; it forwards them to a RADIUS server in an Access-Request packet, secured by a shared secret configured on both sides. The RADIUS server checks the credentials against its user store and policy, then replies with Access-Accept, Access-Reject, or Access-Challenge.
The Access-Challenge response is what enables multi-factor authentication over RADIUS: the server can demand a one-time code or trigger a push notification before accepting. Accept responses also carry attributes, such as a VLAN assignment or a session timeout, that tell the NAS what kind of access to grant. RADIUS additionally defines accounting messages that record when sessions start and stop, which is where the protocol's AAA description (authentication, authorization, accounting) comes from.
Why RADIUS matters
RADIUS is how network infrastructure participates in identity. Enterprise Wi-Fi with WPA2/WPA3-Enterprise, remote-access VPNs, firewall administrator logins, and switch port authentication via 802.1X all rely on it. Without a central RADIUS server, each of these devices keeps local accounts, which quickly become unmanaged, shared, and forgotten during offboarding.
The protocol is also a frequent gap in MFA coverage. Organizations that enforce strong authentication on web applications often still have VPNs and network gear checking only a password over RADIUS. Because VPN access typically lands a user inside the corporate network, attackers actively target these password-only entry points, and closing them is one of the highest-impact identity hardening moves available.
RADIUS in practice
A modern deployment points network devices at a RADIUS server that is backed by the central identity platform rather than a standalone user file. Users then sign into the VPN or Wi-Fi with the same credentials as everywhere else, MFA is enforced through the challenge flow, and disabling one account cuts network access along with application access.
Practical steps: configure each NAS with a unique shared secret, prefer challenge-based MFA over appending OTP codes to passwords where devices allow it, and send accounting data to the SIEM for session visibility. Monosign ships a built-in RADIUS server validated with FortiGate, Palo Alto, and Pulse Secure class NAS devices, so VPNs and firewalls authenticate against the same identities and MFA policies as SaaS applications.