← All terms
RADIUS (Remote Authentication Dial-In User Service)

What is RADIUS?

RADIUS is the network protocol that VPNs, Wi-Fi, firewalls, and switches use to authenticate users against a central server and authorize their network access.

Last updated: 14 July 2026

How RADIUS works

RADIUS follows a three-party model. The user connects to a network access server (NAS) such as a VPN gateway, wireless controller, firewall, or switch. The NAS does not verify credentials itself; it forwards them to a RADIUS server in an Access-Request packet, secured by a shared secret configured on both sides. The RADIUS server checks the credentials against its user store and policy, then replies with Access-Accept, Access-Reject, or Access-Challenge.

The Access-Challenge response is what enables multi-factor authentication over RADIUS: the server can demand a one-time code or trigger a push notification before accepting. Accept responses also carry attributes, such as a VLAN assignment or a session timeout, that tell the NAS what kind of access to grant. RADIUS additionally defines accounting messages that record when sessions start and stop, which is where the protocol's AAA description (authentication, authorization, accounting) comes from.

Why RADIUS matters

RADIUS is how network infrastructure participates in identity. Enterprise Wi-Fi with WPA2/WPA3-Enterprise, remote-access VPNs, firewall administrator logins, and switch port authentication via 802.1X all rely on it. Without a central RADIUS server, each of these devices keeps local accounts, which quickly become unmanaged, shared, and forgotten during offboarding.

The protocol is also a frequent gap in MFA coverage. Organizations that enforce strong authentication on web applications often still have VPNs and network gear checking only a password over RADIUS. Because VPN access typically lands a user inside the corporate network, attackers actively target these password-only entry points, and closing them is one of the highest-impact identity hardening moves available.

RADIUS in practice

A modern deployment points network devices at a RADIUS server that is backed by the central identity platform rather than a standalone user file. Users then sign into the VPN or Wi-Fi with the same credentials as everywhere else, MFA is enforced through the challenge flow, and disabling one account cuts network access along with application access.

Practical steps: configure each NAS with a unique shared secret, prefer challenge-based MFA over appending OTP codes to passwords where devices allow it, and send accounting data to the SIEM for session visibility. Monosign ships a built-in RADIUS server validated with FortiGate, Palo Alto, and Pulse Secure class NAS devices, so VPNs and firewalls authenticate against the same identities and MFA policies as SaaS applications.

Frequently asked questions

What is the difference between RADIUS and LDAP?
LDAP is a directory protocol: applications use it to look up entries and verify passwords against a directory. RADIUS is a network access protocol: devices use it to ask a server whether to admit a user, with support for challenges, MFA, and accounting. A RADIUS server often uses LDAP or a directory behind the scenes as its user store.
Can I add MFA to a VPN with RADIUS?
Yes, and it is the standard way to do it. Point the VPN's authentication at a RADIUS server integrated with your identity platform; the server responds with an Access-Challenge that requires a one-time code or push approval before granting access. Most enterprise VPN and firewall vendors support this flow.
Is RADIUS still relevant in a zero trust world?
Yes. Zero trust changes where trust decisions are made, not the protocols hardware speaks. Wi-Fi controllers, switches, and many VPNs will speak RADIUS for years, so the realistic approach is to back RADIUS with the central identity platform and its MFA and risk policies rather than treating it as legacy to ignore.