As of the end of 2023, several changes to the RADIUS specifications are under way at the IETF. This page documents the different RADIUS standards.

(Disclaimer: This page is still Work In Progress)


This is the original RADIUS specification in RFC 2865 and RFC 2866.


RADIUS/TLS is specified in RFC 6614, RADIUS/DTLS in RFC 7360. Both standards are in the "experimental" status, but are already heavily in use, especially for connecting NROs to the eTLRs.


With the 10-year anniversary of RFC 6614, the IETF is now working on making RADIUS/(D)TLS a proposed standard. The new standard is currently in draft status.

The main changes to RFC 6614 and RFC 7360 are the mandatory-to-implement features on the server side.


RADIUS/1.1 is a new way of calculating RADIUS packets that does not rely on the legacy cryptographic methods based on the RADIUS shared secret. Instead, RADIUS/1.1 relies completely on the confidentiality and integrity provided by (D)TLS, so RADIUS/1.1 can only be used over RADIUS/(D)TLS.

The migration to RADIUS/1.1 is fairly easy, since it is negotiated using ALPN (Application Layer Protocol Negotiation) within the RADIUS/(D)TLS handshake. Whenever both ends of the (D)TLS connection are running software capable of RADIUS/1.1, the connection will be upgraded to RADIUS/1.1.

Apart from the calculation of RADIUS attribute obfuscation and cryptographic elements of the RADIUS protocol, the RADIUS messages are not altered, so RADIUS/1.1 is just another transport profile and should not affect any RADIUS operations.
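The ALPN upgrade described above, as an added example that is not part of the original page or of any RADIUS implementation: two in-memory TLS peers authenticate each other with certificates and the result of the ALPN negotiation is read back. The protocol names `radius/1.1` and `radius/1.0` are taken from the RADIUS/1.1 specification rather than from this page; the host name `radsec.example` and the shared self-signed certificate are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// testIdentity returns a throwaway self-signed certificate (constructed test data).
func testIdentity() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"radsec.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// negotiate runs one mutually authenticated handshake over an in-memory pipe and returns
// the agreed ALPN name ("" = none, i.e. RADIUS/TLS as before). Tickets off: pipe is unbuffered.
func negotiate(clientALPN, serverALPN []string) (string, error) {
	cert, pool := testIdentity()
	cc, sc := net.Pipe()
	defer cc.Close()
	defer sc.Close()
	srv := tls.Server(sc, &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, NextProtos: serverALPN, SessionTicketsDisabled: true})
	cli := tls.Client(cc, &tls.Config{Certificates: []tls.Certificate{cert},
		RootCAs: pool, ServerName: "radsec.example", NextProtos: clientALPN})
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	return cli.ConnectionState().NegotiatedProtocol, <-done
}

func main() {
	p, err := negotiate([]string{"radius/1.1", "radius/1.0"}, []string{"radius/1.1", "radius/1.0"})
	fmt.Printf("negotiated %q, err=%v\n", p, err)
}
```

A peer that offers no ALPN at all still completes the handshake, which is why an upgraded implementation can be rolled out one side at a time.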

Mutual authentication in RADIUS/(D)TLS (Certificates or TLS-PSK)

With RADIUS/(D)TLS, the RADIUS shared secret used in RADIUS/UDP is no longer necessary. Instead, the peers perform mutual authentication within the (D)TLS layer.

This mutual authentication can be done by different means; the two main methods are certificates and Pre-Shared Keys.

IMPORTANT: When upgrading from RADIUS/UDP to RADIUS/(D)TLS with PSK, the PSK MUST NOT be identical to the RADIUS shared secret used before.
