Tuesday, November 21, 2023

RADIUS news from IETF118

Practically all current Wi-Fi controllers and APs for enterprise and carriers support RADIUS. Mobile network APN and DNN authentication, fixed line fiber-to-the-home gateways and other broadband equipment depend on RADIUS authentication. The industry that uses RADIUS is growing and the standardisation work is active proving RADIUS is in rude health.

The latest Internet Engineering Task Force (IETF) meeting was held earlier this month in Prague, Czechia - with the Radiator team in attendance. RADIUS work is mainly done by the RADIUS EXTensions (radext) working group. The current radext draft documents are related to security enhancements, protocol extensions, maintenance and best practices.


TLS-PSK for RADIUS over TLS and DTLS (also known as RadSec) draft is moving towards the publication phase. The draft has completed its development within the working group. The intended status for the draft is to become an Informational RFC. TLS-PSK greatly eases the configuration of RadSec by using Pre-Shared Keys with TLS instead of certificates.

Closely following the TLS-PSK draft is the draft for RADIUS Version 1.1. This draft is currently in the working group last call phase before it moves on towards publication. With RADIUS Version 1.1, the obsolete methods for RADIUS integrity and authentication are replaced by TLS and DTLS.

RadSec update and depreciation of insecure methods

Other work still in the draft development phase includes an update to RadSec. The update obsoletes the current RFCs for RADIUS over TLS (RFC 6614) and RADIUS over DTLS (RFC 7360) by merging them into a single specification. The draft obsoletes TLS 1.1 and earlier versions, requires TLS-PSK for servers, clarifies the use of DTLS, TLS session resumption, certificate verification and other topics.

Security of RADIUS is updated by a draft that deprecates insecure transport and authentication methods. The draft discusses the problems with unencrypted UDP and TCP transports and common RADIUS authentication methods, such as CHAP. The draft formally deprecates a number of ways these are currently insecurely used. Use of TLS or IPsec transport is now mandated and scope of UDP and TCP transports is reduced.These unsecured transports can be used in secure networks only.

RadSec CoA and Roaming support enhancements

RADIUS dynamic authorisation is updated by a draft that defines how to use existing RadSec connections to send change of authorization (CoA) requests. This allows easier CoA deployments in environments where firewalls, routing or other reasons make it hard to send requests towards a RADIUS client. This specification documents the existing usage that is already implemented by a number of server and client vendors.

Roaming support enhancements are defined in a draft that is currently in working group adoption phase. These enhancements include RADIUS request routing loop detection, remote realm status check and RADIUS request path discovery. This draft is likely approved as a working group draft before the end of the year.

The radext working group is also helping other IETF working groups with draft reviews, liaison work with other organisations, such as Wireless Broadband Alliance (WBA). The working group may continue to work on other documents after the current ones are finished.

What do I gain as a Radiator user?

The new functionality becomes available in Radiator when the drafts are nearing completion. For example TLS-PSK support is made available with the existing RadSec support allowing the Radiator customers to choose between PSK and certificate authentication. As a Radiator user, you will directly benefit from the work we do in the IETF. This will ensure your authentication service stays current and secure and follows the latest standards.

Want to know more?

For status of all current drafts and the working group in general, see https://datatracker.ietf.org/wg/radext/documents/

If you want to know more about Radiator team’s involvement in standardisation or discuss Radiator roadmap items from these drafts, please contact info@radiatorsoftware.com