Skip to content
Setup & requirements

RADIUS clients & RadSec

A RADIUS client is the network equipment — a wireless controller, switch, or VPN gateway — that sends authentication and accounting requests to EntryPoint. Each EntryPoint context exposes a RADIUS service that those clients point at. Because EntryPoint speaks standard RADIUS, it works with RADIUS-capable equipment from Cisco and other major vendors.

Each context has its own RADIUS endpoint, identified to its clients by three things:

SettingPurpose
RADIUS hostnameThe address the controller is configured to use for the context
Shared secretThe per-context secret that authenticates the client to the service
Client allow-listPermitted source addresses in CIDR notation; an empty allow-list denies all clients

The allow-list keeps the service reachable only from the organization’s own equipment. It can be opened to public access where required, but the default posture is to list only trusted ranges.

All RADIUS clients must include a valid Message-Authenticator attribute in their authentication requests. Requests that omit it or send it incorrectly are not accepted.

TrafficTransportPort
RADIUS authenticationUDP1812
RADIUS accountingUDP1813
RadSec (RADIUS over TLS)TCP2083

RADIUS accounting can be enabled with interim update intervals so session records stay current. Firewalls between the clients and the service must allow the ports in use, and the clients must be able to reach the EntryPoint service.

RadSec carries RADIUS inside a TLS tunnel, which both encrypts the traffic and verifies server identity — useful over public or semi-trusted networks. To use it:

  • RadSec is enabled on the context, and a valid RadSec server certificate (PEM) is provided.
  • The access points and switches must support RadSec and be configured to use EntryPoint as the RadSec RADIUS server.
  • The trusted RadSec certificate is uploaded to the network controller or dashboard, for example the Cisco Meraki Dashboard.

Certificate formats and trust are covered in Certificates & PKI.

Instead of reaching the service over the public internet, a context can be bound to the organization’s network privately over Service Connector (IPSec), so RADIUS and RadSec traffic travels through a tunnel rather than across the open internet.

Next