RADIUS clients & RadSec
A RADIUS client is the network equipment — a wireless controller, switch, or VPN gateway — that sends authentication and accounting requests to EntryPoint. Each EntryPoint context exposes a RADIUS service that those clients point at. Because EntryPoint speaks standard RADIUS, it works with RADIUS-capable equipment from Cisco and other major vendors.
Connecting a client to the context
Section titled “Connecting a client to the context”Each context has its own RADIUS endpoint, identified to its clients by three things:
| Setting | Purpose |
|---|---|
| RADIUS hostname | The address the controller is configured to use for the context |
| Shared secret | The per-context secret that authenticates the client to the service |
| Client allow-list | Permitted source addresses in CIDR notation; an empty allow-list denies all clients |
The allow-list keeps the service reachable only from the organization’s own equipment. It can be opened to public access where required, but the default posture is to list only trusted ranges.
All RADIUS clients must include a valid Message-Authenticator attribute in their authentication requests. Requests that omit it or send it incorrectly are not accepted.
| Traffic | Transport | Port |
|---|---|---|
| RADIUS authentication | UDP | 1812 |
| RADIUS accounting | UDP | 1813 |
| RadSec (RADIUS over TLS) | TCP | 2083 |
RADIUS accounting can be enabled with interim update intervals so session records stay current. Firewalls between the clients and the service must allow the ports in use, and the clients must be able to reach the EntryPoint service.
RadSec — RADIUS over TLS
Section titled “RadSec — RADIUS over TLS”RadSec carries RADIUS inside a TLS tunnel, which both encrypts the traffic and verifies server identity — useful over public or semi-trusted networks. To use it:
- RadSec is enabled on the context, and a valid RadSec server certificate (PEM) is provided.
- The access points and switches must support RadSec and be configured to use EntryPoint as the RadSec RADIUS server.
- The trusted RadSec certificate is uploaded to the network controller or dashboard, for example the Cisco Meraki Dashboard.
Certificate formats and trust are covered in Certificates & PKI.
Private connectivity
Section titled “Private connectivity”Instead of reaching the service over the public internet, a context can be bound to the organization’s network privately over Service Connector (IPSec), so RADIUS and RadSec traffic travels through a tunnel rather than across the open internet.
Related sections
Section titled “Related sections”- Certificates & PKI: the RADIUS server certificate and RadSec certificate.
- Entra connection: identity for EAP-TLS.
- Network Requirements: platform-wide connectivity.