RADIUS has become established as the standard for server-based authentication, authorization and billing. RADIUS is now being used for applications outside of its original design purpose, for example in combination with EAP/802.1X, and a number of deficits have become apparent:
- RADIUS operates via UDP and thus offers no native procedure for packet-loss detection. Although this is not a problem in a LAN environment, it is becoming increasingly important over WAN connections or on the Internet.
- RADIUS offers only simple procedures for authentication by means of a "shared secret", and it provides only a low level of confidentiality.

RADSEC is an alternative protocol that transmits RADIUS packets through a TLS-encrypted tunnel. TLS is based on TCP, which provides a proven mechanism for detecting packet loss. Furthermore, TLS is highly secure and features a method of mutual authentication by means of X.509 certificates.
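
The client side of such an exchange, as an added example that is not part of the original page or of any product's code: a TLS context that enforces mutual X.509 authentication, a Status-Server probe, and the length-based framing needed because TCP delivers a byte stream rather than datagrams. The port 2083 and the fixed secret "radsec" come from RFC 6614, the Status-Server packet from RFC 5997; none of these are stated on the page, and all function names are hypothetical.

```python
import hashlib, hmac, os, socket, ssl, struct

RADSEC_PORT = 2083         # assumption: RFC 6614 default port, not stated on the page
RADSEC_SECRET = b"radsec"  # RFC 6614 fixes the legacy secret; TLS provides the protection
STATUS_SERVER = 12         # RADIUS code used as a liveness probe (RFC 5997)

def mutual_tls_context(ca_file, cert_file, key_file):
    """Client context that verifies the server and presents our own X.509 certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def status_server(identifier):
    """Build a Status-Server packet carrying a Message-Authenticator attribute (type 80)."""
    head = struct.pack("!BBH", STATUS_SERVER, identifier, 20 + 18) + os.urandom(16)
    attr = bytes([80, 18])
    mac = hmac.new(RADSEC_SECRET, head + attr + bytes(16), hashlib.md5).digest()
    return head + attr + mac

def split_stream(buf):
    """Cut bytes read from the TLS stream into whole RADIUS packets plus the remainder."""
    packets = []
    while len(buf) >= 4:
        (length,) = struct.unpack("!H", buf[2:4])
        if not 20 <= length <= 4096:  # RFC 2865 bounds; the stream cannot be resynchronised
            raise ValueError("invalid RADIUS length %d" % length)
        if len(buf) < length:
            break  # partial packet, wait for more data
        packets.append(buf[:length])
        buf = buf[length:]
    return packets, buf

def probe(host, ctx, port=RADSEC_PORT):
    """Send one Status-Server over mutual TLS and return the first reply packet."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(status_server(1))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                packets, buf = split_stream(buf + chunk)
                if packets:
                    return packets[0]
```

A length field outside the valid range raises an error instead of being skipped, because a TCP stream that has lost packet alignment cannot be recovered and the connection has to be closed.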