When to enable RadSec
- Always, for eduroam. The national federation tier-1 servers require RadSec. Plain UDP either isn’t accepted or is being phased out.
- For any Internet-traversing upstream. RADIUS’s UDP authenticator-hash security doesn’t survive a modern threat model on open networks. TLS solves the problem.
- When the upstream operator offers it. Even for non-eduroam roaming partnerships, RadSec on the forwarding leg is a reasonable default.
Turning it on
Open the Context's Network Integration tab
This is where the RadSec master toggle lives (the setting is
shared with the Context-level RadSec terminator for incoming
traffic).
Upload the RadSec CA
The CA certificate the upstream server uses for its RadSec
session. For eduroam, the federation operator publishes this
as part of their RadSec onboarding instructions. Upload it
through the Upload CA control on the RadSec card.
Point the Remote Radius Server at the RadSec port
On Remote Radius Server, set the upstream port to the
federation’s RadSec port (standard: 2083). Save.
What RadSec actually does on the wire
- TCP, not UDP. RADIUS packets travel inside a TLS session over TCP. Firewalls and NAT that previously needed to pass UDP 1812 / 1813 now see a TCP session on 2083.
- Mutual TLS. Both sides authenticate with certificates. The upstream operator’s CA is what you upload to EntryPoint; your RADIUS-response certificate (managed by the platform) is what the upstream expects from you.
- Transport encryption. The entire RADIUS payload — credentials, attributes, accounting — is confidential between EntryPoint and the upstream. Passive observers can’t see anything.
eduroam RadSec — the usual onboarding dance
The federation operator’s onboarding typically looks like:- You contact the federation operator and ask to join.
- They send you their RadSec CA certificate and the hostname of their RadSec endpoint.
- They ask you for your outbound FQDN (shown on the Remote Radius Server card).
- They allow-list your FQDN on their side; you paste their hostname, port, and CA on your side.
- Run a test RADIUS authentication end-to-end (visiting user from a roaming institution joining an eduroam SSID on your campus). If it succeeds, you’re joined.
Operational notes
- The RadSec CA needs to be current. Federations rotate their CA on a multi-year cadence. When notified of a rotation, upload the new CA alongside the old one, verify authentications still work, then remove the old CA.
- RadSec port is TCP, not UDP. Firewalls allowing only UDP RADIUS will block RadSec. Re-check the path to the upstream after enabling.
- Accounting piggybacks on the same session. No separate accounting-port concern when RadSec is on.
- Inbound RadSec on the Context itself. EntryPoint also supports RadSec for the WLAN-controller side of the Context. See RADIUS clients. The two uses (inbound from your WLAN; outbound to the upstream) are independent toggles in the admin UI — you can run one or both.
Troubleshooting
- TLS handshake errors. The RadSec CA on your side doesn’t match the upstream’s RadSec certificate. Re-download the CA from the federation operator and re-upload.
- “Connection refused” / “Timeout”. The upstream hasn’t allow-listed your outbound FQDN yet, or a firewall between you and the upstream is dropping TCP 2083. Check with the federation operator.
- Authentications succeed but accounting rows don’t arrive. Rare — RadSec carries accounting on the same session. More likely a RADIUS-accounting issue on the WLAN controller side; see EntryPoint diagnostics.
Related
Remote Radius Server
Hostname, ports, secret — where RadSec is pointed.
Radius Proxy overview
The variant at a glance.
RADIUS clients
RadSec on the inbound side, from your WLAN to the Context.
Trusted certificates
CA management for EAP-TLS; separate from RadSec CAs but same mental model.