When users connect to corporate Wi-Fi, sign in to a VPN, or log in to a switch, the network still has to answer a basic question: who are you, and what are you allowed to do? RADIUS (Remote Authentication Dial-In User Service) is one of the most common ways organizations answer that question at scale. In CompTIA A+ Core 2 (220-1202), Domain 2 (Operating Systems), Objective 2.3 (Authentication), RADIUS matters because it supports remote, centralized authentication for real networks, not just standalone PCs. This article explains how RADIUS works, what "AAA" means, and the core components (client, server, shared secret). It also covers the ports you should memorize, plus practical troubleshooting and security checks you can use on the job.
What RADIUS does and where you'll see it on the job
RADIUS is a centralized system for authentication, authorization, and accounting (AAA). In plain terms, it lets many network devices ask one trusted service, "Should I let this user in, and under what rules?" That design helps because local accounts don't scale well. If every access point, VPN gateway, and switch has its own user list, password changes become slow and errors become common.
You'll see RADIUS in several everyday environments:
- Enterprise Wi-Fi (802.1X): A user joins a secure SSID, then the Wi-Fi system checks identity through RADIUS before granting access.
- VPN remote access: The VPN device forwards the user's login attempt to RADIUS, then applies the decision.
- Network device login: Switches, routers, and firewalls can use RADIUS so admins sign in with directory-backed accounts instead of local ones.
- NAC-style access control: Networks can place devices into different VLANs or roles based on identity and policy.
To keep the terms straight, connect AAA to help desk work:
Authentication answers, "Is this person really Sam?" For example, a user types a password, or a laptop presents a certificate.
Authorization answers, "What can Sam do after sign-in?" For example, Sam may get access to internal apps, while a contractor gets internet only.
Accounting answers, "What happened during the session?" For example, logs show when Sam connected, from where, and for how long.
Centralized AAA reduces duplicate work and improves consistency. It also improves incident response because logs live in fewer places. Still, it adds dependencies, so you need to understand the moving parts.
RADIUS parts you need to know: client, server, and shared secret
RADIUS has a simple structure, even if the deployments feel large.
A RADIUS client is the network access device that sends requests. Many vendors call it a NAS (network access server), even when it is not a server. Common "clients" include a wireless access point controller, a VPN concentrator, a switch, or a firewall.
A RADIUS server is the service that checks identity and policy. In many Windows shops, that server is Network Policy Server (NPS). In larger networks, it may be Cisco ISE. In Linux-based systems, it might be FreeRADIUS. The server often ties into a directory such as Active Directory, because directories already store users and groups.
The shared secret is a pre-shared key that the client and server both know. It helps the server trust the device sending the request, and it helps protect parts of the exchange. If the secret doesn't match, the server often rejects the request before it even evaluates the user.
A short Wi-Fi flow looks like this: a user joins the secure SSID, the access point (or controller) asks for credentials through 802.1X, then it forwards an authentication request to the RADIUS server. After that, the server decides and sends the result back, and the access point enforces it.
Common RADIUS facts for the 220-1202 exam
For the exam, focus on a few items you can recall fast under time pressure.
RADIUS commonly uses these UDP ports:
| Purpose | Modern UDP port | Legacy UDP port (older systems) |
|---|---|---|
| Authentication | 1812 | 1645 |
| Accounting | 1813 | 1646 |
Memorize 1812 and 1813 first. Then remember that 1645 and 1646 can appear in older gear.
Also, understand the security limitation: RADIUS encrypts the password field, but it doesn't encrypt the entire packet by default. As a result, organizations typically pair RADIUS with secure authentication methods, such as 802.1X using EAP methods that provide strong protection (often with TLS).
Exam mindset: think "central auth for network access," remember UDP 1812 and 1813, and tie RADIUS to 802.1X Wi-Fi and VPNs.
How a RADIUS login works, step by step
A RADIUS login is easier to understand if you picture a "middleman" model. The user talks to the network device first, and that device asks the RADIUS server for a decision.
First, the user starts an action that requires controlled access. On Wi-Fi, they connect to a secured SSID. On a VPN, they open the VPN client and enter credentials. On a wired port, they plug into a switch port that uses 802.1X.
Next, the network device prompts for a credential exchange. Depending on the setup, the user may see a username and password prompt, a certificate prompt, or an SSO-style experience. Even when the user sees only one prompt, several checks can happen behind the scenes.
Then the network device sends an Access-Request message to the RADIUS server. This request includes the username and proof of identity (or an EAP exchange that carries that proof). It also includes context, such as the device identifier, the port, and sometimes the requested service type.
After that, the RADIUS server evaluates the request. This is where policy decisions happen. The server can check credentials against a local database, a directory, or another identity source.