InkBridge Networks - A new name for Network RADIUS

Looking Forward to IETF 122

Defining new standards

We have been involved in the Internet Engineering Task Force (IETF) for a few decades now. During that time, we have written many of the RADIUS standards. We are still involved in the standards process, and this post explains how the new standards will affect you.


The IETF is meeting in Bangkok for IETF 122. We are working on a number of standards in different groups.

RADIUS Extensions (RADEXT)

The bulk of our work is in the RADIUS extensions (RADEXT) working group. The documents we are working on are:

  • RADIUS v1.1. Updating RADIUS for 2025 technology! This topic is covered in more detail in our other article, Introducing RADIUS 1.1.
  • TLS-PSK. The original RADIUS/TLS specifications did not describe how to use TLS-PSK with RADIUS. This document corrects that mistake. In many cases, it can be simpler to use pre-shared keys with RADIUS than to configure clients with certificates.
  • Deprecating insecure transports. This document suggests that it’s a bad idea to use “bare” UDP or TCP transports across the Internet. We have more discussion on this topic in our RADIUS Insecurity article.
  • Reverse CoA. When a NAS connects to a RADIUS server via TLS, it can be difficult (or impossible) to send CoA-Request or Disconnect-Request packets to the NAS. This document describes how to send CoA packets in “reverse” down that RADIUS/TLS connection. While it is not yet a working group document, we believe that it will be published shortly. It is most likely to be useful in OpenRoaming.

EAP Updates

We are working with the EAP Method Update (EMU) working group to update the TEAP RFC.

There is a strong demand for TEAP, in part because of its ability to do provisioning inside of the TLS tunnel. We have implemented TEAP in FreeRADIUS 3.2.3, and are working on updates and documentation.

We are also monitoring EAP-FIDO, which is a new proposed specification that uses Passkeys for 802.1X. The hope is that EAP configuration will become little more than “Use EAP-FIDO for network access”. It looks like this will not only work, but that it will not be too complicated to do.

If EAP-FIDO reaches its potential, then many Mobile Device Management (MDM) problems simply go away. That is a good thing for enterprises and universities.

DHCP

We are working with the DHCP working group to clarify implementation issues with DHCPv6.

Our customers have run into issues with DHCPv6. We are working on updates to clarify “best practices” around DHCPv6.

Madinas

MAC address randomization can make MAC authentication difficult. We are following the Madinas working group to ensure that new standards meet the market's needs and are secure.

TACACS+

Now that the TACACS+ RFC has been published, the working group is updating the document for TACACS+ TLS. Many of our customers use TACACS+, and there is a strong need for a version of the protocol which uses modern cryptography.

How this affects people using FreeRADIUS

People using FreeRADIUS can rest assured that FreeRADIUS is compatible with all “up and coming” Internet standards. In fact, led by Alan DeKok, the team at Network RADIUS continues to lead the industry in defining and implementing these standards, as we have done for decades.

Your RADIUS systems will continue to get more secure, and more flexible.

We continue to follow these and other standards. Our goal is to serve our customers, to improve the technology, and to make people's lives easier and more secure.


