RADIUS Access and Authentication

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used by remote-access equipment for authentication, authorization, and accounting.

Accessing the RADIUS service

The RADIUS authentication services use the standard access ports defined by RFC 2865 and 2866. Both the IANA-assigned port numbers and the unofficial legacy port numbers are supported.

Protocol        Legacy Port   IANA-Assigned Port
Authentication  1645          1812
Accounting      1646          1813

For a client to connect, a profile for that client must exist in the configuration of the RADIUS server. This profile contains the IP address of the client and a pre-defined shared secret for sending messages.

Supported authentication types

At this time, the following authentication types are supported:

Auth Type   Description                                                        Note
PAP         Password Authentication Protocol                                   PAP should only be used on controlled/trusted networks.
MSCHAPv2    Microsoft Challenge-Handshake Authentication Protocol, version 2   Microsoft implementation of CHAP, not to be confused with NTLMv2.
EAP         Extensible Authentication Protocol                                 A framework for implementing additional protocols.

The standard CHAP protocol is not supported because it requires reversibly encrypted passwords in AD-DS. MSCHAPv1 is similarly not supported because it requires LAN Manager-compatible password hashes in AD-DS.

Extensible authentication protocol and protected extensible authentication protocol

Additional authentication protocols can be implemented using the EAPHost API. Two come with the RADIUS server: EAP-MSCHAPv2 and EAP-TLS. Protected EAP means that the EAP traffic between the supplicant (client) and the authentication server is encapsulated in a TLS-encrypted tunnel. The EAP-based authentication protocols are generally more secure than non-EAP methods and should be used if possible.

University IT provides more information on Stanford’s wireless networks and eduroam as well as the Stanford VPN.

Last modified August 10, 2018