Remote Authentication Dial-In User Service (RADIUS) is a protocol used to centralise authentication, authorisation, and accounting for network access. In identity terms, it sits at the point where users or devices are admitted to Wi-Fi and VPN services, so its availability and policy accuracy directly shape access assurance.
Expanded Definition
RADIUS is a client-server protocol for centralising authentication, authorisation, and accounting when a user, device, or NHI requests network access. In modern NHI operations, it commonly sits in front of Wi-Fi, VPN, and remote access gateways, where policy decisions must happen fast and consistently. The protocol is mature and widely deployed, but definitions vary across vendors in how RADIUS is extended, proxied, or paired with federation and MFA controls. For that reason, RADIUS should be treated as an access decision and telemetry layer, not as a complete identity governance system. NHI Management Group views it as one part of a larger control stack that also includes secret lifecycle management, policy enforcement, and continuous monitoring, as discussed in the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0. The most common misapplication is using RADIUS as a proxy for strong identity assurance, which occurs when organisations assume network admission equals verified trust in the underlying account or secret.
Examples and Use Cases
Implementing RADIUS rigorously often introduces operational dependency on an always-on policy tier, requiring organisations to weigh access continuity against centralised control and logging fidelity.
- A corporate VPN checks credentials through RADIUS before admitting remote employees and contractor workstations, then records session accounting for audit review.
- A campus or enterprise Wi-Fi controller uses RADIUS to enforce per-group network access, which helps separate managed laptops from guest and IoT devices.
- An NHI-backed service account authenticates to a network appliance through RADIUS when legacy infrastructure cannot yet support modern token-based federation.
- A security team correlates RADIUS logs with secret rotation events in the Ultimate Guide to NHIs to detect stale credentials that still grant access.
- An organisation aligns RADIUS enforcement with guidance from the NIST Cybersecurity Framework 2.0 so network admission supports least privilege and traceable accountability.
Why It Matters in NHI Security
RADIUS often becomes a security concern because it can quietly amplify the blast radius of compromised secrets. When a service account, VPN credential, or shared network login is accepted by the RADIUS tier, the resulting access may appear legitimate even if the underlying secret is stale, overprivileged, or embedded in automation. That is why NHI governance has to examine both the protocol path and the identity behind it. NHI Management Group notes that 97% of NHIs carry excessive privileges, a condition that turns network access control into a high-impact enforcement point rather than a routine gateway decision, and the Ultimate Guide to NHIs shows that 71% of NHIs are not rotated within recommended time frames. Those conditions matter because RADIUS may continue to trust credentials long after operational owners have lost track of them. For broader governance alignment, the NIST Cybersecurity Framework 2.0 reinforces access control and monitoring as recurring duties, not one-time setup tasks. Organisations typically encounter the significance of RADIUS only after a VPN account, Wi-Fi credential, or service secret is abused in an incident, at which point RADIUS becomes operationally unavoidable to investigate and contain.
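The correlation described above, matching RADIUS accepts against secret rotation records to surface stale or uninventoried credentials that still grant access, as an added example that is not part of the original page. The log lines and the rotation inventory are constructed; the line format is loosely modelled on a FreeRADIUS radius.log "Login OK" entry, and the 90-day rotation threshold is an assumed policy value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on FreeRADIUS radius.log entries.
# Not real telemetry.
RADIUS_LOG = """\
Mon Jun  9 08:00:01 2025 : Auth: (1) Login OK: [alice] (from client vpn-gw port 0 cli 10.0.0.5)
Mon Jun  9 08:02:17 2025 : Auth: (2) Login OK: [svc-backup] (from client wifi-ctl port 0 cli 10.0.1.9)
Mon Jun  9 08:05:44 2025 : Auth: (3) Login incorrect: [bob] (from client vpn-gw port 0 cli 10.0.0.7)
Mon Jun  9 08:09:30 2025 : Auth: (4) Login OK: [svc-legacy-appliance] (from client vpn-gw port 0 cli 10.0.2.3)
"""

# Constructed secret-rotation inventory: identity -> date its secret was last rotated.
# svc-legacy-appliance is deliberately absent to model an uninventoried credential.
ROTATION_INVENTORY = {
    "alice": datetime(2025, 5, 20),
    "svc-backup": datetime(2024, 11, 1),
}

# Only successful authentications matter here; rejected attempts are ignored.
LOGIN_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\) Login OK: "
    r"\[(?P<user>[^\]]+)\] \(from client (?P<client>\S+)"
)

def parse_accepts(log_text):
    """Yield (timestamp, user, client) for each RADIUS Access-Accept in the log."""
    for line in log_text.splitlines():
        m = LOGIN_OK.match(line)
        if m:
            # Collapse the double space before single-digit days so strptime accepts it.
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("user"), m.group("client")

def find_stale_accepts(log_text, inventory, max_age_days=90):
    """Return accepts whose secret was older than max_age_days at login time,
    or whose identity has no rotation record at all (not inventoried)."""
    findings = []
    for ts, user, client in parse_accepts(log_text):
        rotated = inventory.get(user)
        if rotated is None:
            findings.append({"user": user, "client": client, "reason": "not-inventoried"})
        elif ts - rotated > timedelta(days=max_age_days):
            age = (ts - rotated).days
            findings.append({"user": user, "client": client, "reason": f"stale:{age}d"})
    return findings

if __name__ == "__main__":
    for f in find_stale_accepts(RADIUS_LOG, ROTATION_INVENTORY):
        print(f)
```

In a real deployment the inventory would come from the secrets manager or NHI inventory, and the accepts from RADIUS accounting or the server's auth log shipped to a SIEM; the logic stays the same.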
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | RADIUS often fronts non-human credentials that must be inventoried and governed. |
| NIST CSF 2.0 | PR.AC-4 | RADIUS implements access enforcement and supports least-privilege network admission. |
| NIST Zero Trust (SP 800-207) | | RADIUS sits at a trust decision point that should fit zero-trust access policy. |
Inventory RADIUS-backed NHI credentials, rotate them, and remove stale access paths promptly.
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org