What is RADIUS?

RADIUS stands for Remote Authentication Dial-In User Service and is a network protocol used for centralised authentication, authorisation and accounting (AAA) of users and devices. It is often used together with 802.1X for network access control.

In OT environments, RADIUS provides a way to centrally manage access to network equipment and segments, without each device having to be configured individually.


🧠 How does RADIUS work?

  1. A user or device tries to connect to the network via a switch, router or VPN gateway (the authenticator, also called the NAS or RADIUS client)
  2. The authenticator sends the credentials to the RADIUS server in an Access-Request, protected with a shared secret that only the two of them know
  3. The server checks the credentials (e.g. username/password, or a certificate via EAP) against an internal database or external sources such as Active Directory
  4. On approval, the server answers with an Access-Accept, which can carry authorisation attributes such as a VLAN; on refusal it answers with an Access-Reject and the authenticator blocks the connection
  5. Optionally, the authenticator reports session start, interim and stop records to the server for auditing (accounting)

Communication takes place over UDP ports 1812 (authentication) and 1813 (accounting). Older equipment may still use the legacy ports 1645 and 1646; when filtering traffic to the server, allow only the pair actually in use. RADIUS over TLS (RadSec, RFC 6614) uses TCP port 2083 instead.


🏭 Use of RADIUS in industrial networks

  • Authentication of users and devices on 802.1X-enabled switches
  • Role-based access (RBAC) to network equipment and configuration interfaces
  • Assignment of dynamic VLANs based on user role or device type
  • Logging of access attempts via Syslog or SIEM
  • Integration with existing identity systems such as Active Directory in IT/OT convergence

In OT networks, RADIUS prevents uncontrolled access to sensitive network zones and device configurations.


🔍 RADIUS vs. TACACS+

Aspect      | RADIUS                                                                     | TACACS+
------------|----------------------------------------------------------------------------|-----------------------------------------------------------------------
Used for    | Network access (802.1X, VPN, Wi-Fi)                                        | Device administration (CLI login on switches/firewalls, per-command authorisation)
Encryption  | Only the User-Password attribute is obfuscated (MD5 keyed with the shared secret); all other attributes are cleartext unless RadSec or IPsec is used | Entire packet body is encrypted with the shared secret; only the header is cleartext
Port        | UDP 1812 (authentication) and 1813 (accounting)                            | TCP 49
Standard    | Open IETF standard (RFC 2865, RFC 2866)                                    | Cisco-originated; documented as Informational RFC 8907
Use in OT   | Yes, particularly for 802.1X and VPN access                                | Less common, unless per-command control of network equipment administration is needed
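
The exchange in steps 1 to 4 above, the dynamic VLAN assignment from the use-case list and the "Encryption" row of the table, carried out in one process as an added example (this is not code from the page; it is a teaching model, not a RADIUS implementation for production). Both sides are written in Python with only the standard library: the switch side builds a signed Access-Request, the server side verifies it, checks the password and answers with an Access-Accept carrying the VLAN or with an Access-Reject, and the switch side verifies the answer. The shared secret, the user store with its VLAN, the NAS address 10.10.0.2 and the identifier 7 are constructed values; the code and attribute numbers are the ones assigned in the cited RFCs.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types: RFC 2865 (base), RFC 2868 (tunnel/VLAN), RFC 2869 and 3579 (Message-Authenticator)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SHARED_SECRET = b"ot-switch-secret"      # assumption: the secret this one switch shares with the server
USERS = {"plc-eng": ("Hunter2!", 110)}   # constructed user store: name -> (password, VLAN of the PLC zone)

def attr(kind, value):
    """One attribute: Type (1 byte), Length including this header (1 byte), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def parse_packet(pkt):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((kind, pkt[i + 2:i + alen]))
        i += alen
    return code, ident, pkt[4:20], attrs

def password_xor(data, secret, authenticator, hiding):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous hidden block).
    Keyed obfuscation, not encryption: the same loop hides (hiding=True) and reveals (hiding=False)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hiding else data[i:i + 16]   # chain on the hidden block in both directions
        out += block
    return out if hiding else out.rstrip(b"\x00")

def with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, whole packet with the MAC value zeroed)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16), "md5").digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)

def message_authenticator_ok(pkt, secret, request_authenticator):
    """Recompute the HMAC; for replies the Request Authenticator goes in the header (RFC 3579 s3.2)."""
    _, _, _, attrs = parse_packet(pkt)
    macs = [v for k, v in attrs if k == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(attr(k, b"\x00" * 16 if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    expected = hmac.new(secret, pkt[:4] + request_authenticator + zeroed, "md5").digest()
    return hmac.compare_digest(expected, macs[0])

def server_handle(request, secret=SHARED_SECRET):
    """Server side (step 3): check integrity and credentials, answer Accept with a VLAN or Reject."""
    code, ident, req_auth, attrs = parse_packet(request)
    fields, decision, reply = dict(attrs), ACCESS_REJECT, b""
    if code == ACCESS_REQUEST and message_authenticator_ok(request, secret, req_auth):
        entry = USERS.get(fields.get(USER_NAME, b"").decode(errors="replace"))
        password = password_xor(fields.get(USER_PASSWORD, b""), secret, req_auth, hiding=False)
        if entry and hmac.compare_digest(entry[0].encode(), password):
            decision = ACCESS_ACCEPT
            reply = (attr(TUNNEL_TYPE, struct.pack("!I", 13))            # tag 0, Tunnel-Type VLAN (13)
                     + attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6))    # tag 0, IEEE-802 (6)
                     + attr(TUNNEL_PRIVATE_GROUP_ID, str(entry[1]).encode()))
    signed = with_message_authenticator(decision, ident, req_auth, reply, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    resp_auth = hashlib.md5(signed[:4] + req_auth + signed[20:] + secret).digest()
    return signed[:4] + resp_auth + signed[20:]

def client_request(username, password, nas_ip, ident, secret=SHARED_SECRET):
    """Switch side (steps 1-2): signed Access-Request; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, password_xor(password.encode(), secret, req_auth, hiding=True))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret), req_auth

def client_check_reply(reply, req_auth, ident, secret=SHARED_SECRET):
    """Switch side (step 4): accept the reply only if both authenticators bind it to our request."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth) \
            or not message_authenticator_ok(reply, secret, req_auth):
        raise ValueError("reply is not an authentic answer to our request")
    return code, int(dict(attrs)[TUNNEL_PRIVATE_GROUP_ID]) if code == ACCESS_ACCEPT else None

def authenticate(username, password, nas_ip="10.10.0.2"):
    """Whole exchange in one process; returns (ACCESS_ACCEPT, vlan) or (ACCESS_REJECT, None)."""
    request, req_auth = client_request(username, password, nas_ip, ident=7)
    return client_check_reply(server_handle(request), req_auth, ident=7)

if __name__ == "__main__":
    print(authenticate("plc-eng", "Hunter2!"), authenticate("plc-eng", "wrong"))  # (2, 110) (3, None)
```

Running it gives (2, 110) for the valid user, i.e. Access-Accept with the port placed in VLAN 110, and (3, None) otherwise. Parse the Access-Request bytes without the secret and the User-Name and NAS-IP-Address are readable; only the User-Password value is not, and anyone holding the shared secret reverses it with the same loop. That is the whole confidentiality RADIUS itself offers, which is why the transport still needs RadSec or IPsec. The Message-Authenticator is what stops an on-path attacker from altering the cleartext attributes or forging a reply: change one byte of the User-Name and the server answers with a Reject, and a reply built with a different secret is thrown away by the switch side. Retransmission, accounting, EAP and proxying are deliberately left out.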

🔐 Security considerations

  • Use RADIUS together with 802.1X and strong authentication (e.g. EAP-TLS with per-device certificates rather than passwords)
  • Do not rely on RADIUS itself for confidentiality: it only obfuscates the User-Password attribute. Carry the traffic between authenticator and server over RadSec (RADIUS over TLS, RFC 6614) or an IPsec tunnel, give every authenticator its own long shared secret, and require the Message-Authenticator attribute so that requests and replies cannot be forged or altered in transit
  • Restrict access to the RADIUS server using a firewall and ACLs, so that only known authenticators can reach UDP 1812/1813 (or TCP 2083 for RadSec)
  • Integrate with a SIEM to log and analyse access attempts; repeated Access-Rejects from one switch port or MAC address are an early sign of credential guessing or a rogue device
  • Segment the RADIUS infrastructure from the rest of the network in line with the Purdue Model (for example in the industrial DMZ or at the site operations level, not inside the cell/area zones it protects)

A compromised RADIUS server, or a leaked shared secret, opens every 802.1X port and VPN it protects, which makes it a central attack target: hardening and monitoring are essential.


📌 In summary

RADIUS is a powerful protocol for centralised access control in industrial networks. By centrally authenticating users and devices, the network becomes more secure, scalable and manageable.