RadSec is a protocol for transporting RADIUS datagrams over TCP and TLS.
The RADIUS protocol is a widely deployed authentication and authorization protocol. The supplementary RADIUS Accounting specification[1] also provides accounting mechanisms, thus delivering a full AAA protocol solution. However, RADIUS is experiencing two major shortcomings as time passes since its initial design: its dependency on the unreliable transport protocol UDP and the lack of security for large parts of its packet payload. Specifically, for the latter, RADIUS security is based on the MD5 algorithm, which has been proven to be insecure.
The main focus of RadSec is to provide a means to secure the communication between RADIUS/TCP peers on the transport layer. The most important use of RadSec lies in roaming environments where RADIUS packets need to be transferred through different administrative domains and untrusted, potentially hostile networks. An example for a world-wide roaming environment that uses RadSec to secure communication is eduroam.[2]
The "RADIUS Extensions" working group[3] of the Internet Engineering Task Force (IETF) specified RadSec in RFC 6614.