Need a Remote Authentication Dial-In User Service (RADIUS) server for your authentication, authorization, and accounting (AAA) needs? You can spend thousands on RADIUS solutions, but there are also a number of low-cost alternatives.
These solutions are especially useful for smaller organizations that may only be using it for a single purpose, such as to implement enterprise WiFi security with 802.1X authentication. Many, however, can also be used for other AAA purposes.
What Is a RADIUS Server?
The RADIUS protocol is especially valuable for those operating in organizations that have to deal with many different networking and infrastructure devices, or lack a central authentication mechanism to enable access to the network. It connects and authenticates user identities to the network or VPN.
If you’re running a Windows Server, you already have RADIUS capability.
These identities might be stored in Microsoft Active Directory (AD), OpenLDAP, a cloud directory, or within the RADIUS server. Not only does this improve network security, it also saves IT a lot of manual labor.
If you’re running a Windows Server, keep in mind you already have RADIUS capability. Before using a third-party server, look into the Internet Authentication Service (IAS) component in Windows Server 2003 R2 and earlier, or the Network Policy Server (NPS) component in Windows Server 2008 and later.
Read more: Best Server Security Tools
Best Low-Cost RADIUS Servers
For those without a Windows Server, or those who require more functionality and customization, consider these solutions:
FreeRADIUS
Value Proposition
This free and open source software is one of the most popular RADIUS servers. FreeRADIUS can be set up on an old desktop tower to serve anywhere from a dozen to a few hundred users. Alternatively, it can be installed on appropriate servers to support millions of users and requests. FreeRADIUS is designed for running on Unix, Linux, and other Unix-like operating systems.
You can find it in the repositories of most Linux distributions installed easily, or manually compiled on most others. By default, FreeRADIUS has a command-line interface, and setting changes are made via editing configuration files. It’s best suited for IT professionals with Unix/Linux experience. Because it’s open source, you can even make code changes to the software.
Key Differentiators
- Support for more authentication types than any other open source server
- Serves organizations ranging in size from 10 users to over a million users
- Used daily by more than 50 thousand sites
- Reportedly responsible for authenticating more than one third of users on the internet
- Other RADIUS-related products include a client library, module for Apache, and pluggable authentication module (PAM) for authentication and accounting
Jumpcloud
Value Proposition
Jumpcloud’s Cloud RADIUS is a way to deploy cloud RADIUS servers to provision and deprovision user access to VPN and WiFi networks from a browser.
It takes a cloud-based approach to implementing the RADIUS protocol without the need to build, maintain, or monitor physical servers. This enables IT to quickly roll out managed RADIUS to the organization and authenticate users to WiFi, VPNs, switches, and network devices securely.
Key Differentiators
- Secure with multifactor authentication and encryption
- Can be configured to use EAP-TTLS, PAP, or PEAP, as well as support WPA2 Enterprise and RADIUS encryption modes
- Supports access to VPNs, including Meraki, Palo Alto, and OpenVPN
- Segment user access through dynamic VLAN tagging and use VLANs to isolate network devices
- Enables users to access networks with the same core identities they use to access other resources
- Automatically generates complex passwords for authentication between WAPs and RADIUS servers
- $2 per user per month
- Free version available on a trial basis for up to 10 users
TekRADIUS
Value Proposition
KaplanSoft’s TekRADIUS runs on Windows. The basic features are offered for free; additional versions can be purchased.
The TekRADIUS Enterprise version ($149) adds support for EAP-TLS, dynamic self-signed certificate creation for PEAP sessions, NTLM authentication for MS-CHAP authentication methods, and regular expression-based attribute matching. The TekRADIUS SP version ($449) gives you VoIP billing in addition to the enterprise features.
Key Differentiators
- Built-in DHCP server to assign IP addresses to wired or wireless devices
- Tested on Microsoft Windows Vista, Windows 7-10 and Windows 2008-2019 servers
- Complies with RFC 2865 and RFC 2866
- Supports TCP and TLS transports
- TekRADIUS supports Microsoft SQL Server, and TekRADIUS LT supports SQLite.
- Runs as a Windows Service and comes with a Windows management interface
- Logs system messages, errors, and session information to a daily rotated log file and Windows Event log
- Creation of SQL database and tables through TekRADIUS Manager
- Can proxy RADIUS requests to other RADIUS servers
- IPv6 attribute support
- Authenticate users against Windows Domain or Active Directory
RouterOS
Value Proposition
RouterOS is the operating system MikroTik uses for its RouterBOARD products. It includes an embedded RADIUS server.
Since it offers all the main router functions, it could even be used as the main network router. It can be installed on a PC, turning it into a router.
Key Differentiators
- Features such as routing, bandwidth management, wireless access point, backhaul link
- Cloud Hosted Router is an approach made for VMs, available as a special installation image for free
- Available for free (limited functionality), with all features priced at a nominal fee ($45+)
- Provides functions such as NAT firewall, VPN server and hotspot gateway
- The OS is downloadable as an ISO image that you can burn on a CD to install
- Configuration changes can be made via command-line, web browser, and Windows WinBox utility
- A Windows utility is also offered to write RouterOS to a secondary drive that’s been attached, and the drive can be moved to a dedicated PC or server
AuthenticateMyWiFi
Value Proposition
AuthenticateMyWiFi by NoWiresSecurity is a hosted or cloud-based service priced from $13/month. It offers hosted server access specifically for 802.1X authentication.
It enables small and midsize organizations to easily use the enterprise mode of WPA or WPA2 security for their WiFi network. Since there’s no server to set up, it’s great for organizations without an IT staff. Since AuthenticateMyWiFi is cloud-based, it also makes securing WiFi networks at multiple offices easy.
Key Differentiators
- Use the Enterprise mode of WiFi Protected Access (WPA or WP2) security for a private WiFi network
- Provides access to a RADIUS server, which performs the required 802.1X authentication
- Password-based authentication using the PEAP protocol.
- Also works for wired connections when used with business or enterprise-level switches
- Use the cloud service on routers and APs at multiple locations
- Restrict user access during set times or days of the week
- Define a date and time a user account is automatically deactivated
- Windows, Mac OS X, and Linux are all supported
ClearBox
Value Proposition
ClearBox is an on-premise RADIUS server software running on any Windows for home, office and business.
Although it’s available only as a commercial offering, a 30-day evaluation is provided, and the $599 price after that is relatively low compared to other solutions. ClearBox is configured through a no-thrills GUI. It offers a configuration wizard to ease setup, and it’s flexible and customizable. ClearBox supports integration with several billing systems, as well.
Key Differentiators
- Wireless 801.x authentication
- SQL scripting for authentication, authorization, and accounting
- Active Directory, LDAP, SQL authentication
- Dynamic Authorization Extensions
- Multiple independent authentication backends are supported
- RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, ClearBox internal user accounts database, and any SQL-compliant data sources
- SQL commands and stored procedures can be used to control authentication, logging authentication status, checking or adding RADIUS attributes in request or response
- Running in proxy mode allows IT to modify outgoing and incoming forwarded packets
Foxpass
Value Proposition
Foxpass is a RADIUS and LDAP server. It is often used to replace existing LDAP or AD servers as a way to save IT time. It functions as the primary user directory to secure access to WiFi and devices. It can be self-hosted or hosted in the cloud.
Key Differentiators
- Self-service SSH keys and password management for servers, WiFi, VPN, and machines
- Controls server access automatically with an API
- Cloud-hosted LDAP and RADIUS that syncs with Google, Office365, and more
- Orchestrates host access
- Sets minimum key strength requirements
- Enables multifactor authentication
Access Points
If you’re looking for a RADIUS solution for just 802.1X authentication so you can implement enterprise WiFi security, keep in mind some Access Points (APs) have an embedded RADIUS server. This includes those provided by HPE, ZyXEL, Cisco, Linksys, and D-Link.
These are great for organizations that don’t want to setup and maintain their own server. One of these could serve as the authentication server for all other APs, and they don’t even have to be of the same model or brand.
Examples include:
- Cisco Embedded Wireless Controller on Catalyst Access Points uses the approach of request and response transaction with a single RADIUS server, which combines both authentication and authorization. Authentication can be done using the Cisco ISE, Cisco DNAC, Free RADIUS, or any third-party RADIUS Server.
- You can configure up to four global IPv4 or IPv6 RADIUS servers on the Linksys LAPAC1750PRO Access Point. One of the servers always acts as primary, while the others act as backup servers. The network type (IPv4 or IPv6) and accounting mode are common across all configured RADIUS servers.
- The D-Link DAP-2695 provides wireless security by supporting both personal and enterprise versions of WPA and WPA2 (802.11i) with support for RADIUS server back end.
