Enhancing Security with Encrypted RADIUS Communications
Ensure RADIUS server communications are encrypted for increased security.
Plain language
This control requires using encryption to protect information sent between devices that verify user identities (called authenticators) and your central RADIUS server, which handles user logins. It's important because, without this encryption, sensitive information like passwords could be intercepted by hackers while in transit, putting your network at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Wireless networks
Official control statement
Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.
Why it matters
Legacy RADIUS (RFC 2865) carries every attribute except User-Password in clear and protects that one attribute only with an MD5 construction keyed on the shared secret. Without RADIUS over IPsec/TLS, RADIUS packets can be intercepted, exposing usernames, device and session attributes and, where the shared secret is weak or recovered, user credentials, enabling unauthorised network access and compromise.
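As an added illustration of that exposure (example code written for this page, not from the ISM or from any RADIUS implementation), the following Python builds a legacy RADIUS Access-Request/Access-Accept pair as RFC 2865 lays them out and then shows what a passive observer of the UDP traffic can recover. The user name, shared secret, wordlist and the fixed Request Authenticator are constructed for the demonstration; the attribute encoding, the User-Password hiding and the Response Authenticator computation follow the RFC.

```python
import hashlib
import struct

# RADIUS attribute types used below (RFC 2865 section 5).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, CALLED_STATION_ID = 1, 2, 4, 5, 30
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def obfuscate_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def deobfuscate_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of obfuscate_password. The Request Authenticator is in the packet,
    so the shared secret is the only thing an eavesdropper lacks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident: int, req_auth: bytes, attrs) -> bytes:
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, attrs=()) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def parse_packet(raw: bytes):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = raw[pos], raw[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, raw[pos + 2:pos + l]))
        pos += l
    return code, ident, raw[4:20], attrs


def response_authenticator_matches(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator under a candidate shared secret."""
    length = struct.unpack("!BBH", response[:4])[2]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return expected == response[4:20]


def eavesdropper_view(request: bytes, response: bytes, candidate_secrets):
    """What a passive observer of one legacy UDP exchange learns: every attribute except
    User-Password in clear, plus an offline dictionary test of the shared secret against
    the Response Authenticator (no interaction with the server is needed)."""
    _, _, req_auth, attrs = parse_packet(request)
    cleartext = {t: v for t, v in attrs if t != USER_PASSWORD}
    secret = next((s for s in candidate_secrets
                   if response_authenticator_matches(response, req_auth, s)), None)
    password = None
    hidden = dict(attrs).get(USER_PASSWORD)
    if secret is not None and hidden is not None:
        password = deobfuscate_password(hidden, secret, req_auth)
    return cleartext, secret, password


def demo() -> dict:
    """Constructed exchange (illustrative values only): a NAS authenticates 'alice'
    against a server configured with the weak shared secret 'testing123'."""
    secret = b"testing123"
    req_auth = bytes(range(16))  # fixed for reproducibility; must be random in real use
    attrs = [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, obfuscate_password(b"Correct-Horse-Battery", secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 1, 20])),
        (NAS_PORT, struct.pack("!I", 7)),
        (CALLED_STATION_ID, b"00-11-22-33-44-55:corp-wifi"),
    ]
    request = build_access_request(0x2A, req_auth, attrs)
    response = build_access_accept(0x2A, req_auth, secret)
    wordlist = [b"radius", b"secret", b"testing123", b"password"]  # attacker's guesses
    cleartext, found, password = eavesdropper_view(request, response, wordlist)
    return {"user_name": cleartext[USER_NAME], "called_station": cleartext[CALLED_STATION_ID],
            "secret": found, "password": password}
```

Two points to take from running demo(): the only attribute the protocol hides is User-Password, so usernames, NAS identity and session attributes leak regardless of how strong the secret is; and because the Response Authenticator is an MD5 over the packet plus the secret, a single captured exchange lets the secret be guessed offline, after which every captured password decodes. RadSec or IPsec removes both exposures by wrapping the whole packet; it does not change the RADIUS layer inside, which is why strong shared secrets still matter.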
Operational notes
Configure and verify RADIUS over TLS (RadSec, RFC 6614, TCP port 2083) or IPsec between authenticators and the RADIUS server, and disable the legacy UDP listeners (1812/1813) wherever no IPsec-protected peer still needs them; regularly validate certificates, cipher suites and trust chains on both the server and the authenticators.
Implementation tips
- The IT team should ensure all RADIUS traffic between authenticators and the RADIUS server is encrypted. They can do this by configuring RADIUS over Transport Layer Security (TLS) or Internet Protocol Security (IPsec) to add an additional layer of security to communications.
- The network administrator should ensure the RADIUS server and all authenticators are capable of supporting the chosen encryption method. This involves checking and, if necessary, updating the devices' firmware or software.
- The security manager should establish protocols for using strong, up-to-date encryption standards. They can consult guidelines from the Australian Cyber Security Centre (ACSC) for recommended encryption practices.
- The IT team should conduct regular testing of the encryption setup. They should simulate network communications to verify that encryption is working effectively and inspect network logs to ensure no unencrypted RADIUS data is being transmitted.
- The procurement team should work with the IT team when acquiring new network hardware to ensure that all equipment supports RADIUS encryption as required by your security policy.
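As a concrete form of the log inspection called for in the testing tip above (example code added for this page, not from the ISM or from any vendor tool), the following Python audits a Zeek-style conn.log extract for RADIUS flows that are not wrapped in RadSec or IPsec. The log lines, the RADIUS server address and the IPsec peer list are constructed; the port assumptions are the standard ones (UDP 1812/1813 and the older 1645/1646 for legacy RADIUS, TCP 2083 for RADIUS/TLS, UDP 4500 for IPsec NAT-T).

```python
# Ports by which RADIUS traffic is recognised on the wire (assumed standard values).
LEGACY_RADIUS_UDP = {1812, 1813, 1645, 1646}  # RFC 2865/2866 plus the pre-RFC ports
RADSEC_TCP = 2083                             # RFC 6614 RADIUS/TLS
IPSEC_NAT_T_UDP = 4500                        # ESP-in-UDP; only a hint that a tunnel exists

# Constructed Zeek conn.log extract for the demonstration; not captured from a real network.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\tC1\t10.0.1.20\t49152\t10.0.0.5\t2083\ttcp\tssl
1700000001.2\tC2\t10.0.1.21\t51000\t10.0.0.5\t1812\tudp\tradius
1700000002.3\tC3\t10.0.1.22\t4500\t10.0.0.5\t4500\tudp\t-
1700000003.4\tC4\t10.0.1.22\t1645\t10.0.0.5\t1645\tudp\tradius
1700000004.5\tC5\t10.0.0.5\t55000\t10.0.0.9\t1813\tudp\tradius
1700000005.6\tC6\t10.0.1.23\t40000\t10.0.0.5\t443\ttcp\tssl
"""


def parse_conn_log(text: str) -> list:
    """Parse Zeek's TSV layout: the '#fields' header names the columns, '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def audit_radius_flows(rows, radius_servers, ipsec_peers) -> list:
    """Classify every flow that touches a RADIUS server.
    Verdicts: 'ok-radsec' (TCP 2083), 'cleartext' (legacy UDP to/from a peer with no IPsec),
    'ipsec-check' (legacy UDP from a declared IPsec peer, which a capture on the server host
    sees after decapsulation, so the tunnel must be confirmed separately),
    'ipsec-tunnel' (NAT-T traffic, evidence a tunnel exists). Other services are skipped."""
    findings = []
    for r in rows:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if src not in radius_servers and dst not in radius_servers:
            continue
        proto, dport = r["proto"], int(r["id.resp_p"])
        peer = src if dst in radius_servers else dst  # the non-server end of the flow
        if proto == "tcp" and dport == RADSEC_TCP:
            verdict = "ok-radsec"
        elif proto == "udp" and dport in LEGACY_RADIUS_UDP:
            verdict = "ipsec-check" if peer in ipsec_peers else "cleartext"
        elif proto == "udp" and dport == IPSEC_NAT_T_UDP:
            verdict = "ipsec-tunnel"
        else:
            continue  # e.g. the server's HTTPS admin interface; not RADIUS
        findings.append({"uid": r["uid"], "peer": peer, "port": dport, "verdict": verdict})
    return findings


def cleartext_uids(findings) -> list:
    """Connection IDs that fail the control outright and need follow-up."""
    return sorted(f["uid"] for f in findings if f["verdict"] == "cleartext")


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for f in audit_radius_flows(rows, {"10.0.0.5"}, {"10.0.1.22"}):
        print(f)
```

To use it on real data, feed the conn.log text to parse_conn_log and your server and IPsec peer addresses to audit_radius_flows. Two caveats: a capture taken on the RADIUS host after IPsec decapsulation shows tunnelled traffic as ordinary UDP 1812, which is why declared IPsec peers get 'ipsec-check' rather than 'cleartext' (confirm the security association exists, for example with ip xfrm state on a Linux host, before accepting it); and flows the server itself originates towards other RADIUS hosts, such as proxying or accounting forwarding, are included deliberately, because those legs need the extra layer too.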
Audit / evidence tips
- Ask: the network configuration documentation. Request documents detailing the RADIUS server settings and encryption configurations from the IT department.
  Good: shows specific configurations and encryption protocols.
- Ask: testing records. Request records of recent encryption tests from the IT team.
  Good: would include dates and clear evidence of successful encryption tests.
- Ask: device compatibility reports. Request a list of devices confirmed to be compatible with TLS or IPsec by the network administrator.
  Good: includes confirmation that all devices are compatible with the encryption used.
- Ask: encryption protocol standards. Request the security policy documents outlining encryption protocols.
  Good: includes clearly defined and acceptable encryption standards that align with national guidelines.
- Ask: a review meeting record. Request notes or minutes from recent review meetings where encryption practices were discussed.
  Good: includes recorded dates and actions from these meetings.
Cross-framework mappings
How ISM-1454 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.24 | ISM-1454 requires encrypting RADIUS communications using RADIUS over TLS or RADIUS over IPsec to protect authentication/authorisation tra... |
| Supports | Annex A 5.14 | ISM-1454 requires communications between authenticators and a RADIUS server to be protected by an additional encryption layer (RadSec/IPs... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.