ISM-1454 ASD Information Security Manual (ISM)

Enhancing Security with Encrypted RADIUS Communications

Ensure RADIUS server communications are encrypted for increased security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security.

Source: ASD Information Security Manual (ISM)

Plain language

This control requires using encryption to protect information sent between devices that verify user identities (called authenticators) and your central RADIUS server, which handles user logins. It's important because, without this encryption, sensitive information like passwords could be intercepted by hackers while in transit, putting your network at risk.

Why it matters

Without RADIUS over IPsec/TLS, RADIUS packets can be intercepted, exposing credentials and enabling unauthorised network access and compromise.

Operational notes

Configure and verify RADIUS over TLS (RadSec) or IPsec between authenticators and the RADIUS server; regularly validate certificates, cipher suites and trust chains.

Implementation tips

  • The IT team should ensure all RADIUS traffic is encrypted. They can do this by configuring RADIUS over Transport Layer Security (TLS) or Internet Protocol Security (IPsec) to add an additional layer of protection to communications.
  • The network administrator should ensure the RADIUS server and all authenticators are capable of supporting the chosen encryption method. This involves checking and, if necessary, updating the devices' firmware or software.
  • The security manager should establish protocols for using strong, up-to-date encryption standards. They can consult guidelines from the Australian Cyber Security Centre (ACSC) for recommended encryption practices.
  • The IT team should conduct regular testing of the encryption setup. They should simulate the authenticator-to-server exchange to verify that encryption is working effectively, and inspect logs to confirm that no unencrypted RADIUS traffic is being transmitted.
  • The procurement team should work with the IT team when acquiring new network hardware to ensure that all equipment supports RADIUS encryption as required by your security policy.
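The operational note on verifying RadSec/IPsec and the tip on inspecting logs for unencrypted traffic can be turned into a small audit check. The following is an added example, not Control Stack's or ASD's code: it classifies flow records as RadSec (TCP 2083, RFC 6614), IPsec (ESP or NAT-T on UDP 4500) or plaintext RADIUS, and for the plaintext case parses the packet to show the User-Name that is readable on the wire. The addresses, port roles and packet bytes are constructed for the example.

```python
# ISM-1454 audit check: flag RADIUS flows not carried inside RadSec (RADIUS/TLS, TCP 2083)
# or IPsec (ESP, or NAT-T on UDP 4500). Added example, not Control Stack or ASD code.
import struct
from collections import namedtuple
from typing import List, Optional

PLAINTEXT_RADIUS_PORTS = {1812, 1813, 1645, 1646}  # auth/acct plus legacy ports
RADSEC_PORT = 2083  # RFC 6614 RADIUS over TLS
Flow = namedtuple("Flow", "src dst proto dport payload")  # proto: udp/tcp/esp; dport 0 for ESP

def radius_user_name(payload: bytes) -> Optional[str]:
    """User-Name (attr type 1) from a plaintext RADIUS packet (RFC 2865: 20-byte header, then TLVs)."""
    if len(payload) < 20:
        return None
    end = min(struct.unpack("!H", payload[2:4])[0], len(payload))
    pos = 20
    while pos + 2 <= end:
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > end:
            return None  # malformed attribute: stop rather than mis-parse
        if attr_type == 1:
            return payload[pos + 2:pos + attr_len].decode("utf-8", "replace")
        pos += attr_len
    return None

def classify(flow: Flow) -> str:
    if flow.proto == "esp" or (flow.proto == "udp" and flow.dport == 4500):
        return "ipsec"
    if flow.proto == "tcp" and flow.dport == RADSEC_PORT:
        return "radsec"
    if flow.proto == "udp" and flow.dport in PLAINTEXT_RADIUS_PORTS:
        return "plaintext-radius"
    return "other"

def audit(flows: List[Flow]) -> List[str]:
    """One finding per non-compliant flow, naming the identity readable on the wire."""
    findings = []
    for f in flows:
        if classify(f) == "plaintext-radius":
            user = radius_user_name(f.payload) or "<unknown>"
            findings.append(f"{f.src}->{f.dst}:{f.dport} plaintext RADIUS, User-Name visible: {user}")
    return findings

# Constructed Access-Request: code 1, id 7, length 27, zeroed authenticator, User-Name "alice"
ACCESS_REQUEST = b"\x01\x07" + struct.pack("!H", 27) + b"\x00" * 16 + b"\x01\x07alice"
SAMPLE_FLOWS = [  # constructed: three authenticators talking to one RADIUS server
    Flow("10.0.1.5", "10.0.9.10", "udp", 1812, ACCESS_REQUEST),  # controller still on plain UDP
    Flow("10.0.1.6", "10.0.9.10", "tcp", RADSEC_PORT, b""),      # switch using RadSec
    Flow("10.0.1.7", "10.0.9.10", "esp", 0, b""),                 # authenticator inside IPsec
]
```

Running `audit(SAMPLE_FLOWS)` yields one finding, for the controller still sending on UDP 1812; the RadSec and IPsec flows pass because their RADIUS payload is inside the encrypted carrier.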

Audit / evidence tips

  • Ask: network configuration documentation. Request documents detailing the RADIUS server settings and encryption configuration from the IT department.

    Good: shows the specific configurations and encryption protocols in use.

  • Ask: testing records. Request records of recent encryption tests from the IT team.

    Good: includes dates and clear evidence of successful encryption tests.

  • Ask: device compatibility reports. Request a list of devices confirmed by the network administrator to be compatible with TLS or IPsec.

    Good: confirms that all devices are compatible with the encryption method used.

  • Ask: encryption protocol standards. Request the security policy documents outlining the required encryption protocols.

    Good: includes clearly defined, acceptable encryption standards that align with national guidelines.

  • Ask: review meeting records. Request notes or minutes from recent review meetings where encryption practices were discussed.

    Good: includes recorded dates and actions from these meetings.

Cross-framework mappings

How ISM-1454 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Relationship: Partially meets (1)
  Control: Annex A 8.24
  Notes: ISM-1454 requires encrypting RADIUS communications using RADIUS over TLS or RADIUS over IPsec to protect authentication/authorisation tra...

Relationship: Supports (1)
  Control: Annex A 5.14
  Notes: ISM-1454 requires communications between authenticators and a RADIUS server to be protected by an additional encryption layer (RadSec/IPs...
