NAC built-in RADIUS and VPN for Secure Remote Access

How RADIUS Authentication, Authorization, and Change of Authorization (CoA) Secures Remote Access

Remote Work / Work From Home has emerged as one of the hottest topics, primarily driven by the Covid-19 pandemic. According to Google, searches for these terms reached 100% of their popularity last year. Also, Gartner HR Survey found that 88% of business organizations all over the world mandated or encouraged all their employees to work from home as the virus started to spread at exponential rates. Furthermore, about 97% of the organizations immediately canceled all work-related travel.

ZTNA & SASE considered the gold standard for remote access

This resulted in many organizations struggling with how to secure their remote workforce with very little notice. Over time, technologies such as Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) will likely be considered the gold standard for remote access, however, many businesses have yet to implement these emerging technologies. Instead, they must establish a remote access policy in the immediate or short term to ensure only authorized users are connecting remotely and that their devices are secure.

The most practical solution: NAC with RADIUS and VPN

With many organizations still reliant on traditional VPNs, a common solution is to integrate the VPN platform (Firewall, Concentrator, etc) with a RADIUS server. This allows for users to be authenticated before access is permitted, permissions to be assigned during authentication and for permissions to be changed if a security policy is violated. So how exactly does this work? Below we will discuss the basic concepts of RADIUS Authentication, Authorization and Change of Authorization (CoA).

RADIUS Authentication and Authorization

RADIUS Authentication and Authorization are covered under multiple RFCs, perhaps the most commonly referred to is RFC-2865. The RFC describes RADIUS as:

“A protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.”

In other words, RADIUS-enabled network devices will authenticate users against RADIUS. On the back end of RADIUS is typically Active Directory / LDAP or sometimes just a local database.

RADIUS Change of Authorization (CoA)

RADIUS Change of Authorization (CoA) is also covered under multiple RFCs, but most notably under RFC-3576 and RFC-5176. It is described as:

“A currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session.”

In short, RADIUS CoA allows permissions to be changed dynamically. This allows admins to ensure that when a device experiences a change in status, the permissions match the status of the device.

Remote Access Use Cases

There can be many use cases for securing remote access depending on the size, business model and nature of an organization. In this article we will focus on a few of the most common use cases. We will also discuss which use case can be fulfilled using the different RADIUS features and technologies mentioned above.

Use Cases



To satisfy this use case, RADIUS can be utilized to verify a user’s (or computer’s) identity against an authentication server such as Active Directory/LDAP. If the user/computer is successfully authenticated, access to the corporate/internal network is granted. If not, access is denied.


For the Authorization use case, RADIUS can optionally be configured to assign specific privileges to a user/computer during authentication based on the response from the authentication server. Not always, but most commonly, this is based on which group the user or computer is a member of in the database. This is not to be confused with Change of Authorization which occurs after authentication.

Change of Authorization (CoA)

In this use case, RADIUS can optionally be configured to perform a Change of Authorization, commonly referred to as CoA, if instructed to do so by an external server such as a Network Access Control (NAC) policy server. Most commonly, this is used to change the level of access/permissions because something has changed on the device such as a security setting. The status of these settings when compared to the policies defined in the policy server is often referred to as “posture”. If there is a change in posture of the device, typically a CoA is performed.

RADIUS Server Network Integration

In each of the use cases above, the RADIUS server is performing the actions as described, but the network device the user/computer is connecting through actually blocks or restricts access. This requires the network device to be configured to communicate with the RADIUS server and vice versa. Generally speaking, for remote workers, this device is typically the Firewall or a VPN Concentrator. The RADIUS server will send Accept, Reject or CoA with attributes such as downloadable ACLs (dACLs) to block or restrict access.Below are diagrams listed for each use case and RADIUS technology / feature.

Remote Access Enforcement by Genian NAC

Authentication: Genians VPN Enforcement Against Unauthorized User

Authorization: Genians VPN Enforcement for Privileged access

Change of Authorization by Genians VPN Enforcement

The Right Solution for remote access

Genian NAC Built-in RADIUS and VPN

RADIUS is a standards-based, vastly deployed solution across organizations of all sizes. Network Access Control combined with RADIUS and VPN infrastructure is a widely adopted solution for controlling network access for remote workforces while at the same time, ensuring only authorized users can access the internal network and validating the security posture of end user devices. The same privileges and security policies assigned while inside the physical boundaries of an organization should also be assigned when users are working remotely. A solution that ensures these policies can be configured and monitored within a single system is a critical component of any Cybersecurity plan.

The Genian NAC Built-In RADIUS Server is capable of performing Authentication, Authorization and Change of Authorization (CoA) functions. For more information, refer to this short 5 minute video covering RADIUS Authorization policies or, for more detailed configuration instructions, please view the documentation pages associated with this feature.

Why NAC? Why Genians?

Scroll to Top

We use cookies to help improve this website and enhance your browsing experience You can change your cookie settings at any time. • Privacy • Terms