RadSec Support (RADIUS over TLS) in LoginTC MFA

October 23, 2025 | Thomas Sydorowski

Last year, a significant vulnerability known as Blast-RADIUS exposed a critical flaw in the RADIUS authentication protocol that many organizations still rely on to connect their VPNs, firewalls, and network devices. The issue highlighted the inherent weaknesses in traditional RADIUS traffic, which, by default, does not encrypt all communications.

At LoginTC, our immediate response to Blast-RADIUS included a comprehensive review of our RADIUS Connector and clear guidance to customers on mitigating risks. Now, we’re proud to take that one step further.

We’ve added RadSec (also known as RADIUS over TLS) support to the LoginTC RADIUS Connector, introducing full TLS encryption for RADIUS traffic. This marks a major step toward modernizing RADIUS-based authentication and helping organizations stay secure against both current and emerging network threats.

What is RadSec (RADIUS over TLS)?

RadSec, short for “RADIUS over TLS,” is a modern extension to the RADIUS protocol that wraps all RADIUS communications in Transport Layer Security (TLS). Unlike traditional RADIUS, which typically uses UDP and only protects credentials with a shared secret, RadSec encrypts the entire communication channel, protecting user data, authentication requests, and responses from eavesdropping or tampering.

This upgrade ensures that all authentication messages between your RADIUS client (such as a VPN, firewall, or switch) and the LoginTC RADIUS Connector are fully encrypted, mutually authenticated, and integrity-checked.

Why RadSec matters after Blast-RADIUS

The Blast-RADIUS vulnerability, disclosed in 2024, demonstrated that an attacker could exploit weaknesses in traditional RADIUS traffic to forge Access-Accept messages, essentially tricking a network device into granting access without proper credentials. The attack worked because RADIUS’s design assumed that only trusted, local networks would carry its traffic, an assumption that no longer holds true in today’s distributed environments.

While LoginTC’s RADIUS Connector and multi-factor authentication (MFA) already provided strong protection against unauthorized access, the underlying issue with RADIUS traffic encryption remained an industry-wide concern.

The introduction of RadSec support closes that gap.

With RadSec, all authentication traffic between your network devices and the LoginTC RADIUS Connector is encrypted using TLS, ensuring:

  • Confidentiality: Attackers cannot read RADIUS messages in transit.
  • Integrity: Messages cannot be modified or forged without detection.
  • Authentication: Both client and server identities are verified using certificates.

These protections align directly with the recommendations issued after the Blast-RADIUS disclosure, effectively neutralizing the vulnerability and providing a more resilient foundation for secure authentication.

How LoginTC implements RadSec

The LoginTC RADIUS Connector now supports RadSec (RADIUS over TLS) alongside traditional RADIUS, offering administrators flexibility and compatibility as they transition to more secure configurations.

Organizations using compatible VPNs, firewalls, and other RADIUS-speaking devices, such as those from Cisco, Fortinet, Palo Alto Networks, and others, can now configure them to use TLS-encrypted RADIUS connections.

LoginTC’s RadSec support allows you to:

  • Use TLS certificates to authenticate both ends of the connection.
  • Continue using your existing MFA workflows, including push, passcode, and offline authentication.
  • Maintain interoperability with standard RADIUS infrastructure during phased rollouts.

The update requires minimal configuration changes for most environments and is available immediately for customers running the latest version of the LoginTC RADIUS Connector.
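During a phased rollout, any device still on RADIUS/UDP depends on MD5-based checks keyed with the shared secret. The following Python example is added here and is not LoginTC code: it verifies the Response Authenticator (RFC 2865) and requires a valid Message-Authenticator (RFC 3579) on every response, the interim hardening recommended for RADIUS/UDP after Blast-RADIUS. The function names, verdict strings and sample-building helper are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 3579), 16-byte value

def _mac_offset(attrs: bytes):
    """Offset of the Message-Authenticator value in attrs, or None if absent."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == MESSAGE_AUTHENTICATOR and attrs[i + 1] == 18:
            return i + 2
        i += attrs[i + 1]
    return None

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Check a RADIUS/UDP response against the request it answers."""
    if len(packet) < 20 or len(request_auth) != 16:
        raise ValueError("short packet or bad Request Authenticator")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "bad-response-authenticator"
    off = _mac_offset(attrs)
    if off is None:
        return "missing-message-authenticator"  # policy: reject the response
    # RFC 3579: HMAC-MD5 over the packet with the attribute value zeroed
    zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[off:off + 16]):
        return "bad-message-authenticator"
    return "ok"

def build_response(code, ident, request_auth, attrs, secret, with_mac=True):
    """Build a constructed sample response, signed the way a server would."""
    if with_mac:  # Message-Authenticator goes first in the attribute list
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_mac:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs
```

Once a device moves to RadSec, TLS with certificate authentication provides the channel protection, and these MD5-based fields are no longer the only integrity control on the path.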

A step forward for secure RADIUS authentication

For many organizations, RADIUS remains a central part of secure network access. It’s how VPNs authenticate remote workers, how firewalls control administrative logins, and how switches and Wi-Fi controllers enforce access policies. But its age has left it lagging behind modern encryption expectations.

By integrating RadSec (RADIUS over TLS) support, LoginTC is helping to bring RADIUS into alignment with contemporary security standards, ensuring that:

  • Sensitive authentication traffic stays encrypted end-to-end.
  • Organizations remain protected from protocol-level exploits like Blast-RADIUS.
  • Administrators can continue using MFA without compromising performance or compatibility.

It’s a change that underscores our ongoing commitment to evolving LoginTC to meet the highest standards of authentication security, not just in response to new threats, but as part of a proactive vision for safer network access.

Get Started

RadSec support is available now in the LoginTC RADIUS Connector. For setup instructions, compatibility notes, or to upgrade your deployment, visit our LoginTC documentation or contact our support team.



