Modernizing Legacy RADIUS Authentication with OpenID Connect
The request hit the network and the RADIUS server froze. The logs showed nothing new, but the user’s auth never came back. This is the gap between legacy authentication protocols and modern identity.
OpenID Connect (OIDC) with RADIUS isn’t a theory. It’s a bridge. It lets systems that still speak RADIUS authenticate against an OIDC identity provider. This means you can connect VPNs, Wi‑Fi controllers, and network appliances to cloud identity services without ripping out existing infrastructure.
RADIUS was built for dial‑up. It uses shared secrets and usernames, and it works in almost any network device. But password‑based RADIUS is brittle, and it can’t natively handle multifactor authentication, adaptive policies, or modern security claims. OIDC, built on OAuth 2.0, uses JWT tokens, scopes, and claims to carry rich identity data. It supports single sign‑on and MFA, and it integrates with identity providers like Okta, Auth0, and Azure AD.
An OIDC‑RADIUS integration works by inserting a gateway or proxy. The RADIUS client sends an access request to the gateway. The gateway translates that request into an OIDC authorization flow. The user is directed to the identity provider, signs in, and the provider issues tokens. The gateway verifies the tokens and returns an Access‑Accept or Access‑Reject over RADIUS. This is low‑latency, supports MFA, and lets you enforce conditional access policies.
Key benefits of using OpenID Connect with RADIUS:
- Centralized identity across legacy and modern systems
- Stronger authentication with MFA and adaptive rules
- Standard claims for role‑based access control
- Easier compliance reporting through IDP logs
- Reduced password exposure inside the network
Common use cases: VPN authentication, enterprise Wi‑Fi, and secure shell access to network gear. Any RADIUS‑speaking device can be brought under the same identity umbrella as your SaaS applications.
To deploy, choose a gateway that supports OIDC‑RADIUS translation. Configure the RADIUS clients with the gateway’s shared secret. In the gateway, set up the OIDC provider details, client ID, client secret, redirect URIs, and scopes. Test the token validation and claims mapping. Monitor both RADIUS and OIDC logs to catch configuration errors early.
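The token validation and claims mapping steps above can be exercised offline before the gateway is pointed at a real provider. The following is an added example, not code from this page or from any gateway product; it assumes HS256-signed ID tokens keyed with the client secret (many providers sign with RS256 and published keys instead), a `groups` claim, and a hypothetical group-to-Filter-Id mapping, and every value in it is constructed.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example.com"          # constructed gateway settings
CLIENT_ID = "radius-gateway"
CLIENT_SECRET = b"constructed-client-secret"
GROUP_TO_FILTER_ID = {"net-admins": "admin-acl", "staff": "staff-acl"}  # hypothetical

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret=CLIENT_SECRET, alg="HS256"):
    """Build a constructed ID token (HMAC-SHA256 signature) for testing."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def radius_decision(id_token, now=None):
    """Return ("Access-Accept", attrs) or ("Access-Reject", {"reason": ...})."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = id_token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError):
        return "Access-Reject", {"reason": "malformed token"}
    # Pin the algorithm; the token header must not be allowed to choose it.
    if header.get("alg") != "HS256":
        return "Access-Reject", {"reason": "unexpected alg"}
    expected = hmac.new(CLIENT_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "Access-Reject", {"reason": "bad signature"}
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return "Access-Reject", {"reason": "wrong issuer or audience"}
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "Access-Reject", {"reason": "expired"}
    # Claims mapping: the first mapped group becomes the RADIUS Filter-Id.
    groups = claims.get("groups")
    for group in groups if isinstance(groups, list) else []:
        if isinstance(group, str) and group in GROUP_TO_FILTER_ID:
            return "Access-Accept", {"User-Name": claims.get("sub"), "Filter-Id": GROUP_TO_FILTER_ID[group]}
    return "Access-Reject", {"reason": "no mapped group"}
```

A token that verifies but carries no mapped group is rejected, so a new identity provider group grants no network access until it is added to the mapping.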
Modernize authentication without replacing your network stack. See an OIDC‑RADIUS setup live in minutes at hoop.dev.