| Internet-Draft | RADIUS over QUIC | October 2025 |
| Yue, et al. | Expires 23 April 2026 | [Page] |
The Remote Authentication Dial-In User Server (RADIUS) Protocol can use the User Datagram Protocol (UDP) and the Transport Control Protocol (TCP) as its underlying transport layer. But it permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. QUIC inherently supports encryption (using TLS 1.3), which could provide a higher level of security. And QUIC supports multiple streams over a single connection, enhancing throughput and efficiency. This document defines RADIUS over the QUIC transport protocol, named RADIUSoQUIC.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 April 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting for users who connect and use a network service. It is typically used in environments such as Internet service providers (ISPs), corporate networks, and other places where secure access management is required.¶
The RADIUS protocol was originally defined in [RFC2865] as using the User Datagram Protocol (UDP) for the underlying transport layer. Since UDP has some limitations (such as unreliable transport, packet fragmentation, connectionless transport, and lack of congestion control), the TCP transport is recommended to be used [RFC6613] when another method such as IPsec [RFC4301] or RADIUS/TLS [RFC6614] is used to provide additional confidentiality and security of RADIUS in inter-server communications scenarios, such as inter-domain communication between proxies.¶
QUIC is developed based on the UDP protocol and aims to address certain limitations of TCP. Compared with the traditional TCP/UDP protocol used by RADIUS, QUIC provides the following enhancements:¶
Improved Security. QUIC inherently supports encryption (using TLS 1.3), which could provide a higher level of security for RADIUS communications compared to the standard RADIUS protocol that relies heavily on IPsec or TLS over TCP for encryption. This can also greatly simplify security-related configurations.¶
Enhanced Performance. QUIC reduces connection establishment time with its zero-round-trip setup for repeat connections, potentially speeding up the authentication process significantly.¶
Reliability and Robustness. QUIC's congestion control, loss recovery, and reduced latency features could make RADIUS communications more reliable, especially over less-stable network connections.¶
Connection Migration. The ability of QUIC to handle connection migrations seamlessly could enhance RADIUS network mobility between client (running on Network Access Server) and server, allowing client to change networks (e.g., moving from Wi-Fi to cellular) without disrupting authentication sessions.¶
Multiplexing. QUIC's support for multiple streams over a single connection could enable multiple RADIUS transactions to be processed simultaneously, enhancing throughput and efficiency. This can alleviate the congestion problem of large-scale authentication messages and provide users with faster authentication services and higher authentication success rate via fewer connections.¶
Therefore, for inter-server communication scenarios that require secure connections and reliable data transmission, QUIC is a competitive transport protocol for the message transmission mechanism of RADIUS Protocol. This document specifies how to use QUIC as the transport protocol for RADIUS Protocol, named RADIUSoQUIC.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In this document, the terms "client" and "server" are used to refer to the two ends of the QUIC connection. The client actively initiates the QUIC connection. The terms "RADIUS client" and "RADIUS server" are used to refer to the two ends of the RADIUS Protocol session. Generally, an "RADIUS client" provides an access service for a user to a network, meanwhile a "RADIUS server" provides one or more of authentication, authorization, and/or accounting (AAA) services to a Network Access Server (NAS). In addition, A RADIUS Proxy acts as a RADIUS server to the NAS, and a RADIUS client to the RADIUS server.¶
QUIC connection establishment is described in [RFC9000]. During establishing connection, RADIUSoQUIC support is indicated by selecting the Application-Layer Protocol Negotiation (ALPN) [RFC7301] token as listed in the IANA Section 7 in the TLS handshake.¶
The RADIUS Client or Proxy as client should be the initiator of the QUIC connection to the RADIUS Server meanwhile the RADIUS Server or Proxy as server acts as a connection acceptor.¶
The typical QUIC connection termination process is described in [RFC9000].¶
When an RADIUS session is implemented based on a QUIC connection, the idle timeout should be disabled or the QUIC max_idle_timeout should be set appropriately in order to keep the QUIC connection persistent even if the RADIUS session is idle.¶
If the QUIC connection is broken or closed, retransmissions over new connections are permissible. RADIUS request packets that have not yet received a response MAY be transmitted by a RADIUS client over a new QUIC connection. Since this procedure involves using a new source port, the ID of the packet MAY change. If the ID changes, any security attributes such as Message-Authenticator MUST be recalculated.¶
If a QUIC connection is broken or closed, any cached RADIUS response packets ([RFC5080], Section 2.2.2) associated with that connection MUST be discarded. A RADIUS server SHOULD stop the processing of any requests associated with that QUIC connection. No response to these requests can be sent over the QUIC connection, so any further processing is pointless. This requirement applies not only to RADIUS servers, but also to proxies. When a client's connection to a proxy server is closed, there may be responses from a home server that were supposed to be sent by the proxy back over that connection to the client. Since the client connection is closed, those responses from the home server to the proxy server SHOULD be silently discarded by the proxy.¶
RADIUS clients using QUIC MUST mark a connection DOWN if the network stack indicates that the connection is no longer active. If the network stack indicates that the connection is still active, clients MUST NOT decide that it is down until the application-layer watchdog algorithm has marked it DOWN ([RFC3539], Appendix A). RADIUS clients using QUIC MUST NOT decide that a RADIUS server is unresponsive until all QUIC connections to it have been marked DOWN.¶
A client should proactively close connections or mark a server as DOWN due to an administrative decision.¶
QUIC [RFC9000] uses multiple simultaneous streams to carry data in one direction. QUIC Streams provide a lightweight, ordered byte-stream abstraction to an application. Streams can be unidirectional or bidirectional meanwhile streams can be initiated by either the client or the server. Unidirectional streams carry data in one direction: from the initiator of the stream to its peer. Bidirectional streams allow for data to be sent in both directions.¶
QUIC uses Stream ID to identify the stream. The least significant bit (0x1) of the stream ID identifies the initiator of the stream (client with the bit set to 0). The second least significant bit (0x2) of the stream ID distinguishes between bidirectional streams (with the bit set to 0) and unidirectional streams [RFC9000].¶
RADIUS packets include request packets and response packets. RADIUS request packet is a packet originated by a RADIUS client to a RADIUS server. For example, Access-Request, Accounting-Request, CoA-Request, or Disconnect-Request. RADIUS response packet is a packet sent by a RADIUS server to a RADIUS client, in response to a RADIUS request packet. For example, Access-Accept, Access-Reject, Access-Challenge, Accounting-Response, or CoA-ACK [RFC6613].¶
If RADIUS request packets are carried via transport protocol from RADIUS client to RADIUS server, RADIUS response packet are needed to be sent from RADIUS server to RADIUS client in response to the RADIUS request packets. Therefore, the RADIUS connection should be bidirectional between Client and Server.¶
Based on the above description, The RADIUS request messages are initiated by the Client and the replies are needed from the Server. So the RADIUS messages MAY be mapped into one bidirectional stream whose stream type is 0x0 according to section 2.1 of [RFC9000].¶
To enhance transmission performance during large-scale processing of authentication, accounting, and authorization requests, RADIUS messages can be transmitted over multiple configurable bidirectional streams.¶
When using multiple streams, all messages belonging to the same RADIUS transaction must remain within a single stream to maintain protocol integrity. A RADIUS transaction refers to a complete protocol interaction process, including all message exchanges between the client (such as NAS) and the server (such as RADIUS server) from the request to the final response. RADIUS transactions can be divided into authentication transactions, accounting transactions, and dynamic authorization transactions.¶
RADIUSoQUIC uses QUIC which uses TLS version 1.3 or greater. Therefore, the TLS handshake process can be used for RADIUSoQUIC endpoint authentication. A third-party authentication mechanism can also be applied for RADIUSoQUIC endpoint authentication, such as a TLS client certificate.¶
The decision to use RADIUSoQUIC instead of the TCP-based/UDP-based mechanism is an operational decision, and an implementation MUST provide a configuration mechanism to enable RADIUSoQUIC on the RADIUS session.¶
As QUIC is a reliable transport, if there is no response to a RADIUS packet over one QUIC connection, implementations MUST NOT retransmit that packet over a different QUIC connection to the same destination IP address and port, while the first connection is in the OKAY state ([RFC3539], Appendix A).¶
The use of QUIC transport does not change the calculation of security-related fields (such as the Response-Authenticator) in RADIUS [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of attributes such as User-Password [RFC2865] or Message-Authenticator [RFC3579] also does not change. In addition, Clients and servers MUST be able to store and manage shared secrets based on the key described at the section 2.6 of [RFC3539] (i.e., IP address, port, transport protocol).¶
This document creates a new registration for the identification of RADIUSoQUIC in the "Application Layer Protocol Negotiation (ALPN) Protocol IDs" registry established in [RFC7301].¶
The "RADIUSoQ" string identifies RADIUSoQUIC:¶
Protocol: RADIUSoQUIC¶
Identification Sequence: 0x52 0x41 0x44 0x49 0x55 0x53 0x6f 0x51 ("RADIUSoQ")¶
Specification: This document¶
In addition, it is requested for IANA to reserve a UDP port TBD for 'RADIUS over QUIC'.¶
This document replaces the transport protocol layer of RADIUS from other transport protocols to QUIC. The basic protocol specification of RADIUS is not modified, and therefore the new security risks are not introduced to the basic RADIUS protocol. RADIUSoQUIC enhances transport-layer security for RADIUS session according to [RFC9000].¶
This document does not require to support third-party authentication (e.g., backend Authentication) due to the fact that TLS does not specify this way of authentication. If third-party authentication is needed, TLS client certificates are recommended to be used here.¶