
RADIUS vs. LDAP: What’s the Difference?

July 6, 2022 By Rublon Authors

Last updated on July 17, 2025

RADIUS and LDAP are two commonly used protocols for user authentication and authorization. While similar at first sight, they are distinct and have several significant differences. But what’s the difference between RADIUS and LDAP? Before starting the RADIUS vs. LDAP discussion, let’s learn what these two protocols are.


What Is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is a protocol that allows RADIUS clients to communicate with a RADIUS server to authenticate users and authorize their access to the requested service.

Let’s clear it up a bit.

The RADIUS client is a network access server (NAS) such as a virtual private network (VPN), router, or switch. Examples of RADIUS clients include Cisco AnyConnect VPN, OpenVPN, and SonicWall. Notably, VPN client software installed locally on a user’s computer is not a RADIUS client. The RADIUS client is the remote access server that such VPN client programs connect to.

On the other hand, the RADIUS server is a process that runs in the background on a Windows or Linux server. The RADIUS server authenticates user credentials and checks user privileges against its central database. The central database can be a built-in database or an external identity provider such as Active Directory.

How Does the RADIUS Protocol Work?

Long story short, to authenticate a user:

A RADIUS client sends a RADIUS Access-Request message to the RADIUS server. User credentials are a part of the Access-Request message. Upon receiving the request, the RADIUS server verifies the received credentials against the user database and responds with one of these three messages:

  • Access-Accept – Accepts the user sign-in attempt
  • Access-Reject – Rejects the user sign-in attempt
  • Access-Challenge – Sends an extra challenge to the user, e.g., a request to enter a TOTP code

Apart from authentication and authorization, RADIUS also supports accounting.

What Is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol that allows LDAP clients to read and modify data on an LDAP server, such as Microsoft Active Directory, over a network.

The LDAP client is any application users sign in to that supports the LDAP protocol.

The LDAP server is a directory service, such as Microsoft Active Directory, OpenLDAP, or FreeIPA, that stores usernames and passwords in the form of an LDAP directory tree.

LDAP clients use the LDAP protocol to access the LDAP server. Most often, an LDAP client contacts the LDAP server to authenticate or authorize a user against the directory of users in an LDAP directory tree. You can also use the LDAP protocol to modify user information, for example, to change the user’s email address.

How Does the LDAP Protocol Work?

In a nutshell, to authenticate a user:

The LDAP client sends the entered user credentials to the LDAP server. Then, the server compares these credentials to the data stored in the directory service and either accepts or rejects the user’s log-in attempt.
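The exchange described above, written out at the byte level as an added example (not Rublon's code): it encodes an LDAPv3 simple bind request and decodes the server's accept or reject answer. The DN, password and response bytes are constructed sample values; note that the password travels as a readable string unless the connection is wrapped in TLS.

```python
# Universal and LDAP-specific BER tags (RFC 4511).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80
RESULT_CODES = {0: "success", 49: "invalidCredentials"}

def ber(tag, content):
    """Encode one tag-length-value element (short or long definite length)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def ber_uint(value):
    # Non-negative INTEGER; the extra high byte keeps the sign bit clear.
    return ber(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def bind_request(message_id, dn, password):
    """LDAPv3 simple bind: version 3, bind DN, password as a plain string."""
    op = ber_uint(3) + ber(OCTET_STRING, dn.encode()) + ber(SIMPLE_AUTH, password.encode())
    return ber(SEQUENCE, ber_uint(message_id) + ber(BIND_REQUEST, op))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_position), rejecting truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(message):
    """Return (message_id, result) from a BindResponse LDAPMessage."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, message_id, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op)  # first field is the ENUMERATED resultCode
    code = int.from_bytes(code, "big")
    return int.from_bytes(message_id, "big"), RESULT_CODES.get(code, code)

# Constructed sample messages (not captured traffic).
REQUEST = bind_request(1, "uid=alice,dc=example,dc=org", "s3cret")
ACCEPTED = bytes.fromhex("300c02010161070a010004000400")
REJECTED = bytes.fromhex("300c02010161070a013104000400")
```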


RADIUS vs. LDAP: What’s the Difference?

Let’s take a look at the differences between LDAP and RADIUS. Here’s a handy RADIUS vs LDAP comparison table.

| RADIUS | LDAP |
|---|---|
| Open standard described in RFC 2865 | Open standard described in RFC 4511 |
| Uses UDP as the transport protocol | Uses TCP as the transport protocol (TLS/SSL for LDAPS) |
| Operates on ports 1812 and 1813 | Operates on port 389 (636 for LDAPS) |
| Used during Authentication, Authorization, and Accounting | Used during Authentication and Authorization. No Accounting support by default |
| No encryption of attributes except for the password | All attributes can be encrypted using TLS as a wrapper |
| Used to communicate with a RADIUS server such as FreeRADIUS | Used to communicate with an LDAP server such as Active Directory or OpenLDAP |
| Simple for one server but may be confusing and challenging to maintain when used with multiple RADIUS servers, RADIUS clients, and other protocols | Simple to implement and maintain, which can reduce overhead costs and workload of network administrators |
| A request-response protocol based on Access-Request packets | A binary protocol based on entries and attributes |
| Increased speed of authentication transactions for large databases of users thanks to the simplicity | May require multiple transactions between the client and the server, which can produce delays |
| Supported by Rublon | Supported by Rublon |

Operation

RADIUS and LDAP are open standard protocols outlined in RFC documents. RADIUS uses UDP and operates on ports 1812 (for authentication) and 1813 (for accounting). In contrast, LDAP uses TCP on port 389. You can wrap LDAP in TLS/SSL; this wrapping is called LDAPS and works on port 636. Both RADIUS and LDAP support authentication and authorization, but only RADIUS fully supports accounting. Server-side accounting is possible to varying degrees in some implementations of LDAP.

Encryption

LDAP with TLS can encrypt all attributes. Contrarily, RADIUS only encrypts the password.
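What "RADIUS only encrypts the password" looks like on the wire, as an added example (not Rublon's code): it builds and parses an Access-Request in the RFC 2865 packet layout, hiding User-Password with the RFC's MD5-and-shared-secret scheme while User-Name and NAS-IP-Address stay readable. The user name, password, shared secret and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

# Codes and attribute types from RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _xor_blocks(data, secret, authenticator, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        out += result
        prev = result if hiding else block
    return out

def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)  # pad with NULs to a multiple of 16
    return _xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, True)

def recover_password(hidden, secret, authenticator):
    # What the RADIUS server does with the shared secret it holds.
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip):
    authenticator = os.urandom(16)
    attrs = [(USER_NAME, user), (NAS_IP_ADDRESS, nas_ip),
             (USER_PASSWORD, hide_password(password, secret, authenticator))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\x00"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad header or length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return CODES.get(code, code), ident, packet[4:20], attrs

# Constructed sample request (values are illustrative, not from the page).
SAMPLE = build_access_request(7, b"alice", b"correct horse", b"constructed-secret", bytes([192, 0, 2, 10]))
```

Parsing `SAMPLE` returns the user name and NAS address as plain bytes, while the password attribute is only recoverable with the shared secret.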

Use Cases

Unsurprisingly, the RADIUS protocol is a means of communication between the RADIUS client and the RADIUS server. Similarly, the LDAP protocol is a way for the LDAP client to communicate with the LDAP server. Even though you can configure your RADIUS server, such as FreeRADIUS, to communicate with Active Directory, this kind of configuration may be confusing and more difficult for administrators to maintain. In such a scenario, the client would first use the RADIUS protocol to connect to the RADIUS server. Then the RADIUS server would use the LDAP protocol to connect to Active Directory. Certainly, configuring your client to connect to Active Directory directly would be a more straightforward solution. Simpler implementation usually means less overhead and less pressure on network administrators.


Technical Differences

RADIUS is a request-response protocol that sends Access-Request packets for authentication and Accounting-Request packets for accounting. In contrast, LDAP is a binary protocol that uses entries and attributes.

Sometimes LDAP requires more than one transaction between the client and the server. The more transactions, the higher the likelihood of delays, which slows down authentication. Also, RADIUS is a better fit for massive user databases thanks to a simpler transport protocol and no need for complicated directory searches.

Multi-Factor Authentication (MFA)

You can use Rublon to deploy Multi-Factor Authentication (MFA) for services compatible with RADIUS and LDAP protocols to protect all your Active Directory and RADIUS users.

RADIUS vs. LDAP With MFA

Companies widely use RADIUS and LDAP protocols during Single-Factor Authentication (SFA). But how does Multi-Factor Authentication (MFA) work in conjunction with these protocols, and what changes do you have to make to your infrastructure after deploying MFA, if any?

Learn more about MFA for RADIUS and MFA for LDAP:

  • MFA for RADIUS
  • MFA for LDAP

LDAP vs. RADIUS: Which One to Choose?

Choosing between LDAP and RADIUS is no trifling matter. But what this choice really entails is that you have to settle on your identity provider and not the protocol. The protocol (or protocols) is largely dependent on your IdP. If you choose Active Directory or OpenLDAP, you will be using the LDAP protocol. If you choose FreeRADIUS, you will be using the RADIUS protocol.

You can combine these protocols if you want, but the gist of it is this: 

1. The RADIUS protocol is widely used for network access, so it makes sense to use it for VPN connections. In contrast, the LDAP protocol is widely used as a directory service. So, you can use LDAP during Remote Desktop Services (RDS) logons of users in the Active Directory domain.

2. Do you already have an identity provider deployed in your company?

  • If yes, then you are probably already using either RADIUS or LDAP protocol; maybe both.
  • If no, then look at the table in this article, but also think about which identity provider you want to use in your particular use case. If you have two or more cases, maybe you can separate them and use RADIUS or LDAP in each of these cases separately.

3. If you want to enable Multi-Factor Authentication (MFA), neither LDAP nor RADIUS is a blocker, as Rublon supports both.

Rublon Enables MFA For Your RADIUS and LDAP Users

Rublon can protect all your FreeRADIUS, OpenLDAP, Active Directory, and FreeIPA users who log in to applications and VPNs in your workforce. It also supports SAML-compatible applications and enables MFA on Remote Desktop Services and Linux SSH.

