Forum Discussion

kdjones03
Brass Contributor
May 11, 2022

VPN Gateway - Why is the Radius secret in plain text?

Hello,


I'm curious as to why the Radius secret for the VPN Gateway in a point-to-site configuration is in plain text in the browser even after saving. Is this by design, and if so, is it possible to reference an Azure Key Vault to pull the Radius secret?

1 Reply

  • Yes, this is by design in the Azure Portal UI. When configuring Point-to-Site (P2S) VPN Gateway with RADIUS authentication, the RADIUS shared secret is stored as a plain text field in the portal interface. Even after saving, it remains visible when you revisit the configuration.

    This behavior is intended to make it easier to manage and update the secret, but it does raise concerns about security hygiene, especially in shared or audited environments.


    Plus, it is unfortunate that you cannot directly reference Azure Key Vault for the RADIUS secret in the VPN Gateway configuration. The portal and underlying API do not currently support pulling secrets from Key Vault for this field.

    However, here are a few workarounds and best practices:


    • Use Role-Based Access Control (RBAC) to restrict who can view/edit the VPN Gateway settings.
    • Audit access to the portal and configuration changes using Azure Activity Logs.
    • Store the secret in Azure Key Vault for internal use, and manually copy it into the portal when needed.
    • If you're automating deployments, consider using Azure PowerShell or ARM templates and pull the secret from Key Vault during deployment, but this still results in the secret being stored in plain text in the resource config.


    Alternative Authentication Options

    If you're looking for a more secure and scalable solution, consider switching to:

    • Azure AD authentication for P2S VPN (no shared secret required)
    • Certificate-based authentication, which avoids shared secrets entirely
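The "pull the secret from Key Vault during deployment" workaround from the reply, as an added Azure PowerShell example that is not part of the thread. It assumes `Connect-AzAccount` has already been run with rights to read the secret and update the gateway; the resource group, gateway, vault, secret name, RADIUS server address and client address pool are placeholder values.

```powershell
# Added example: configure P2S RADIUS on a VPN Gateway with the shared secret
# read from Key Vault at deployment time instead of typed into the portal.
# All names and addresses below are placeholders (assumptions, not from the thread).
$ResourceGroup     = 'rg-hub-network'
$GatewayName       = 'vgw-hub-p2s'
$VaultName         = 'kv-network-secrets'
$SecretName        = 'radius-shared-secret'
$RadiusServer      = '10.0.1.4'
$VpnClientPool     = '172.16.201.0/24'

# Get-AzKeyVaultSecret hands back the value as a SecureString, so the secret is
# never held as plain text in this script or written to a transcript.
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) {
    throw "Secret '$SecretName' was not found in vault '$VaultName'."
}

$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName

# -RadiusServerSecret expects a SecureString, so no -AsPlainText conversion is needed.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway `
    -VpnClientAddressPool $VpnClientPool `
    -RadiusServerAddress $RadiusServer `
    -RadiusServerSecret $secret.SecretValue

# Caveat: the gateway still stores the secret in its own resource configuration,
# so Key Vault only protects the source copy and records who read it. Limit who
# can read the gateway resource with RBAC and watch the Activity Log for changes.
```

Rotating the secret then becomes "update the Key Vault version and re-run this script", which keeps the authoritative copy, its access policy and its audit trail in the vault.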
