2
RADIUS
RADIUS is a distributed information interaction protocol that uses a client/server model. It can protect
networks against unauthorized access and is often used in network environments where both high
security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port
1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and
records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, it rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary. See
.
Figure 2
RADIUS server components
•
Users
—Stores user information, such as usernames, passwords, applied protocols, and IP
addresses.
•
Clients
—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
Dictionary
—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
RADIUS uses a shared key that is never transmitted over the network to authenticate information
exchanged between a RADIUS client and the RADIUS server. This enhances information exchange
security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS
encrypts passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, such as PAP and CHAP of the PPP
protocol. A RADIUS server can also act as the client of another AAA server to provide authentication
proxy services.
Basic RADIUS message exchange process
illustrates the interactions between the host, the RADIUS client, and the RADIUS server.