MN700004 Rev 01
351
32. Remote Authentication Dial-In User Service (RADIUS)
Introduction
RADIUS (Remote Authentication Dial-In User Service) is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server (switch), which requests to authenticate its links, and a shared Authentication Server.
The current BiNOS RADIUS client supports login-type authentication only.
RADIUS communication uses UDP (User Datagram Protocol) with an assigned port number of 1812.
Figure 32-1 RADIUS Communication Example
Transactions between the switch and a RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords sent between the client and the RADIUS server are encrypted, to eliminate the possibility that anyone snooping on an insecure network could determine a user's password (the password is concealed by a method based on the RSA Message Digest Algorithm, MD5).
When the RADIUS server receives a request, it validates the sending client. If the RADIUS server does not have a shared secret with the client that sent the request, RADIUS will silently discard the request. Otherwise, the client is valid, and the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements, which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access.
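The two paragraphs above describe the on-the-wire mechanics: the switch hides the User-Password with an MD5-based keystream derived from the shared secret, and the server first decides whether it even knows the sending client before it looks at the user database. The following Python script is an added illustration of that exchange, not code from the BiNOS manual or from any vendor; it implements the User-Password hiding of RFC 2865 section 5.2, builds and parses a minimal Access-Request, and models the server decision (silent discard, Access-Accept, Access-Reject). The client table, the user table, the addresses and the secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constants from RFC 2865; the UDP port is the one named in the text.
RADIUS_PORT = 1812
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Conceal User-Password (RFC 2865 section 5.2): NUL-pad to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block); for the
    first block the 'previous block' is the 16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                      # chaining uses the concealed block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received
    (concealed) blocks, then strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("concealed User-Password must be a non-empty multiple of 16 octets")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """The Access-Request the switch (NAS) sends: Code, Identifier, Length,
    a 16-octet random Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}); any length
    inconsistency raises ValueError so the caller can drop the datagram."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def handle_access_request(datagram: bytes, client_addr: str, clients: dict, users: dict):
    """Server decision as described in the text: None means the request is
    silently discarded (no shared secret for this client, or a malformed
    datagram); otherwise ACCESS_ACCEPT or ACCESS_REJECT."""
    secret = clients.get(client_addr)
    if secret is None:
        return None                       # unknown client: silent discard
    try:
        code, _ident, authenticator, attrs = parse_packet(datagram)
        if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
            raise ValueError("not a usable Access-Request")
        password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    except ValueError:
        return None
    expected = users.get(attrs[ATTR_USER_NAME])
    # Constant-time compare; an unknown user takes the same path as a wrong password.
    if expected is not None and hmac.compare_digest(expected, password):
        return ACCESS_ACCEPT
    return ACCESS_REJECT


# Constructed sample tables (not from the manual): one NAS and one user.
CLIENTS = {"192.0.2.10": b"example-shared-secret"}   # NAS address -> shared secret
USERS = {b"alice": b"correct horse battery"}          # username -> password


def demo():
    """Exercise the three outcomes: accept, reject, silent discard."""
    good = build_access_request(1, b"alice", b"correct horse battery", CLIENTS["192.0.2.10"])
    bad = build_access_request(2, b"alice", b"wrong", CLIENTS["192.0.2.10"])
    return (handle_access_request(good, "192.0.2.10", CLIENTS, USERS),
            handle_access_request(bad, "192.0.2.10", CLIENTS, USERS),
            handle_access_request(good, "198.51.100.7", CLIENTS, USERS))


if __name__ == "__main__":
    print(demo())   # (2, 3, None)
```

Two points the code makes visible. First, the concealment is an XOR with an MD5-derived keystream whose only secret input is the shared secret, so the secret must be long and random and the client table must be tight; the server's lookup by source address is what turns an unknown sender into a silent discard rather than a password check. Second, the server treats a malformed datagram the same way as an unknown client, which keeps parsing errors from producing any reply that a sender could learn from.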
BiNOS RADIUS Features
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
1. The user is prompted for and enters a username and a password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server: