Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on ports UDP 1645 and UDP 1812, that provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect to and use a NAS (network access server, such as a VPN concentrator, router, or switch). It is a client/server protocol and software that enables remote access servers to communicate with a central server to perform AAA operations for remote users. The protocol runs at the application layer and can use either TCP or UDP as transport.

A RADIUS server utilizes a central database to authenticate remote users. RADIUS functions as a client-server protocol, authenticating each user with a unique encryption key when access is granted. In RADIUS, all passwords are encrypted, but the rest of the information packet is not.
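The following is an added example, not code from the original article: it builds an Access-Request the way RFC 2865 describes and then reads it back, showing that the User-Name attribute travels in clear text while the User-Password is hidden with an MD5 keystream derived from the shared secret. The secret, user name, password and fixed authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1                 # packet code, RFC 2865
USER_NAME, USER_PASSWORD = 1, 2    # attribute types, RFC 2865

def xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res   # always chain on the ciphertext block
    return out

def hide_password(password, secret, authenticator):
    size = max(16, (len(password) + 15) // 16 * 16)   # null-pad to a 16-byte multiple
    return xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    return xor_blocks(hidden, secret, authenticator, True).rstrip(b"\x00")

def build_access_request(ident, authenticator, user, password, secret):
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {type: raw value} exactly as anyone observing the packet sees them."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

# Constructed sample values (not from the article).
SECRET = b"example-shared-secret"
AUTH = bytes(range(16))   # fixed for reproducibility; a real NAS uses 16 random bytes
PACKET = build_access_request(1, AUTH, b"alice", b"correct horse battery", SECRET)
```

Because only the password attribute is hidden, and only as strongly as the shared secret, deployments commonly give each NAS a long random secret and carry RADIUS over a protected network path.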




How Does Radius Work? 

This mechanism is used to perform AAA operations for the following communications:

  • Dial-Up Remote Access
  • VPN Remote Access
  • Wireless Access
  • 1x Access
  • Internet Access
  • Extranet Access

RADIUS’s structure consists of three main components:

  • Client: This is the NAS itself, a networking device that is used to authenticate users.
  • Server: It is a background process that runs on a UNIX or Windows server.
  • Database

This mechanism from start to finish includes the following steps:

1- The user or machine sends a request to a NAS to gain access to a particular network resource using access credentials (usually username and password or security certificate provided by the user).

How are the credentials transmitted to the NAS? This information is passed to the NAS device via a link-layer protocol (for example, PPP) or an HTTPS secure web form.


2- When the NAS receives the credentials, it sends a RADIUS Access Request message to the RADIUS server. This request includes the access credentials.


3- In this step, the RADIUS server checks that the information is correct. It uses authentication schemes (like PAP, CHAP or EAP) to do this. If the Access-Request is not from an authorized client, the message is discarded. The RADIUS server also checks whether there is an access policy or a profile that matches the user credentials.

As mentioned earlier, the RADIUS server is equipped with a database that contains the credentials of all users. The server checks the user's information against a locally stored flat file database. If everything matches, the user is authenticated.

We said "locally" because the RADIUS server is able to have its own local database. This local database can be internal (for example, WIB, if the RADIUS server component is installed on a Microsoft Windows server computer) or it can be a Microsoft SQL Server.

However, you should be aware that the database information is always synchronized with the Active Directory information, and RADIUS can use Microsoft Active Directory-related services such as Kerberos and LDAP to carry out its operations.


4- At this step, it becomes clear whether the user is allowed to access the requested resources or not. (Authentication and Authorization are done.)


5- Now, the RADIUS server returns one of three responses to the NAS:

  • Access Reject: The user is denied access to all requested network resources.
  • Access Challenge: Requests additional information from the user such as a secondary password, PIN, token, or card.
  • Access Accept: The user is granted access. The RADIUS server also sends authorization attributes to the NAS, stipulating the terms of access to be granted. For example: the specific IP address to be assigned to the user, the address pool from which the user's IP address should be chosen, the maximum length of time that the user may remain connected, an access list, or L2TP parameters.



6- Once network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value “start”) is sent by the NAS to the server to signal the start of the user’s network access.


7- Finally, when the user’s network access (user session) is closed, the NAS issues a final accounting record to the server, providing information on the usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user’s network access. (Accounting is done.)


The main advantages of the centralized AAA capabilities of a RADIUS server are heightened security and better efficiency. RADIUS servers provide the ability to preserve the privacy and security of both the system and each individual user.