How does RADIUS Server Authentication Work? Using NPS Server
With network attacks increasing and intruders probing networks by many methods, organisations need to control access to their networks more than ever. Routing every access request through a single authentication and authorization server is a proven way to prevent unauthorized access and to keep one audit trail. Among the most widely used protocols for this, Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for network users. Each user connects with their own credentials, and the network device never has to hold a local copy of them.
What is RADIUS?
"What is a RADIUS Server?" is a popular question. RADIUS was originally developed by Livingston Enterprises, Inc. (later acquired by Lucent) and is today an open IETF standard, defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting). It is a networking protocol that decides whether a user may access a network (Authentication), determines what that user is allowed to do on the network (Authorization), and records the user's sessions while they are connected so the network stays auditable (Accounting).
Three parties take part. The Supplicant is software built into or installed on the user's device that supplies the user's credentials (for 802.1X, for example, this is the operating system's wireless or wired client). The RADIUS Client, also called the Network Access Server (NAS), is the device the user connects to (a wireless access point, switch, VPN gateway or firewall); it collects the credentials and relays them to the server. The RADIUS Server, running on a UNIX/Linux or Windows host, verifies the user's identity against its user database and tells the NAS whether to grant access to the requested service. Check out our RADIUS Server Windows solution.
How does Radius Server Authentication Work?
RADIUS authentication and authorization begins when a user requests access to a network resource through a Remote Access Server (RAS), such as a VPN gateway or wireless access point. The RAS is the RADIUS Client: it accepts the user's connection attempt and turns it into a RADIUS request.
Let us now look at a RADIUS server authentication process and the various steps involved in it:
- The user connects to the RADIUS Client (not to the RADIUS server directly) and submits the essential credentials, a username and a password. This could be through a browser-based HTTPS login page or a mobile VPN connection. The RADIUS Client reads the credentials and prepares to forward them.
- The RADIUS Client generates an Access-Request packet and sends it to the RADIUS server over UDP. The shared secret configured on both the client and the server is never transmitted. Instead, the client uses it to hide the password: the packet header carries a random 16-byte Request Authenticator, and the password is XORed with MD5(shared secret + Request Authenticator), block by block, as described in RFC 2865 section 5.2. This hiding is not strong encryption, so RADIUS traffic belongs on a management network or inside an IPsec or TLS (RadSec) tunnel.
- The RADIUS server looks up the source IP address of the Access-Request in its list of configured RADIUS clients. If the sender is not a registered client, the server silently discards the packet; it does not send a reject, so a misconfigured NAS will simply time out.
- If the sender is a known client, the server uses that client's shared secret to recover the password, and reads which authentication method (PAP, CHAP, MS-CHAPv2, EAP) the Access-Request is using. Because a wrong shared secret on either side produces an unreadable password rather than an error, a secret mismatch shows up as a failed logon for a correct password.
- The RADIUS server then looks up the user in its database. If the credentials match a record, the server may read further attributes of the account, such as group membership, permitted logon hours and whether remote access is allowed.
- The RADIUS server checks whether it has an access policy or profile whose conditions match everything it now knows about the user and the request (user group, time of day, NAS, connection type).
- If the credentials are wrong or no policy matches, the server sends an Access-Reject packet to the RADIUS Client. The transaction ends here and the user is not allowed onto the network.
- If a policy matches, the RADIUS server sends an Access-Accept packet to the RADIUS Client. The Access-Accept carries authorization attributes; the one used here is Filter-Id (attribute type 11), a text string the NAS interprets locally. The packet does not contain the shared secret. Its 16-byte Response Authenticator is MD5 over the response code, identifier, length, the original Request Authenticator, the attributes and the shared secret, which is how the reply is tied to both the request and the secret.
- The RADIUS Client recomputes the Response Authenticator with its own copy of the shared secret and compares it with the value in the packet. If they do not match, the client discards the reply, so a host that does not hold the secret cannot inject an Access-Accept. Because this check rests on MD5, current guidance is to also require the Message-Authenticator attribute (RFC 2869) or to carry RADIUS over TLS.
- If the Response Authenticator matches, the RADIUS Client reads the Filter-Id attribute and uses it to place the user in a RADIUS group. A RADIUS group is the set of users who receive the same Filter-Id value, which makes it easy to map users to different functional groups and to the firewall or access rules that apply to each.
- Once the user is authenticated and authorized, the RADIUS Client opens the requested access for them.
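The following Python script is an added example, not code from this page or from Microsoft NPS. It models both sides of the exchange described above (and repeated below for NPS) in one file, with no UDP sent: the NAS hides the PAP password with the shared secret and Request Authenticator as in RFC 2865 section 5.2, the server identifies the client by address, checks the user and policy, and answers with Access-Accept carrying Filter-Id under a Response Authenticator, which the NAS then verifies. The client table, user store, passwords, secrets and policy names are constructed sample data.

```python
"""RADIUS Access-Request / Access-Accept round trip per RFC 2865.

Added example, not code from the page or from Microsoft NPS. Both sides live in
one file and no UDP is sent. All addresses, users, secrets and policy names
below are constructed sample data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3              # RFC 2865 s.3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11    # RFC 2865 s.5

# Constructed configuration: NAS address -> shared secret, user -> (password,
# group), group -> Filter-Id string handed back to the NAS as its "RADIUS group".
CLIENTS = {"10.0.0.10": b"nas-shared-secret"}
USERS = {b"alice": (b"Pa55w0rd!", "Engineering")}
POLICY = {"Engineering": b"eng-acl"}


def pack_attrs(attrs):
    """Serialize (type, value) pairs as RFC 2865 TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(blob):
    """Inverse of pack_attrs; stops on a malformed length instead of looping."""
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2:
            break
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 s.5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side of s.5.2; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attr_blob, req_auth, secret):
    """RFC 2865 s.3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_blob))
    return hashlib.md5(header + req_auth + attr_blob + secret).digest()

def client_access_request(username, password, secret, nas_ip, ident):
    """NAS side: fresh random Request Authenticator, then header + attributes."""
    req_auth = os.urandom(16)
    attrs = pack_attrs([(USER_NAME, username),
                        (USER_PASSWORD, hide_password(password, secret, req_auth)),
                        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_handle(pkt, src_ip):
    """Server side. Returns a response packet, or None when the request is discarded."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                                  # unknown RADIUS client: drop silently
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    record = USERS.get(attrs[USER_NAME])
    # A secret mismatch surfaces here as a wrong password, not as a protocol error.
    if record is None or record[0] != password or record[1] not in POLICY:
        resp_code, resp_attrs = ACCESS_REJECT, b""
    else:
        resp_code, resp_attrs = ACCESS_ACCEPT, pack_attrs([(FILTER_ID, POLICY[record[1]])])
    auth = response_authenticator(resp_code, ident, resp_attrs, req_auth, secret)
    return struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs)) + auth + resp_attrs

def client_verify(resp, req_auth, secret, ident):
    """NAS side: accept the reply only if ID and Response Authenticator check out."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    attr_blob = resp[20:length]
    if rid != ident or resp[4:20] != response_authenticator(code, rid, attr_blob, req_auth, secret):
        return None                                  # forged or corrupted reply: drop it
    return code, parse_attrs(attr_blob).get(FILTER_ID)

def exchange(username, password, nas_ip="10.0.0.10", secret=CLIENTS["10.0.0.10"], ident=7):
    """Full round trip: (code, filter_id) for a verified reply, None if either side dropped."""
    pkt, req_auth = client_access_request(username, password, secret, nas_ip, ident)
    resp = server_handle(pkt, nas_ip)
    return None if resp is None else client_verify(resp, req_auth, secret, ident)
```

Calling `exchange(b"alice", b"Pa55w0rd!")` returns `(2, b'eng-acl')`, an Access-Accept with the Filter-Id the NAS maps to its RADIUS group; a wrong password returns `(3, None)`; a request from an address not in `CLIENTS` returns `None` because the server discards it without replying; and a shared secret that differs between the two sides also returns `None`, since the server's Access-Reject fails the client's Response Authenticator check. Changing a byte of the Filter-Id in transit has the same effect, which is the integrity property the MD5 authenticator provides, weak as it is by today's standards.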
Network Policy Server (NPS)
Network Policy Server (NPS) is the Windows Server role service with which Microsoft implements a Remote Authentication Dial-In User Service (RADIUS) server and proxy. It enforces company-wide network access policies and provides centralized authentication, authorization and accounting.
The authentication and authorization process is given below:
- The network access server (NAS) acts as the RADIUS client and forwards every user connection request as an Access-Request to the Windows server running NPS.
- NPS validates the user's credentials against Active Directory Domain Services (or the local account database on a server that is not domain-joined) and evaluates the request against its connection request policies and network policies.
- If the credentials are valid and a network policy grants access, NPS returns an Access-Accept to the NAS together with the authorization attributes defined in that policy (for example a VLAN, a Filter-Id or session limits), which the NAS applies to the connection.
- The user is then allowed to connect to the network.
- The NAS reports the start, interim status and end of the session in Accounting-Request packets, and NPS, in its RADIUS accounting role, records them.
How to Setup an NPS Server as a RADIUS Server and a RADIUS Proxy?
An NPS (Network Policy Server) can be set up to manage network access, authentication, authorization, and forward connection requests to a server running NPS or other RADIUS servers.
Using NPS server as a RADIUS server
NPS can authenticate, authorize and account for wireless (802.1X), wired switch, dial-up and VPN connections, using Windows Active Directory as the user database. To set up NPS as a RADIUS server, the first step is to register the network access servers, such as wireless access points and VPN servers, as RADIUS clients, each with its IP address and a strong shared secret. The second step is to configure the network policies that NPS uses to authorize connection requests; the default policies deny access, so a policy that matches the intended users and connection type must be added.
Using NPS as a RADIUS proxy
When NPS is used as a RADIUS proxy, connection request policies must be configured for two purposes: to identify which connection requests the NPS server should forward to other RADIUS servers, and to name the remote RADIUS server group those requests are forwarded to. Typically the default connection request policy, which processes everything locally, is removed and replaced by two new connection request policies, one for requests to forward and one for requests to handle locally. Forwarded requests are re-protected with the shared secret of the remote server group, so each proxied hop needs its own secret.
Using NPS as a Network Access Protection (NAP) policy server
When NPS is configured as a NAP policy server, it still performs the job of a RADIUS server, authenticating and authorizing connection requests, and in addition evaluates the health of the connecting computer. Configuring NAP policies and settings in NPS lets client computers be restricted until they update their configuration and comply with the network policy. Note that NAP was deprecated in Windows Server 2012 R2 and removed from NPS in Windows Server 2016, so this mode is only available on older servers.
NPS as RADIUS accounting
NPS can be set up to log accounting information and authentication events to a text log file on the local disk or to a remote Microsoft SQL Server database. When SQL Server logging is used, NPS can be told either to discard connection requests or to keep processing them if logging fails; with the first option, an unreachable database takes network authentication down with it, so the choice should be made deliberately and the log destination monitored.
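As an added example, not code from this page or from Microsoft, the following Python script reads NPS-style text accounting log lines and flags password spraying: many different accounts rejected for bad credentials from the same NAS inside a short window. The element names used (Timestamp, User-Name, Client-IP-Address, Packet-Type, Reason-Code) follow the NPS DTS-compliant XML log format as I know it, but the log lines themselves are constructed samples, so check the field names against a real log before relying on the parser. Packet-Type 3 is Access-Reject (RFC 2865); reason code 16 is the NPS "user credentials mismatch" code.

```python
"""Flag password spraying in an NPS text accounting log.

Added example, not from the page or from Microsoft. NPS can write each RADIUS
event as one <Event> line in its DTS-compliant XML format; the element names
used here follow that format, but the log lines below are constructed samples.
Packet-Type 3 is Access-Reject (RFC 2865); Reason-Code 16 is NPS's
"user credentials mismatch" reason.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

ACCESS_REJECT = 3
CREDENTIAL_MISMATCH = 16


def log_line(ts, user, client_ip, packet_type, reason):
    """Build one constructed log line in the DTS-compliant <Event> shape."""
    return (f'<Event><Timestamp data_type="4">{ts}</Timestamp>'
            f'<Computer-Name data_type="1">NPS01</Computer-Name>'
            f'<User-Name data_type="1">{user}</User-Name>'
            f'<Client-IP-Address data_type="3">{client_ip}</Client-IP-Address>'
            f'<Packet-Type data_type="0">{packet_type}</Packet-Type>'
            f'<Reason-Code data_type="0">{reason}</Reason-Code></Event>')


# Constructed sample: four accounts rejected from one NAS within forty seconds,
# then a user on another NAS who mistypes once, logs in, and starts accounting.
SAMPLE_LOG = [
    log_line("03/14/2024 09:00:01.000", "CORP\\alice", "10.0.0.10", 3, 16),
    log_line("03/14/2024 09:00:12.000", "CORP\\bob", "10.0.0.10", 3, 16),
    log_line("03/14/2024 09:00:25.000", "CORP\\carol", "10.0.0.10", 3, 16),
    log_line("03/14/2024 09:00:40.000", "CORP\\dave", "10.0.0.10", 3, 16),
    log_line("03/14/2024 09:01:00.000", "CORP\\erin", "10.0.0.20", 3, 16),
    log_line("03/14/2024 09:01:05.000", "CORP\\erin", "10.0.0.20", 2, 0),
    log_line("03/14/2024 09:01:06.000", "CORP\\erin", "10.0.0.20", 4, 0),
]


def parse_event(line):
    """Parse one <Event> line into a dict; a missing Reason-Code counts as 0."""
    root = ET.fromstring(line)
    return {
        "time": datetime.strptime(root.findtext("Timestamp"), "%m/%d/%Y %H:%M:%S.%f"),
        "user": root.findtext("User-Name"),
        "client": root.findtext("Client-IP-Address"),
        "packet_type": int(root.findtext("Packet-Type")),
        "reason": int(root.findtext("Reason-Code") or 0),
    }


def spray_candidates(lines, window=timedelta(minutes=5), min_users=3):
    """Return {client_ip: sorted users} for every NAS from which at least
    min_users distinct accounts were rejected for bad credentials inside one
    sliding window. One account failing repeatedly is usually a stale password
    and is deliberately not flagged; many accounts from one NAS is the spray."""
    rejects = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["packet_type"] == ACCESS_REJECT and ev["reason"] == CREDENTIAL_MISMATCH:
            rejects[ev["client"]].append((ev["time"], ev["user"]))
    hits = {}
    for client, events in rejects.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {user for t, user in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[client] = sorted(users)
                break
    return hits
```

Running `spray_candidates(SAMPLE_LOG)` returns `{'10.0.0.10': ['CORP\\alice', 'CORP\\bob', 'CORP\\carol', 'CORP\\dave']}`: the four rejects from 10.0.0.10 fall inside one window, while erin's single mistype on 10.0.0.20 and her later Access-Accept and Accounting-Request are ignored. Because NPS rejects are keyed to the NAS address, not the attacker's address, the output tells you which access point or VPN gateway to look at; the NAS's own logs then supply the client MAC or source IP.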