What is RADIUS Accounting and How it Works (Explained)

In this post, we explain what RADIUS accounting is and how it works in detail. Should you use it on your network? We also look at the advantages and disadvantages of implementing a RADIUS server, and whether you should opt for a cloud or on-premises installation.

Shall we start with What is RADIUS Accounting and How it Works (Explained)?

So, let’s get right into it.

What is RADIUS?

RADIUS is an acronym for Remote Authentication Dial-In User Service. It is a networking protocol for remote users who need to connect to and use a network service. Primarily, it offers centralized authentication, authorization, and accounting (AAA) administration.

RADIUS is a client-server protocol that runs in the application layer of the OSI communication model. It is possible to configure it to use either TCP or UDP protocols. Network Access Servers (NAS), usually switches that control access to a network, contain a RADIUS client component that communicates with the RADIUS server.

Secondly, RADIUS is often the back end of choice for 802.1X authentication, whilst a RADIUS server is usually a background process running on UNIX or Microsoft Windows.

What is a RADIUS server?

A RADIUS server is the machine that the RADIUS service runs on. It works in collaboration with the NAS, which becomes its client.

When remote users seek a connection to access a network’s services, they are sent to the NAS, which in turn uses the RADIUS server’s authentication capabilities. The image below demonstrates this architecture:

RADIUS server and NAS in network
All remote user requests pass through the NAS and RADIUS server

Image source: Wiki Commons

What is RADIUS accounting?

RADIUS accounting is based on a client-server model in which the switch, operating as the NAS, is the client. The NAS is responsible for sending user accounting statistics to the designated RADIUS accounting server.

Meanwhile, the Radius accounting server collects data for statistical purposes and network monitoring. Additionally, it is used to facilitate correct user billing.

In the image below, a Radius server has been set up in tandem with a dedicated database server (right bottom corner) for the user accounting part of “RADIUS accounting.”

RADIUS server with separate server for Accounting
A RADIUS server setup with a dedicated server for user accounting

In the image above, RADIUS uses the client-server model to authenticate and authorize users to log in to a network. It works by sending client requests for access to the RADIUS server for verification via the NAS client. These requests take the form of packets and include clients’ usernames, passwords, IP addresses, and ports. This information is then queried in the database for potential matches. Depending on the information received, and whether it is correct, the server replies with an action to accept, reject or challenge the access.

How does RADIUS accounting work?

The RADIUS accounting process begins when a user gains access to the server. The NAS then sends a RADIUS Accounting Request packet to signify that the user’s access to the network has started.

RADIUS accounting back-and-forth process
The back-and-forth communication between NAS and RADIUS servers

Image source: Wiki Commons

Here’s a step by step breakdown of how Radius accounting works:

    • Accounting Start – when a user is granted access by the NAS, an Accounting Start packet is sent out to the RADIUS server, signalling the start of the user’s network access. The packet that the NAS transmits carries an Acct-Status-Type attribute with the value “start”. It also contains other details like the user’s identification, network address, point of attachment, and a unique session identifier.
    • Accounting Request – these are Interim Update records that are sent out periodically by the NAS to the RADIUS server. These packets contain an Acct-Status-Type attribute that holds an “interim-update” value. Their purpose is to update the server on the status of an active session and convey the current session duration and information on current data usage.
    • Accounting Stop – once the user is done and the access is closed, the NAS sends out an “Accounting Stop” record. This packet contains an Acct-Status-Type attribute with a “stop” value. It includes information on the final usage, for example: time elapsed, packets transferred, the reason for the disconnect, and other information about the user’s network access. The RADIUS server securely stores all the information related to the session.
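
The three record types above are told apart on the wire by the Acct-Status-Type attribute. The Python below is an added example, not code from the original article: it checks the Request Authenticator and decodes Accounting-Request attributes using the packet layout and attribute numbers from RFC 2865/2866. The shared secret, user name and session id are constructed sample values.

```python
import hashlib, hmac, struct

ACCT_REQUEST = 4                                   # RFC 2866 packet code
STATUS = {1: "start", 2: "stop", 3: "interim-update"}
u32 = lambda v: int.from_bytes(v, "big")
ATTRS = {                                          # type -> (name, decoder)
    1: ("User-Name", bytes.decode),
    40: ("Acct-Status-Type", lambda v: STATUS.get(u32(v), u32(v))),
    42: ("Acct-Input-Octets", u32),
    44: ("Acct-Session-Id", bytes.decode),
    46: ("Acct-Session-Time", u32),
}

def authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, pairs, secret):
    """Encode a constructed Accounting-Request from (type, str|int) pairs."""
    attrs = b""
    for t, value in pairs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        attrs += bytes([t, len(raw) + 2]) + raw
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(ACCT_REQUEST, ident, attrs, secret) + attrs

def parse_request(packet, secret):
    """Authenticate and decode one Accounting-Request; ValueError if rejected."""
    code, ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if code != ACCT_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]                      # octets past Length are padding
    if not hmac.compare_digest(packet[4:20], authenticator(code, ident, attrs, secret)):
        raise ValueError("bad Request Authenticator: wrong secret or altered packet")
    record, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("malformed attribute")
        t, alen = attrs[pos], attrs[pos + 1]
        if t in ATTRS:
            name, decode = ATTRS[t]
            record[name] = decode(attrs[pos + 2:pos + alen])
        pos += alen
    return record

# Constructed sample session (secret, user and session id are made up).
SECRET = b"example-shared-secret"
START = build_request(1, [(1, "alice"), (44, "s-01"), (40, 1)], SECRET)
STOP = build_request(2, [(1, "alice"), (44, "s-01"), (40, 2), (46, 3600), (42, 4096)], SECRET)
```

Calling parse_request(STOP, SECRET) returns the decoded stop record for the session; a packet built with a different secret, or altered after it was built, raises ValueError and should be dropped before it reaches billing or audit storage.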

RADIUS verification

Apart from the communication between the RADIUS and NAS servers, there are also times when secondary verification may be needed. Examples could be suspicious IP addresses or unusual traffic. When this happens, the server issues an Access-Challenge to verify that the user is who they claim to be. This communication can be in the form of “Please enter the verification code sent to your phone,” as is common in multi-factor authentication (MFA).

What is interesting about the Access-Challenge packet is that there are only two standard attributes that can be included in a packet. They are the State attribute and the Reply-Message attribute.

The Reply-Message attribute indicates the text that needs to be displayed to the user via the RADIUS server. It can also be included in user files. However, there is a maximum limit of 16 Reply-Messages per profile.

Meanwhile, the State attribute, which allows state information to be maintained between the NAS and the RADIUS server, can only be included once in a single instance. This attribute gets copied, unchanged, into the Access-Request that is returned to the challenging server. Any necessary vendor-specific attributes are also included with it.

Why do we even need RADIUS accounting?

Until corresponding Accounting-Response acknowledgments are received, the Accounting-Request packets are sent out periodically. The main purpose of this back and forth is to help with the accurate billing of users depending on their usage. Besides, it also serves as a source of statistical data on resource usage as well as input for network performance monitoring (NPM) software.

For bigger, segmented networks run by numerous IT administrators, RADIUS is a great solution. Why? Because it makes it simple to manage who has access and when. It helps to keep track of, and enforce, the correct authorization of a large number of users, something that is quite daunting when it comes to users in large corporate networks.

Apart from protecting against unauthorized access to sensitive information, RADIUS also has VLAN segmentation features to prevent authorized users from accessing information that is beyond their scope.

More Radius Accounting Benefits

But, there are more reasons why businesses should adopt RADIUS accounting:

    • Accountability – Radius accounting keeps track of the logon and off times of each user. This makes it possible to match network access with crashes, security issues, and other connectivity problems. RADIUS accounting is also used to determine which customers, local or distant, were logged on at the moment when something suspicious occurs on a network.
    • Access control – RADIUS accounting also helps ensure that clients only get access to the resources they have permission to use. Administrators have easy depreciation capabilities to control the accounts, and individual users can be assigned unique network permissions, all from a central point.
    • Secure VPN access – RADIUS authentication is used not only to secure connections for users on the WiFi, but also for those using VPNs. This helps boost productivity and flexibility by allowing any user to connect to a network from anywhere in the world.
    • Boosting current security – modern RADIUS solutions integrate easily with existing network security configurations. This helps boost security without the need for expensive and time-consuming changes in the infrastructure.

Are there advantages or disadvantages in using RADIUS accounting?

Well, there are both advantages and disadvantages to using RADIUS. Let’s have a look at them individually:

The advantages of RADIUS accounting

    • Radius assigns unique credentials to each user. This prevents hackers and malicious users from penetrating the network. Regardless of the user numbers, there is no common password or account, which reduces unauthorized access.
    • Administrators find that they don’t have to worry about password management. The users manage their credentials and there is no need to micro-manage accounts by enforcing password formats or expiry dates.
    • Administrators have a single, central point of access when they need to work on user management. They can use the consolidated access point to perform management of authentication, authorization, and password policy enforcement.
    • RADIUS comes with 802.1X, an Extensible Authentication Protocol (EAP) framework for transporting authentication packets between two devices. EAP enables uniquely encrypted user sessions to stop unauthorized access.
    • It also has secure VPN authentication that allows remote users to connect to their home networks with ease.
    • The solution is easy to use and integrates into any existing system without the need for costly upgrades or configuration enhancements.

The disadvantages of RADIUS accounting

    • RADIUS must be properly implemented, configured, and managed. This means that, barring the use of a cloud-based architecture, where responsibility for the task is delegated to a third-party service provider, the network owners are responsible for paying for qualified staff who can oversee their on-premises RADIUS installation.
    • The initial setup presents a challenge where there is no adequate in-house know-how to support it. Again, as RADIUS is a security feature, any lapses or misconfigurations make the whole effort useless, or even open a gaping security hole that turns into a giant liability. Hence the need for expertise.
    • Even the most experienced administrators need to tread carefully as numerous configuration options make the initial setup and configuration a daunting task. Challenges they face include dealing with a wide range of protocols and handling compatibility issues.

So, should you use RADIUS accounting?

The answer, as we have seen, depends on how much the security of your network means to you. If you have sensitive data passing around on your network, and you want to make sure that it remains secure, then you will need to use a RADIUS server.

And then there is the fact that RADIUS accounting is the ideal solution for business networks that have a large number of users, especially if they allow remote users and workers to log in but have only a limited number of administrators to oversee their security. Being able to collaborate on user account management and control everything from a central point makes it both an easy and effective solution.

It is worth adding that it also depends on whether you can afford an IT budget that covers the overall overhead that comes with this security tool. You may want to consider implementing the cloud-hosted version as opposed to an on-prem one.

Thank you for reading What is RADIUS Accounting and How it Works (Explained). We shall conclude. 

The bottom line remains: you will need the expertise to implement, configure, and manage your RADIUS servers. And that is where we can help. Check out Radius content here to see how this can work towards securing your network.

Liku Zelleke

Liku Zelleke is a technology blogger who has over two decades experience in the IT industry. He hasn’t looked back since the day, years ago, when he discovered he could combine that experience with his other passion: writing. Today, he writes on topics related to network configuration, optimization, and security for Cloud Infrastructure Services.
