RADIUS, or Remote Authentication Dial-In User Service, is a client-server networking protocol that operates at the application layer. Livingston Enterprises, Inc. developed RADIUS as an access server authentication and accounting protocol. Needless to say, the RADIUS protocol works with a RADIUS Server and RADIUS Clients.
As you might be aware, communication between the Network Access Server (NAS) and the RADIUS server runs over UDP (User Datagram Protocol). RADIUS is therefore treated as a connectionless service: issues such as server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices, not by the transport protocol.
What are RADIUS Servers?
RADIUS is a client-server protocol. A RADIUS client is usually a NAS. The server is typically a daemon process running on a UNIX or Windows server. The client relays user information to the designated RADIUS servers and acts on the response it receives. The servers receive user connection requests, authenticate the user, and return the configuration information the client needs to deliver the specific service to the user. A RADIUS server can also act as a proxy client to other RADIUS servers and to other types of authentication servers.
Network Access Server
The NAS, or RADIUS Client, is a networking device such as a VPN concentrator, router, or switch that needs to authenticate users. The RADIUS Server is a background process that runs on a UNIX or Windows NPS server. It lets you keep user profiles in a central database, so with a RADIUS Server you control who can connect to your network.
How does a RADIUS Server work?
Whenever users try to connect to a RADIUS Client, the Client forwards their requests to the RADIUS Server. Users can connect through the RADIUS Client only once the RADIUS Server has authenticated and authorized them.
The exact nature of the RADIUS ecosystem determines how a RADIUS Server works. Nevertheless, all servers have AAA capabilities, which means they can Authenticate, Authorize, and Account for requests. In certain RADIUS ecosystems, a RADIUS Server will also act as a proxy client to other RADIUS Servers.
RADIUS Servers provide businesses with an enhanced ability to safeguard the privacy and security of both their systems and their users. This in turn helps in better security management and in creating better policies for server administration.
Communication between a dial-in user and the RADIUS client and server proceeds as follows:
- The user begins PPP authentication to the NAS.
- The NAS prompts for a username and password in the case of PAP (Password Authentication Protocol), or issues a challenge in the case of CHAP (Challenge Handshake Authentication Protocol).
- The user replies.
- The RADIUS client sends the username and an encrypted password to the RADIUS server.
- The RADIUS server responds with Accept, Reject, or Challenge.
- The RADIUS client acts on the service and service parameters associated with the Accept or Reject.
RADIUS Server Authentication and Authorization
As mentioned earlier, a RADIUS Server supports several methods of authenticating a user. In RADIUS, authentication and authorization happen together. The process usually begins with a user trying to connect to the RADIUS Client with a username and password.
How does Accounting for RADIUS Server or RADIUS Authentication work?
RADIUS Servers are used for accounting purposes too. RADIUS accounting gathers data for network monitoring, billing, or statistical purposes. Typically, the accounting process starts once the user has been granted access. Note, however, that RADIUS accounting can be used independently of RADIUS authentication and authorization.
Let us now look at a basic RADIUS accounting process and the steps involved in it:
- The accounting process begins when the user is approved and granted access.
- The RADIUS Client will send the RADIUS Accounting-Request packet (commonly referred to as Accounting Start) to the Server. The request packet contains details such as the user ID, network address, session identifier, and the point of access, among others.
- During the session, the Client can send additional Accounting-Request packets, referred to as Interim Updates, to the RADIUS Server. These packets contain details such as the current session duration and data usage; their purpose is to refresh the RADIUS Server's information about the user's session.
- Once the user's session ends, the RADIUS Client sends a final Accounting-Request packet (Accounting Stop) to the RADIUS Server. This packet contains information such as the total time, data, and packets transferred, the reason for termination, and other relevant details about the user's session.
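To make the Start, Interim Update and Stop sequence concrete, here is an added example of how a server-side process can consume those records; it is not code from the original article. It works on already-decoded attributes named after the RFC 2866 attributes (Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets, Acct-Terminate-Cause); the wire encoding and the accounting Request Authenticator are left out, and every session id, address and counter below is a constructed sample value.

```python
from dataclasses import dataclass

# Acct-Status-Type values from RFC 2866: the article's Accounting Start, Accounting Stop and Interim Update.
START, STOP, INTERIM_UPDATE = 1, 2, 3
STATUS_NAMES = {START: "Start", STOP: "Stop", INTERIM_UPDATE: "Interim-Update"}
# A few Acct-Terminate-Cause values (RFC 2866 5.10) so the Stop record's reason is readable.
TERMINATE_CAUSES = {1: "User-Request", 2: "Lost-Carrier", 4: "Idle-Timeout", 5: "Session-Timeout", 6: "Admin-Reset"}


@dataclass
class Session:
    session_id: str
    user: str
    nas_ip: str
    framed_ip: str
    session_time: int = 0      # Acct-Session-Time in seconds (current in Interim-Update, total in Stop)
    input_octets: int = 0      # Acct-Input-Octets, cumulative for the session
    output_octets: int = 0     # Acct-Output-Octets, cumulative for the session
    terminate_cause: str = ""  # set from Acct-Terminate-Cause by the Stop record
    stopped: bool = False


class AccountingServer:
    """Server-side view of the accounting flow: Start opens a record, Interim-Update refreshes it,
    Stop closes it. Records that do not fit that order are still kept but logged as anomalies,
    because a missing Start or a counter running backwards is a billing or audit gap worth a look."""

    def __init__(self):
        self.sessions = {}
        self.anomalies = []

    def handle(self, rec):
        """Process one decoded Accounting-Request (dict keyed by attribute name); returns the session."""
        status, sid = rec["Acct-Status-Type"], rec["Acct-Session-Id"]
        name = STATUS_NAMES.get(status, f"status {status}")
        sess = self.sessions.get(sid)
        if status == START:
            if sess is not None:
                self.anomalies.append(f"{sid}: duplicate Start (NAS retransmission or reused session id)")
                return sess
            sess = Session(sid, rec["User-Name"], rec["NAS-IP-Address"], rec.get("Framed-IP-Address", ""))
            self.sessions[sid] = sess
            return sess
        if sess is None:  # Stop/Interim for a session we never saw start: the Start was lost or never sent
            self.anomalies.append(f"{sid}: {name} without a preceding Start")
            sess = Session(sid, rec.get("User-Name", "?"), rec.get("NAS-IP-Address", "?"),
                           rec.get("Framed-IP-Address", ""))
            self.sessions[sid] = sess
        if sess.stopped:  # a retransmitted Stop is harmless; anything else after Stop is not
            if status != STOP:
                self.anomalies.append(f"{sid}: {name} after Stop")
            return sess
        new_time = rec.get("Acct-Session-Time", sess.session_time)
        new_in = rec.get("Acct-Input-Octets", sess.input_octets)
        if new_time < sess.session_time or new_in < sess.input_octets:
            self.anomalies.append(f"{sid}: counters went backwards in {name}")
        sess.session_time, sess.input_octets = new_time, new_in
        sess.output_octets = rec.get("Acct-Output-Octets", sess.output_octets)
        if status == STOP:
            sess.stopped = True
            sess.terminate_cause = TERMINATE_CAUSES.get(rec.get("Acct-Terminate-Cause"), "unknown")
        return sess


# Constructed sample records for one PPP session, in the order a NAS would send them,
# followed by a stray Stop for a session whose Start never arrived.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": START, "Acct-Session-Id": "3A1F0001", "User-Name": "alice",
     "NAS-IP-Address": "192.0.2.10", "Framed-IP-Address": "192.0.2.77"},
    {"Acct-Status-Type": INTERIM_UPDATE, "Acct-Session-Id": "3A1F0001", "Acct-Session-Time": 60,
     "Acct-Input-Octets": 10_240, "Acct-Output-Octets": 51_200},
    {"Acct-Status-Type": INTERIM_UPDATE, "Acct-Session-Id": "3A1F0001", "Acct-Session-Time": 120,
     "Acct-Input-Octets": 20_480, "Acct-Output-Octets": 102_400},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "3A1F0001", "Acct-Session-Time": 180,
     "Acct-Input-Octets": 30_720, "Acct-Output-Octets": 153_600, "Acct-Terminate-Cause": 1},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "3A1F0002", "User-Name": "bob",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": 30, "Acct-Terminate-Cause": 2},
]


def replay(records=SAMPLE_RECORDS):
    """Feed the records through a fresh server and return it for inspection."""
    server = AccountingServer()
    for rec in records:
        server.handle(rec)
    return server
```

Because the Interim Update counters are cumulative, the tracker overwrites rather than sums them; the Stop record then carries the session totals. The anomalies list is where a defender would look for lost Start packets or a NAS whose counters reset mid-session.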
RADIUS Authentication and Authorization
You must bear in mind that RADIUS servers can support a wide range of methods to authenticate a user. When the user supplies a username and password, the server can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
A typical user login involves a query, or Access-Request, from the NAS to the server and the corresponding response, Access-Accept or Access-Reject, from the server. The Access-Request packet includes information such as the username, the encrypted password, the NAS IP address, and the port.
RADIUS was originally deployed on UDP port 1645, which conflicts with the "datametrics" service. RFC 2865 therefore officially allocated port 1812 to RADIUS (accounting similarly moved from 1646 to 1813). Nonetheless, many devices and applications support either set of port numbers.
The request also carries information on the type of session the user wants to initiate. For instance, if the query arrives in character mode, the interpretation is "Service-Type = Exec-User"; if the request arrives as a PPP packet, the inference is "Service Type = Framed User" and "Framed Type = PPP".
Once the RADIUS server receives the Access-Request from the NAS, it searches its database for the username. If the username is not in the database, the server either loads a default profile or immediately sends an Access-Reject message. The Access-Reject message may be accompanied by a text message stating the reason for the refusal.
In RADIUS, authentication and authorization are linked. When the server finds the username and the password is correct, it returns an Access-Accept response containing a list of attribute-value pairs that describe the parameters for the session. Typical parameters include the type of service (shell or framed), the protocol, the IP address to assign to the user (static or dynamic), an access list to apply, or a static route to install in the NAS routing table. The configuration information held in the RADIUS server determines what is installed on the NAS.
The accounting features of the RADIUS protocol can be used independently of RADIUS authentication and authorization. The accounting functions allow data to be sent at the start and end of each session, together with the resources used during it: time, packets, bytes, and more. An ISP can use RADIUS access control and accounting software to meet its specific security and billing needs.
Transactions between the client and the RADIUS server are validated using a shared secret, which is never sent over the network. Furthermore, user passwords are sent between the client and the RADIUS server in encrypted form, so someone eavesdropping on an insecure network cannot simply read a user's password off the wire.
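The PPP/PAP exchange listed earlier, the contents of the Access-Request and Access-Accept packets, and the shared-secret validation just described can be seen together in the following added example, which is not code from the original article. A NAS builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes (each 16-byte block XORed with the MD5 of the shared secret and the Request Authenticator, or the previous hidden block); the server recovers the password, checks it, and answers with an Access-Accept carrying Service-Type, Framed-Protocol and Framed-IP-Address attributes or with an Access-Reject; and the NAS acts on that answer only after verifying the Response Authenticator. The shared secret, user, password and addresses are constructed values, and the packets are built and checked in memory rather than sent over UDP.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes and attribute types from RFC 2865 (only the subset used here).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
SERVICE_FRAMED_USER, FRAMED_PROTOCOL_PPP = 2, 1

SHARED_SECRET = b"example-shared-secret"   # constructed demo secret, not a real one
USER_DB = {b"alice": b"correct horse"}     # constructed one-user "database"


def avp(attr_type, value):
    """Encode one attribute-value pair as Type, Length (header included), Value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value

def parse_avps(data):
    """Decode a run of AVPs into {type: value}, refusing malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def xor_chain(data, secret, req_auth, hiding):
    """RFC 2865 5.2: block n is XORed with MD5(secret + previous hidden block), starting from the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]   # chain on the hidden form either way
    return out

def hide_password(password, secret, req_auth):
    """NAS side: NUL-pad to a multiple of 16 octets and hide under the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    """Server side: undo the hiding and strip the NUL padding."""
    return xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length (20-byte header + attributes), Authenticator, attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def build_access_request(username, password, ident, secret):
    """NAS side: fresh random Request Authenticator, hidden password, PPP session AVPs."""
    req_auth = secrets.token_bytes(16)
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))   # constructed NAS address
             + avp(NAS_PORT, struct.pack(">I", 7))
             + avp(SERVICE_TYPE, struct.pack(">I", SERVICE_FRAMED_USER))
             + avp(FRAMED_PROTOCOL, struct.pack(">I", FRAMED_PROTOCOL_PPP)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret, user_db):
    """Server side: recover the password, check the user, answer Accept (with session AVPs) or Reject."""
    code, ident, length = struct.unpack(">BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_avps(request[20:])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = user_db.get(attrs.get(USER_NAME, b""))
    if expected is not None and hmac.compare_digest(expected, password):
        code = ACCESS_ACCEPT
        reply_attrs = (avp(SERVICE_TYPE, struct.pack(">I", SERVICE_FRAMED_USER))
                       + avp(FRAMED_PROTOCOL, struct.pack(">I", FRAMED_PROTOCOL_PPP))
                       + avp(FRAMED_IP_ADDRESS, bytes([192, 0, 2, 77])))   # constructed assigned address
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, req_auth, reply_attrs, secret), reply_attrs)

def client_check_reply(request, reply, secret):
    """NAS side: act on a reply only if its Identifier matches and its Response Authenticator checks out; else None."""
    code, ident, length = struct.unpack(">BBH", reply[:4])
    if ident != request[1] or length != len(reply) or length < 20:
        return None
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code, parse_avps(reply[20:])

def run_exchange(username, password):
    """One login attempt end to end; returns (code, attrs), or None if the reply failed validation."""
    request = build_access_request(username, password, ident=42, secret=SHARED_SECRET)
    reply = server_handle(request, SHARED_SECRET, USER_DB)
    return client_check_reply(request, reply, SHARED_SECRET)
```

The client-side check is what makes the shared secret matter for replies: a response whose Identifier does not match the outstanding request, or whose Response Authenticator was not computed with the same secret, is discarded rather than acted upon, and a server configured with a different secret recovers only garbage from the hidden password and therefore answers with a Reject.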
RADIUS Servers have many uses and advantages. They protect your organization's private information from snooping outsiders. They also facilitate easy depreciation capabilities and allow unique network permissions to be assigned to individual users. Moreover, RADIUS can integrate into your existing system without any significant changes.