RADIUS is an acronym used for Remote Authentication Dial-In User Service. It was developed by Livingston Enterprises in the year 1991.
Radius is a networking protocol known for providing AAA-
There are two types of packets (small segments of a larger message) which are used by RADIUS for managing the complete AAA process.
- Manages authentication and authorization
- A user or machine uses access credentials to send a request to a Network Access Server (NAS) to acquire access to a specific network resource.
- The link-layer protocol is used to send the credentials to the NAS device.
- A RADIUS Access-Request message is sent by Network Access Server (NAS) to the RADIUS server, requesting permission to provide access to the RADIUS protocol.
- The request comprises the user’s access credentials, such as a security certificate or username and password.
- Other information in the request could include the user’s network address or phone number, as well as information on the user’s physical attachment point to the NAS.
- With the help of schemes like CHAP (Challenge-Handshake Authentication Protocol), PAP (Password Authentication Protocol), or EAP (Extensible Authentication Protocol), the RADIUS server checks whether or not the information is correct.
- The proof of identification given by the user is checked. Other request-related information is also verified, such as the user’s network address or phone number, as well as the account status.
- The NAS will receive one of three responses from the RADIUS server:
ii) Access-Challenge, or
Each of these three RADIUS responses may have a reply-message
attribute that specifies the reason for the rejection, the challenge
prompt, or the accept message.
- The NAS receives authorization attributes that specify the terms of access to be given.
- Manages Accounting
- When the NAS grants the user network access, the NAS sends an ‘Accounting Start’ to the RADIUS server to notify the start of the user’s network access.
- The user’s identification, point of attachment, network address, and a unique session identifier are generally included in ‘start’ data.
- (acct status type = start)
- The current session duration and details on current data usage are often conveyed in interim records. The NAS may send Interim Update records periodically to the RADIUS server to keep it up to date on the status of an active session.
- The NAS sends a final Accounting Stop record to the RADIUS server when a user’s network access ends, specifying the user’s last network usage in terms of –
i) time taken, ii) packets and data transferred, iii) reason for disconnect, etc.
- RADIUS provides unique credentials for each user, which reduces the risk of hackers penetrating a network.
- When it comes to authentication, authorization, and password management, the IT professionals only have to deal with one point of contact i.e, it provides a central point for authentication
- There is no way to establish explicit command authorization.
- Only the passwords are encrypted by RADIUS. Other information, such as a username, is not protected.
The client/server model is used by RADIUS to authenticate and authorize users to access a network. A RADIUS Client, also known as a Network Access Server, is a network device that authenticates users. RADIUS Server allows keeping the user profiles in a central database.
RADIUS Servers assist in security management and in the creation of server administration policies enabling businesses and organizations to ensure the privacy and security of their systems and users.
1.What is meant by Access-Reject?
If any of the received Attributes is unacceptable, the RADIUS server will respond with an Access-Reject packet.
2. What is meant by Access-Challenge?
If the RADIUS server wants to send the user a challenge that requires a response, it will send an Access-Challenge packet in response to the Access-Request.