RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. It listens to connection requests, authenticates users, and returns user access control information (for example, rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2: RADIUS server components
Users—Stores user information, such as usernames, passwords, applied protocols, and IP addresses.
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
A RADIUS client and the RADIUS server use the shared key to authenticate RADIUS packets and encrypt user passwords that are exchanged between them. The keys are never transmitted over the network. This security mechanism improves the security of RADIUS communication and prevents user passwords from being intercepted on insecure networks.
A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 3: Basic RADIUS message exchange process
RADIUS operates in the following manner:
The host initiates a connection request that carries the user's username and password to the RADIUS client.
Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
The RADIUS server authenticates the username and password. If the authentication succeeds, the server sends back an Access-Accept message containing the user's authorization information. If the authentication fails, the server returns an Access-Reject message.
The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.
The user accesses the network resources.
The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user.
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.
Figure 4: RADIUS packet format
Descriptions of the fields are as follows:
The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible values and their meanings.
Table 1: Main values of the Code field
Code | Packet type | Description |
---|---|---|
1 | Access-Request | From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port. |
2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response. |
3 | Access-Reject | From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the authentication fails and the server sends an Access-Reject response. |
4 | Accounting-Request | From the client to the server. A packet of this type carries user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting. |
5 | Accounting-Response | From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information. |
The Identifier field (1 byte long) is used to match request and response packets and to detect duplicate request packets. Request and response packets of the same type have the same identifier.
The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered padding and are ignored at the receiver. If the length of a received packet is less than this length, the packet is dropped. The value of this field is in the range of 20 to 4096.
The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to encrypt user passwords. There are two types of authenticators: request authenticator and response authenticator.
The Attributes field (variable in length) carries the specific authentication, authorization, and accounting information that defines the configuration details of the request or response. This field may contain multiple attributes, each with three sub-fields:
Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2shows a list of the attributes. For more information about commonly used standard RADIUS attributes, see "Commonly used standard RADIUS attributes."
Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value fields.
Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length fields.
Table 2: Commonly used RADIUS attributes
No. | Attribute | No. | Attribute |
---|---|---|---|
1 | User-Name | 45 | Acct-Authentic |
2 | User-Password | 46 | Acct-Session-Time |
3 | CHAP-Password | 47 | Acct-Input-Packets |
4 | NAS-IP-Address | 48 | Acct-Output-Packets |
5 | NAS-Port | 49 | Acct-Terminate-Cause |
6 | Service-Type | 50 | Acct-Multi-Session-Id |
7 | Framed-Protocol | 51 | Acct-Link-Count |
8 | Framed-IP-Address | 52 | Acct-Input-Gigawords |
9 | Framed-IP-Netmask | 53 | Acct-Output-Gigawords |
10 | Framed-Routing | 54 | (unassigned) |
11 | Filter-ID | 55 | Event-Timestamp |
12 | Framed-MTU | 56-59 | (unassigned) |
13 | Framed-Compression | 60 | CHAP-Challenge |
14 | Login-IP-Host | 61 | NAS-Port-Type |
15 | Login-Service | 62 | Port-Limit |
16 | Login-TCP-Port | 63 | Login-LAT-Port |
17 | (unassigned) | 64 | Tunnel-Type |
18 | Reply-Message | 65 | Tunnel-Medium-Type |
19 | Callback-Number | 66 | Tunnel-Client-Endpoint |
20 | Callback-ID | 67 | Tunnel-Server-Endpoint |
21 | (unassigned) | 68 | Acct-Tunnel-Connection |
22 | Framed-Route | 69 | Tunnel-Password |
23 | Framed-IPX-Network | 70 | ARAP-Password |
24 | State | 71 | ARAP-Features |
25 | Class | 72 | ARAP-Zone-Access |
26 | Vendor-Specific | 73 | ARAP-Security |
27 | Session-Timeout | 74 | ARAP-Security-Data |
28 | Idle-Timeout | 75 | Password-Retry |
29 | Termination-Action | 76 | Prompt |
30 | Called-Station-Id | 77 | Connect-Info |
31 | Calling-Station-Id | 78 | Configuration-Token |
32 | NAS-Identifier | 79 | EAP-Message |
33 | Proxy-State | 80 | Message-Authenticator |
34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id |
35 | Login-LAT-Node | 82 | Tunnel-Assignment-id |
36 | Login-LAT-Group | 83 | Tunnel-Preference |
37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response |
38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval |
39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost |
40 | Acct-Status-Type | 87 | NAS-Port-Id |
41 | Acct-Delay-Time | 88 | Framed-Pool |
42 | Acct-Input-Octets | 89 | (unassigned) |
43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id |
44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id |
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists of the following parts:
Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contains a code that is compliant to RFC 1700. For more information about the proprietary RADIUS sub-attributes of HPE, see "HPE proprietary RADIUS sub-attributes."
Vendor-Type—Indicates the type of the sub-attribute.
Vendor-Length—Indicates the length of the sub-attribute.
Vendor-Data—Indicates the contents of the sub-attribute.
Figure 5: Segment of a RADIUS packet containing an extended attribute