RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.

RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).

The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. It listens to connection requests, authenticates users, and returns user access control information (for example, rejecting or accepting the user access request) to the clients.

In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.

Figure 2: RADIUS server components

Security and authentication mechanisms

A RADIUS client and the RADIUS server use the shared key to authenticate RADIUS packets and encrypt user passwords that are exchanged between them. The keys are never transmitted over the network. This security mechanism improves the security of RADIUS communication and prevents user passwords from being intercepted on insecure networks.

A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the client of another AAA server to provide authentication proxy services.

Basic RADIUS message exchange process

Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

Figure 3: Basic RADIUS message exchange process

RADIUS operates in the following manner:

  • The host initiates a connection request that carries the user's username and password to the RADIUS client.

  • Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.

  • The RADIUS server authenticates the username and password. If the authentication succeeds, the server sends back an Access-Accept message containing the user's authorization information. If the authentication fails, the server returns an Access-Reject message.

  • The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

  • The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.

  • The user accesses the network resources.

  • The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.

  • The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user.

  • RADIUS packet format

    RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet format.

    Figure 4: RADIUS packet format

    Descriptions of the fields are as follows:

    Table 1: Main values of the Code field

    Code

    Packet type

    Description

    1

    Access-Request

    From the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port.

    2

    Access-Accept

    From the server to the client. If all the attribute values carried in the Access-Request are acceptable, the authentication succeeds, and the server sends an Access-Accept response.

    3

    Access-Reject

    From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the authentication fails and the server sends an Access-Reject response.

    4

    Accounting-Request

    From the client to the server. A packet of this type carries user information for the server to start or stop accounting for the user. The Acct-Status-Type attribute in the packet indicates whether to start or stop accounting.

    5

    Accounting-Response

    From the server to the client. The server sends a packet of this type to notify the client that it has received the Accounting-Request and has successfully recorded the accounting information.

    Table 2: Commonly used RADIUS attributes

    No.

    Attribute

    No.

    Attribute

    1

    User-Name

    45

    Acct-Authentic

    2

    User-Password

    46

    Acct-Session-Time

    3

    CHAP-Password

    47

    Acct-Input-Packets

    4

    NAS-IP-Address

    48

    Acct-Output-Packets

    5

    NAS-Port

    49

    Acct-Terminate-Cause

    6

    Service-Type

    50

    Acct-Multi-Session-Id

    7

    Framed-Protocol

    51

    Acct-Link-Count

    8

    Framed-IP-Address

    52

    Acct-Input-Gigawords

    9

    Framed-IP-Netmask

    53

    Acct-Output-Gigawords

    10

    Framed-Routing

    54

    (unassigned)

    11

    Filter-ID

    55

    Event-Timestamp

    12

    Framed-MTU

    56-59

    (unassigned)

    13

    Framed-Compression

    60

    CHAP-Challenge

    14

    Login-IP-Host

    61

    NAS-Port-Type

    15

    Login-Service

    62

    Port-Limit

    16

    Login-TCP-Port

    63

    Login-LAT-Port

    17

    (unassigned)

    64

    Tunnel-Type

    18

    Reply-Message

    65

    Tunnel-Medium-Type

    19

    Callback-Number

    66

    Tunnel-Client-Endpoint

    20

    Callback-ID

    67

    Tunnel-Server-Endpoint

    21

    (unassigned)

    68

    Acct-Tunnel-Connection

    22

    Framed-Route

    69

    Tunnel-Password

    23

    Framed-IPX-Network

    70

    ARAP-Password

    24

    State

    71

    ARAP-Features

    25

    Class

    72

    ARAP-Zone-Access

    26

    Vendor-Specific

    73

    ARAP-Security

    27

    Session-Timeout

    74

    ARAP-Security-Data

    28

    Idle-Timeout

    75

    Password-Retry

    29

    Termination-Action

    76

    Prompt

    30

    Called-Station-Id

    77

    Connect-Info

    31

    Calling-Station-Id

    78

    Configuration-Token

    32

    NAS-Identifier

    79

    EAP-Message

    33

    Proxy-State

    80

    Message-Authenticator

    34

    Login-LAT-Service

    81

    Tunnel-Private-Group-id

    35

    Login-LAT-Node

    82

    Tunnel-Assignment-id

    36

    Login-LAT-Group

    83

    Tunnel-Preference

    37

    Framed-AppleTalk-Link

    84

    ARAP-Challenge-Response

    38

    Framed-AppleTalk-Network

    85

    Acct-Interim-Interval

    39

    Framed-AppleTalk-Zone

    86

    Acct-Tunnel-Packets-Lost

    40

    Acct-Status-Type

    87

    NAS-Port-Id

    41

    Acct-Delay-Time

    88

    Framed-Pool

    42

    Acct-Input-Octets

    89

    (unassigned)

    43

    Acct-Output-Octets

    90

    Tunnel-Client-Auth-id

    44

    Acct-Session-Id

    91

    Tunnel-Server-Auth-id

    Extended RADIUS attributes

    The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide.

    A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists of the following parts:

    Figure 5: Segment of a RADIUS packet containing an extended attribute