Remote Authentication Dial-In User Service (RADIUS) is a client-server networking protocol that runs in the application layer. The RADIUS protocol uses a RADIUS Server and RADIUS Clients.
A RADIUS Client (or Network Access Server) is a networking device (like a VPN concentrator, router, switch) that is used to authenticate users.
A RADIUS Server is a background process that runs on a UNIX or Windows server. It lets you maintain user profiles in a central database. Hence, if you have a RADIUS Server, you have control over who can connect with your network.
When a user tries to connect to a RADIUS Client, the Client sends requests to the RADIUS Server. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.
The working of the RADIUS Server depends on the exact nature of the RADIUS ecosystem. However, all servers have AAA capabilities (Authentication, Authorization, and Accounting). In some RADIUS ecosystems, a RADIUS Server can also act as a proxy client to other RADIUS Servers.
RADIUS Servers offer businesses with the ability to preserve the privacy and security of their system and their users, thus helping in security management and in creating policies for server administration.
How does RADIUS Server authentication and authorization work?
A RADIUS Server supports a variety of methods to authenticate a user. RADIUS Server authentication and authorization goes hand in hand and usually starts when a user tries to connect to the RADIUS Client using a username and password. A basic RADIUS authentication and authorization process include the following steps:
- The RADIUS Client tries to authenticate to the RADIUS Server using user credentials (username and password).
- The Client sends an Access-Request message to the RADIUS Server. The message comprises a shared secret. Passwords are always encrypted in the Access-Request message.
- The RADIUS Server reads the shared secret and ensures that the Access-Request message is from an authorized Client. If the Access-Request is not from an authorized Client, then the message is discarded.
- If the Client is authorized, the RADIUS Server reads the authentication method requested.
- If the authentication method used is allowed, then the RADIUS Server reads the user credentials from the message. It matches the user credentials against the user database. If there is a match, the RADIUS Server extracts additional user details from the user database.
- The RADIUS server now checks to see if there is an access policy or a profile that matches the user credentials.
- If there is no matching policy, then the server sends an Access-Reject message. The RADIUS transaction ends, and the user is denied access to the system.
- If there is a matching policy, the RADIUS Server sends an Access-Accept message to the device.
- The Access-Accept message consists of a shared secret and a Filter ID attribute. If the shared secret does not match, the RADIUS Client rejects the message.
- If the shared secret matches, the Client reads the value of the Filter ID attribute. The Filter ID is a string of text. The RADIUS Client connects the user to a particular RADIUS Group using this Filter ID. A RADIUS Group is a group of users who have the same FilterID value. Practically, a RADIUS group makes it easier to categorize users in functional groups (like Sales, Networking, System, HR, IT, etc.).
- The user is finally authenticated and authorized and will obtain access to the RADIUS Client.
How does accounting for RADIUS Server / RADIUS Authentication work?
RADIUS Servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.
A basic RADIUS accounting process includes the following steps:
- The process starts when the user is granted access to the RADIUS Server.
- The RADIUS Client sends a RADIUS Accounting-Request packet known as Accounting Start, to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and the point of access.
- During the session, the Client may send additional Accounting-Request packets known as Interim Update to the RADIUS Server. These packets include details like the current session duration and data usage. This packet serves the purpose of updating the information about the user's session to the RADIUS Server.
- Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet known as Accounting Stop, to the RADIUS Server. The packet includes information such as total time, data, and packets transferred the reason for disconnection, and other information relevant to the user's session.
A RADIUS Server prevents your organization's private information from being leaked to snooping outsiders. It also allows easy depreciation capabilities and enables individual users to be assigned with unique network permissions. It can integrate into your existing system without any significant changes.
The uses and benefits of RADIUS Servers are wide-reaching. Hence if you are looking to integrate a RADIUS ecosystem into your current system with ease, contact Foxpass today.