Security and authentication mechanisms

The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt user passwords exchanged between them. For security, this key must be manually configured on the client and the server.

RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS server can act as the client of another AAA server to provide authentication proxy services.

Basic RADIUS message exchange process

Figure 347 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.

Figure 347 Basic RADIUS message exchange process

RADIUS operates in the following manner:

1. The host initiates a connection request that carries the user's username and password to the RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the server returns an Access-Accept message containing the user's authorization information. If the authentication fails, the server returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns an acknowledgement (Accounting-Response) and starts accounting.

6. The user accesses the network resources.
