HP Access Control Client Software manual Radius

Access Control Concepts

Network Access Control Technologies

RADIUS

As mentioned earlier, RADIUS is an industry-standard protocol for providing

AAAservices. However, this section describes the RADIUS protocol in its most limited sense, as the standard for communications between PEPs (devices such as switches and APs that offer users network access) and RADIUS servers (the authentication and possibly accounting server).

RADIUS Messages. A PEP sends two types of messages:

■Access request—The PEP requests authentication and authorization for a user attempting to connect to the network.

■Accounting request—The PEP transmits accounting information to the RADIUS server. For example, the PEP sends an accounting message when it connects a user to the network. This message both acknowledges the message sent by the RADIUS server that allowed the user to connect and also provides more information about the connection.

The RADIUS server sends four types of messages:

■Access challenge—The server responds to access requests, necessary when it requires more information from the user, needs to resolve incom- plete or conflicting user information, or wants the user to retry authenti- cation.

■Access accept messages—The server responds to access requests, informing the PEP that the user is authenticated, and optionally specifying additional authorization instructions such as the user’s VLAN assignment.

■Access reject messages—The server responds to access requests, informing the PEP that the user failed authentication.

■Accounting responses—The server acknowledges accounting requests.

As a UDP protocol, RADIUS is stateless and connectionless. That is, servers and PEPs can send each other messages without first setting up the conver- sation. By default, PEPs send access requests on UDP port 1812 and account- ing messages on UDP port 1813, and RADIUS servers listen on these ports.

However, you can configure some devices to send and listen on private ports.

RADIUS Attribute-Value Pairs (AVPs). RADIUS messages consist of a header and zero or more AVPs, which contain various types of information. For example, AVPs in access-request messages specify users’ credentials and other information about where, when, and how the user is accessing the network. AVPs in access-accept messages, on the other hand, often commu- nicate authorization instructions.

1-28