RADIUS configuration
Introduction to RADIUS
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). For more information, see the chapter “AAA configuration”.
RADIUS uses the client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. RADIUS defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL. RADIUS provides access authentication and authorization services, and its accounting function collects and records network resource usage information.
Client/server model
∙Client—Generally, the RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).
∙Server—Generally, the RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access. It listens to connection requests, authenticates users, and returns the processing results (for example, rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains the databases: Users, Clients, and Dictionary, as shown in a.
a.RADIUS server components
∙Users—Stores user information such as the usernames, passwords, applied protocols, and IP addresses.
∙Clients—Stores information about RADIUS clients, such as the shared keys and IP addresses.
∙Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances the information exchange security. In addition,
