To prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before transmitting them.

A RADIUS server supports multiple user authentication methods. Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services.

Basic message exchange process of RADIUS

Figure a illustrates the interaction of the host, the RADIUS client, and the RADIUS server.

Figure a. Basic message exchange process of RADIUS

RADIUS operates in the following manner:

1. The host initiates a connection request that carries the user’s username and password to the RADIUS client.

2. After receiving the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, the server sends back an Access-Accept message containing the user’s authorization information. If the authentication fails, the server returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.

6. The user accesses the network resources.

7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.