RADIUS
==Protocol components==
RADIUS is an [[AAA_(computer_security)|AAA]] (authentication, authorization, and accounting) protocol that manages network access. RADIUS uses two types of [[Network packet|packets]] to manage the full AAA process: Access-Request, which manages authentication and authorization; and Accounting-Request, which manages accounting. [[Authentication]] and [[authorization]] are defined in RFC 2865 while [[accounting]] is described by RFC 2866.

===Authentication and authorization===
The user or machine sends a request to a [[Network Access Server]] (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the [[link-layer]] protocol, for example [[Point-to-Point Protocol]] (PPP) in the case of many [[dialup]] or [[DSL]] providers, or posted in an [[HTTPS]] secure web form.

In turn, the NAS sends a RADIUS ''Access-Request'' message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.<ref name="rfc2865">RFC 2865 Remote Authentication Dial In User Service (RADIUS)</ref> This request includes access credentials, typically in the form of a [[username]] and [[password]] or a security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its [[network address]] or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as [[Password authentication protocol|PAP]], [[Challenge-handshake authentication protocol|CHAP]] or [[Extensible Authentication Protocol|EAP]]. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources, commonly [[SQL]], [[Kerberos (protocol)|Kerberos]], [[LDAP]], or [[Active Directory]] servers, to verify the user's credentials.

[[File:Drawing RADIUS 1812.svg|thumb|350px|RADIUS Authentication and Authorization Flow]]
The RADIUS server then returns one of three responses to the NAS: 1) Access-Reject, 2) Access-Challenge, or 3) Access-Accept.
; Access-Reject: The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
; Access-Challenge: Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in such a way that the access credentials are hidden from the NAS.
; Access-Accept: The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source such as LDAP or Active Directory.

Each of these three RADIUS responses may include a Reply-Message attribute which may give a reason for the rejection, the prompt for the challenge, or a welcome message for the accept. The text in the attribute can be passed on to the user in a return web page.

Authorization [[Radius Values|attributes]] are conveyed to the NAS stipulating terms of access to be granted. For example, the following authorization attributes may be included in an Access-Accept:
* The specific [[IP address]] to be assigned to the user
* The address pool from which the user's IP address should be chosen
* The maximum length of time that the user may remain connected
* An access list, priority queue or other restrictions on a user's access
* [[L2TP]] parameters
* [[VLAN]] parameters
* Quality of Service (QoS) parameters

When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol (PPP), which has authentication packets which carry this information. Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5: the password is XORed with MD5 digests derived from the shared secret and the packet's Request Authenticator, so it is obscured rather than encrypted with a modern cipher, and its protection rests entirely on the secrecy of the shared secret.

===Accounting===
[[File:Drawing RADIUS 1813.svg|thumb|350px|right|RADIUS Accounting Flow]]
Accounting is described in RFC 2866. When network access is granted to the user by the [[Network access server|NAS]], an ''Accounting Start'' (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.<ref>RFC 2866 RADIUS Accounting</ref>

Periodically, ''Interim Update'' records (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage.

Finally, when the user's network access is closed, the NAS issues a final ''Accounting Stop'' record (a RADIUS Accounting-Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access. Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.

The primary purpose of this data is that the user can be [[Bill (payment)|billed]] accordingly; the data is also commonly used for [[statistical]] purposes and for general network monitoring.
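The Access-Request/Access-Accept exchange and the Accounting-Request described in the two subsections above, as an added worked example that is not part of this article or of any RADIUS implementation. It builds packets directly from the RFC 2865 and RFC 2866 wire formats: the NAS hides User-Password under the Request Authenticator, the server recovers and checks it and signs its Access-Accept or Access-Reject with the Response Authenticator, and the accounting side computes and verifies the Accounting-Request authenticator (seeded with 16 zero octets) before acknowledging. The shared secret, the user database, the NAS and framed IP addresses and the session identifier are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types used below (RFC 2865 sections 3 and 5, RFC 2866 section 5).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 8, 18
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
ZERO_AUTH = b"\x00" * 16
# Constructed values for this example; a real shared secret must be long, random and per-NAS.
SECRET = b"example-shared-secret"
USERS = {b"alice": (b"correct horse battery staple", bytes([192, 0, 2, 101]))}

def encode_attrs(attrs):
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes((t, len(v) + 2)) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def parse_packet(data):
    code, ident, length, auth = HEADER.unpack_from(data)  # raises on a short datagram
    if not HEADER.size <= length <= len(data):
        raise ValueError("bad Length field")
    return code, ident, auth, decode_attrs(data[HEADER.size:length])

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block); block 0 chains from the Request Authenticator."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]  # chaining input is the received ciphertext block
    return out.rstrip(b"\x00")

def sign(code, ident, seed_auth, attrs, secret):
    """Authenticator = MD5(Code + ID + Length + seed + Attributes + Secret). Responses seed with
    the Request Authenticator (RFC 2865 section 3); Accounting-Request with 16 zero octets (RFC 2866)."""
    pkt = bytearray(build_packet(code, ident, seed_auth, attrs))
    pkt[4:HEADER.size] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)

def verify(data, seed_auth, secret):
    """Recompute a received packet's Authenticator; False means the RFCs say drop it silently."""
    length = struct.unpack_from("!H", data, 2)[0]
    if not HEADER.size <= length <= len(data):
        return False
    expected = hashlib.md5(data[:4] + seed_auth + data[HEADER.size:length] + secret).digest()
    return hmac.compare_digest(expected, data[4:HEADER.size])

def nas_access_request(ident, username, password):
    """NAS side: a fresh, unpredictable Request Authenticator keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, SECRET, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle_access_request(data):
    code, ident, request_auth, attrs = parse_packet(data)
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), SECRET, request_auth)
    entry = USERS.get(a.get(USER_NAME))
    if code == ACCESS_REQUEST and entry and hmac.compare_digest(password, entry[0]):
        reply = [(FRAMED_IP_ADDRESS, entry[1]), (REPLY_MESSAGE, b"Welcome")]
        return sign(ACCESS_ACCEPT, ident, request_auth, reply, SECRET)
    return sign(ACCESS_REJECT, ident, request_auth, [(REPLY_MESSAGE, b"Login incorrect")], SECRET)

def nas_accounting_request(ident, status, session_id, username):
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id), (USER_NAME, username)]
    return sign(ACCOUNTING_REQUEST, ident, ZERO_AUTH, attrs, SECRET)

def server_handle_accounting(data):
    if not verify(data, ZERO_AUTH, SECRET):
        raise ValueError("bad Accounting-Request authenticator")
    _, ident, request_auth, _ = parse_packet(data)
    return sign(ACCOUNTING_RESPONSE, ident, request_auth, [], SECRET)
```

Two points worth noticing when running it: an Access-Request itself carries no integrity check (only the password is obscured), which is why RFC 2869's Message-Authenticator attribute and RADIUS over TLS exist, and the Response Authenticator ties each reply to the Request Authenticator of the packet it answers, so a NAS that reuses or predicts Request Authenticators loses both the password hiding and replay protection.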