Editing RADIUS (section)
==Roaming==
[[File:Drawing Roaming RADIUS.png|thumb|350px|Roaming using a proxy RADIUS AAA server.]]
RADIUS is commonly used to facilitate [[roaming]] between [[internet service provider|ISP]]s, including by:
* Companies which provide a single global set of credentials that are usable on many public networks;
* Independent, but collaborating, institutions issuing their own credentials to their own users, which allow a visitor from one institution to be authenticated at another by their home institution, such as in [[eduroam]].

RADIUS facilitates this by the use of ''realms'', which identify where the RADIUS server should forward the AAA requests for processing.

===Realms===
A realm is commonly appended to a user's user name and delimited with an '@' sign, resembling an email address domain name. This is known as ''postfix'' notation for the realm. Another common usage is ''prefix'' notation, which involves prepending the realm to the username and using '\' as a delimiter. Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '\' are usually used.

Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms.

Although realms often resemble domains, they are in fact arbitrary text and need not contain real domain names. Realm formats are standardized in RFC 4282, which defines a Network Access Identifier (NAI) in the form 'user@realm'. In that specification, the 'realm' portion is required to be a domain name; however, this requirement is not always followed in practice. RFC 7542<ref>{{cite web |title=The Network Access Identifier |url=https://tools.ietf.org/html/rfc7542 |publisher=Internet Engineering Task Force (IETF) |access-date=8 May 2021 |date=May 2015|doi=10.17487/RFC7542 |last1=Dekok |first1=A. |doi-access=free }}</ref> replaced RFC 4282 in May 2015.
===Proxy operations===
When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then ''proxy'' the request to the configured home server for that realm. Whether the proxying server removes the realm from the request ("stripping") is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests as they are proxied.

Proxy chaining is possible in RADIUS: authentication, authorization and accounting packets are usually routed between a NAS device and a home server through a series of proxies. Some advantages of using proxy chains include scalability improvements, policy implementation and capability adjustments. In roaming scenarios, however, the NAS, proxies and home server are typically managed by different administrative entities, so trust among the proxies gains more significance in such inter-domain applications. Further, the absence of end-to-end security in RADIUS adds to the criticality of trust among the proxies involved. Proxy chains are explained in [[rfc:2607|RFC 2607]].

===Security===
Roaming with RADIUS exposes users to various security and privacy concerns, not least because the MD5 hash built into RADIUS is considered insecure.<ref>{{cite web |url=http://www.win.tue.nl/hashclash/rogue-ca/ |title=MD5 considered harmful today - Creating a rogue CA certificate |publisher=[[Technische Universiteit Eindhoven]] |author1=Alexander Sotirov |author2=Marc Stevens |author3=Jacob Appelbaum |author4=Arjen Lenstra |author5=David Molnar |author6=Dag Arne Osvik |author7=Benne de Weger |date=2008-12-08 |access-date=2009-04-19}}</ref> Some roaming partners therefore establish a secure tunnel between the RADIUS servers to ensure that users' credentials cannot be intercepted while being proxied across the internet.
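As an illustration of the realm notations and the proxy lookup and stripping described in the Realms and Proxy operations sections above, the following Python example (added here; it is not part of the RADIUS article or of any RADIUS server) parses prefix, postfix and compound realms and applies a constructed realm table. The realm names, home server names, the postfix-first ordering for compound names and the reject-unknown-realm policy are assumptions, not behaviour the article specifies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed configuration for the proxying server (not from any real deployment).
LOCAL_REALM = "example.edu"
REALM_TABLE = {  # realm -> (home server to proxy to, strip the realm before forwarding?)
    "partner.org": ("aaa.partner.org", True),
    "somedomain.com": ("radius.somedomain.com", False),
}

@dataclass(frozen=True)
class ParsedName:
    user: str
    prefix_realm: Optional[str]   # from 'realm\user' notation
    postfix_realm: Optional[str]  # from 'user@realm' notation

def parse_username(name: str) -> ParsedName:
    """Split a User-Name into its user part and up to two realms.
    'somedomain.com\\user@anotherdomain.com' yields both realms; a bare 'user'
    yields none. Only '@' and '\\' are recognised as delimiters here.
    """
    prefix, postfix = None, None
    if "\\" in name:
        prefix, name = name.split("\\", 1)
    if "@" in name:
        name, postfix = name.rsplit("@", 1)
    return ParsedName(name, prefix or None, postfix or None)

def route_request(user_name: str) -> dict:
    """Decide how the proxy handles a request: 'local', 'proxy' or 'reject'.
    The postfix realm is consulted first (an assumption for compound names); when
    stripping is configured only that realm is removed, so a remaining prefix
    realm can still be routed on by the next hop. Unknown realms are rejected
    rather than forwarded, so a request never leaves for an unconfigured server.
    """
    p = parse_username(user_name)
    realm = p.postfix_realm or p.prefix_realm
    if realm is None or realm == LOCAL_REALM:
        return {"action": "local", "server": None, "forwarded_name": p.user}
    if realm not in REALM_TABLE:
        return {"action": "reject", "server": None, "forwarded_name": None}
    home, strip = REALM_TABLE[realm]
    if not strip:
        forwarded = user_name
    elif realm == p.postfix_realm and p.prefix_realm:
        forwarded = f"{p.prefix_realm}\\{p.user}"  # keep the inner realm for the next hop
    else:
        forwarded = p.user
    return {"action": "proxy", "server": home, "forwarded_name": forwarded}
```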