
RADIUS: Remote Authentication Dial In User Service

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server. RADIUS also carries accounting information between a Network Access Server and a shared Accounting Server. RADIUS uses UDP as the transport protocol.

Key features of RADIUS are:

  • Client/Server Model: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
  • Network Security: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an insecure network could determine a user's password.
  • Flexible Authentication Mechanisms: The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
  • Extensible Protocol: All transactions consist of variable-length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.



Protocol Structure - RADIUS Remote Authentication Dial In User Service

                  8               16                              32 bit
   +---------------+---------------+-------------------------------+
   |     Code      |  Identifier   |            Length             |
   +---------------+---------------+-------------------------------+
   |                    Authenticator (16 bytes)                   |
   +---------------------------------------------------------------+

  • Code - The message type, as follows:
    • 1   Access-Request
    • 2   Access-Accept
    • 3   Access-Reject
    • 4   Accounting-Request
    • 5   Accounting-Response
    • 11  Access-Challenge
    • 12  Status-Server (experimental)
    • 13  Status-Client (experimental)
    • 255 Reserved
  • Identifier - Matches requests with their replies.
  • Length - The message length, including the header.
  • Authenticator - A field used to authenticate the reply from the RADIUS server and in the password hiding algorithm.
   
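An added worked example, not from this page or the RFCs' own text, showing the header and attribute layout above in practice: it builds and parses a packet, computes and checks the Response Authenticator the client uses to authenticate the server's reply, and applies the User-Password hiding algorithm that the Request Authenticator feeds into. The shared secret, Request Authenticator and password are constructed sample values; attribute types 1 (User-Name), 2 (User-Password) and 18 (Reply-Message) are the numbers assigned in RFC 2865.

```python
import hashlib
import hmac
import struct

def build_packet(code, ident, authenticator, attrs):
    """Header (Code, Identifier, Length) + 16-byte Authenticator + Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, length, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])  # struct.error if under 4 bytes
    if length < 20 or length > len(data):  # RFC 2865: such packets are silently discarded
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:  # octets past Length are padding and must be ignored
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, data[4:20], attrs

def sign_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = build_packet(code, ident, request_auth, attrs)  # request_auth only fills the slot
    auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + auth + pkt[20:]

def verify_response(resp, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare in constant time."""
    _, _, length, auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)

def _xor_blocks(data, secret, request_auth, hiding):
    """RFC 2865 s5.2 User-Password: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # the chain always runs over hidden blocks
    return out

def hide_password(password, secret, request_auth):
    """NAS side: NUL-pad the password to a multiple of 16 octets, then obfuscate it."""
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)
def unhide_password(hidden, secret, request_auth):
    """Server side: reverse the obfuscation and strip the NUL padding."""
    return _xor_blocks(hidden, secret, request_auth, False).rstrip(b"\x00")
```

Note that the hiding scheme is keyed only by the shared secret and a 16-byte Request Authenticator, so a server that fails to reject replayed or duplicated authenticators gives up the confidentiality the page's "Network Security" point relies on.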

Related Protocols
UDP, CHAP, RAP

Sponsor Source

RADIUS is defined by the IETF (http://www.ietf.org) in RFC 2865 and RFC 2866.



Reference
http://www.javvin.com/protocol/rfc2865.pdf : Remote Authentication Dial In User Service (RADIUS)
http://www.javvin.com/protocol/rfc2866.pdf : RADIUS Accounting