AAA
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an alternative to TACACS+ and is important to network administrators. RADIUS is an access server AAA protocol developed by Livingston Enterprises, Inc. (now part of Lucent Technologies). It is a system of distributed security that secures remote access to networks and protects network services against unauthorized access. RADIUS comprises three components:

  • Protocol with a frame format that uses UDP/IP
  • Server
  • Client

The server runs on a central computer, typically at the customer’s site, while the clients reside in the dialup access servers and can be distributed throughout the network. Cisco incorporated the RADIUS client into Cisco IOS, starting with IOS release 11.1.

Three major versions of RADIUS are available today:

  • IETF with approximately 63 attributes – Developed and proposed to IETF by Livingston Enterprises, now a division of Lucent Technologies. The RADIUS protocol is specified in RFC 2138, and RADIUS accounting in RFC 2139.
  • Cisco implementation supporting approximately 58 attributes – Starting in Cisco IOS release 11.2, an increasing number of attributes and functionality are included in each release of Cisco IOS software and Cisco Secure ACS.
  • Lucent supporting over 254 attributes – Lucent is constantly changing and adding vendor-specific attributes such as token caching and password changing. An Application Programming Interface (API) enables rapid development of new extensions, making competing vendors work hard to keep up. Although Livingston Enterprises developed RADIUS originally, it was championed by Ascend.

Client/server Model
A network access server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers.

The RADIUS server can either use a local user database or can be integrated to use a Windows database or LDAP directory to validate the username and password.

More information on the RADIUS protocol can be found in RFC 2865 and RFC 2868.

Network Security
Transactions between the client and RADIUS server are authenticated using a shared secret, which is never sent over the network. In addition, user passwords are never sent in cleartext between the client and RADIUS server: they are obfuscated with a key derived from the shared secret before transmission, so that someone snooping on an unsecured network cannot simply read a user password off the wire.

Flexible Authentication Mechanisms
The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the username and the original password given by the user, it can support PPP authentication (PAP, CHAP, or MS-CHAP), UNIX login, and other authentication mechanisms.


Web Links