Remote Authentication Dial-In User Service (RADIUS) is an alternative to
TACACS+ and is important to network administrators. RADIUS is an access server
AAA protocol developed by Livingston Enterprises, Inc. (now part of Lucent
Technologies). It is a system of distributed security that secures remote
access to networks and protects network services against unauthorized access.
RADIUS consists of three components:
- Protocol with a frame format that uses UDP/IP
- Server
- Client
The server runs on a central computer, typically at the customer’s
site, while the clients reside in the dialup access servers and can be
distributed throughout the network. Cisco incorporated the RADIUS client into
Cisco IOS, starting with IOS release 11.1.
Three major versions of RADIUS are available today:
- IETF with approximately 63 attributes – Developed and proposed to IETF by
Livingston Enterprises, now a division of Lucent Technologies. The RADIUS
protocol is specified in RFC 2138, and RADIUS accounting in RFC 2139.
- Cisco implementation supporting approximately 58 attributes – Starting in
Cisco IOS release 11.2, an increasing number of attributes and functionality
are included in each release of Cisco IOS software and Cisco Secure ACS.
- Lucent supporting over 254 attributes – Lucent is constantly changing and
adding vendor-specific attributes such as token caching and password changing.
An Application Programming Interface (API) enables rapid development of new
extensions, making competing vendors work hard to keep up. Although Livingston
Enterprises developed RADIUS originally, it was championed by Ascend.
Client/server Model
A network access server (NAS) operates as a client of RADIUS. The client is
responsible for passing user information to designated RADIUS servers, and then
acting on the response that is returned. RADIUS servers are responsible for
receiving user connection requests, authenticating the user, and then returning
all configuration information necessary for the client to deliver service to
the user. The RADIUS servers can act as proxy clients to other kinds of
authentication servers.
The RADIUS server can either use a local user database or can be integrated
to use a Windows database or LDAP directory to validate the username and
password.
More information on the RADIUS protocol can be found in RFC 2865 and RFC 2868.
Network Security
Transactions between the client and
RADIUS server are authenticated using a shared secret, which is never sent over
the network. In addition, any user passwords are sent encrypted between the
client and RADIUS server, to eliminate the possibility that someone snooping on
an unsecured network could determine a user password.
Flexible Authentication Mechanisms
The RADIUS server supports a
variety of methods to authenticate a user. When it is provided with the
username and original password given by the user, it can support PPP, PAP,
CHAP, or MS-CHAP, UNIX login, and other authentication mechanisms.