RADIUS Concepts
RADIUS (Remote Authentication Dial In User
Service) is a standardized method of information exchange
between a device that provides network access to users (the "RADIUS
client") and a device that contains authentication information for
those users (the "RADIUS server"). The RADIUS protocol is widely
used in network environments to provide AAA services (authentication,
authorization and accounting) to embedded routers, modem
servers, firewalls, software, and wireless
applications. It provides centralized authentication and
administration (including configuration) for thousands and
sometimes millions of entities. In addition it offers roaming and
distributed authentication / accounting through its ability to
proxy requests to other servers regardless of the originating
client's location.
The RADIUS protocol provides good protection against common
attacks (sniffing and replay): better than LDAP, which offers no
protection against sniffing, and TACACS+, which has some subtle
security flaws. RADIUS is the de facto standard for authentication by
hardware devices and is uniformly supported as a standard.
The RADIUS-based remote access environment has three major
components: Access Client, Network Access Server, and RADIUS
Server.
The Access Client may be a person dialing into a Service
Provider network to connect to various Internet sites (the
traditional User role). Alternatively, the Access Client may be a
device; it may be an ISDN router or a dial-on-demand router that
provides network access to multiple users at a small office/home
office.
A Network Access Server (NAS) is a device that can
recognize and handle connection requests from outside the network
"edge". When the NAS receives a user's connection request, it may
perform an initial access negotiation with the user. This
negotiation will establish certain data (such as username,
password, NAS device identifier, NAS port number, and so on). The
NAS will then pass this data to the RADIUS server and request
authentication. In wireless environments, a NAS is an Access
Point.
The RADIUS server will authenticate the request, and will
authorize services over the connection. The RADIUS server does this
by matching data from the NAS's request with entries in some
well-known, trusted database.
If a match can be found, the RADIUS server will accept the user.
Otherwise, it will reject the user. Based on this response from the
RADIUS server, the NAS will decide whether to establish the user's
connection ("accept packet" or "accept user") or terminate the
user's connection attempt ("reject packet" or "reject user").
Finally, the NAS issues accounting data to the RADIUS server to
document the transaction; the RADIUS server may store or forward
this data as needed to support billing for the services
provided.
RADIUS Packets
A RADIUS client and RADIUS server communicate by means of RADIUS
packets. RADIUS packets are formatted using conventions outlined in
RFC 2865 "Remote Authentication Dial In User Service (RADIUS)" and
RFC 2866 "RADIUS Accounting".
In order to configure ClearBox Server, the essential information
you'll need about RADIUS packets is the following:
- They carry messages between the RADIUS client and RADIUS
server.
- They follow a request/response convention: The client sends a
request and expects a response from the server. If the response
doesn't arrive, the client can retry the request periodically.
- Each packet supports a specific purpose: authentication or
accounting. This purpose is defined by the "packet code" or "packet
type" (e.g. Access-Request, Accounting-Response, etc.).
- A packet may contain values, called "attributes". See also the list
of standard RADIUS attributes.
- The specific attributes to be found in each packet depend upon
the type of packet (authentication or accounting) and the
device that sent it (for example, the specific make
and model of NAS device).
RADIUS defines six standard packet types:
- Access-Request: sent to a RADIUS server; conveys information used
to determine whether a user is allowed access to a specific NAS, and
any special services requested for that user.
- Access-Reject: sent if the user's identity or any value of the
received attributes is not acceptable.
- Access-Accept: sent by the RADIUS server; provides the specific
configuration information necessary to begin delivery of service to
the user.
- Access-Challenge: sent if the RADIUS server wishes to send the
user a challenge requiring a response.
- Accounting-Request: sent from a client (typically a Network Access
Server or its proxy) to a RADIUS accounting server; conveys
information used to provide accounting for a service provided to a
user.
- Accounting-Response: sent by the RADIUS accounting server to the
client to acknowledge that the Accounting-Request has been received
and recorded successfully.
Besides these types, ClearBox Server may support additional
packet types not covered in RFC 2865 (such as Disconnect Request,
Disconnect Ack, ... See RFC 2882 "Network
Access Servers Requirements: Extended RADIUS Practices" for more
info).
RADIUS Secrets
The RADIUS "shared secret" is used to validate RADIUS
communications between two devices. The shared secret may be any
alphanumeric string. Each shared secret must be configured on both
client and server sides.
IMPORTANT: Upper- and lowercase letters make a difference!
During an authentication transaction, password information must
be transmitted securely between the RADIUS client and the RADIUS
server. Password security may be addressed using a variety of
protocols such as PAP, CHAP, or
MS-CHAP. When PAP is used, the password is encrypted and
decrypted using the authentication shared secret.
No encryption is involved in transmitting accounting data
between a RADIUS client and RADIUS server. However, the accounting
shared secret is used by each device to verify that it can "trust"
any RADIUS communications it receives from the other device.
Accounting packets may be "signed" by a key different from the key
used for authentication packets.
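The following Python is an added illustration, not ClearBox Server's own code or part of this documentation. It ties together the packet layout from the RADIUS Packets section (header, packet codes, attribute TLVs) and the shared-secret operations from this section as RFC 2865 and RFC 2866 define them: the PAP User-Password hiding keyed by the authentication secret, the Response Authenticator that binds a reply to its request, and the Accounting-Request authenticator that "signs" otherwise unencrypted accounting data. All function names, the secret, the user "alice", the NAS address 192.0.2.10 and the session id are constructed for the example.

```python
# Added illustration (not ClearBox Server code): RFC 2865/2866 packet layout and secret checks.
import hashlib
import hmac
import os
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 4, 5, 40, 44
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

def encode_attrs(attrs):
    """Serialize (type, value) pairs as TLVs; each Length octet counts its own 2-octet header."""
    out = bytearray()
    for typ, val in attrs:
        if not 1 <= len(val) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes((typ, len(val) + 2)) + val
    return bytes(out)

def decode_attrs(data):
    """Parse TLVs, rejecting truncated or zero-progress lengths instead of looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        attrs.append((data[i], bytes(data[i + 2:i + data[i + 1]])))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator_value, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator_value) + body

def parse_packet(pkt):
    """Return (code, identifier, authenticator, attrs); octets beyond Length are padding and ignored."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than header")
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length < HEADER.size or length > len(pkt) or code not in CODES:
        raise ValueError("bad Length field or unknown Code")
    return code, ident, auth, decode_attrs(pkt[HEADER.size:length])

def is_well_formed(pkt):
    try:
        return parse_packet(pkt) is not None
    except ValueError:
        return False

def _xor_md5_chain(data, secret, request_auth, chain_on_output):
    """XOR each 16-octet block with MD5(secret + chain value), RFC 2865 section 5.2."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if chain_on_output else data[i:i + 16]  # hiding chains on the hidden blocks
    return bytes(out)

def hide_password(password, secret, request_auth):
    """PAP User-Password hiding: pad with nulls to a multiple of 16 octets (at least 16), then chain."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_md5_chain(padded, secret, request_auth, True)

def unhide_password(hidden, secret, request_auth):
    return _xor_md5_chain(hidden, secret, request_auth, False).rstrip(b"\x00")

def authenticator(code, ident, body, auth_in, secret):
    """MD5(Code + ID + Length + auth_in + Attributes + Secret); the secret is compared byte-for-byte, so case matters.
    auth_in is the Request Authenticator for replies (RFC 2865 s.3) and 16 zero octets for Accounting-Request (RFC 2866 s.3)."""
    return hashlib.md5(HEADER.pack(code, ident, HEADER.size + len(body), auth_in) + body + secret).digest()

def verify(pkt, auth_in, secret):
    """Recompute a received packet's authenticator and compare in constant time."""
    code, ident, length, recv_auth = HEADER.unpack_from(pkt)
    return hmac.compare_digest(authenticator(code, ident, pkt[HEADER.size:length], auth_in, secret), recv_auth)

def demo(secret=b"S3cr3tSh4red", password=b"hunter2"):
    """Constructed exchange: Access-Request, Access-Accept, then an Accounting-Request (Start)."""
    req_auth = os.urandom(16)  # Access-Request authenticator must be unpredictable
    req = build_packet(1, 7, req_auth, [(USER_NAME, b"alice"),
                                        (USER_PASSWORD, hide_password(password, secret, req_auth)),
                                        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), (NAS_PORT, struct.pack("!I", 3))])
    code, ident, auth, attrs = parse_packet(req)
    recovered = unhide_password(dict(attrs)[USER_PASSWORD], secret, auth)
    resp = build_packet(2, ident, authenticator(2, ident, b"", auth, secret), [])
    acct_attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", 1)), (ACCT_SESSION_ID, b"0000A1B2"), (USER_NAME, b"alice")]
    acct = build_packet(4, 8, authenticator(4, 8, encode_attrs(acct_attrs), b"\x00" * 16, secret), acct_attrs)
    tampered = acct[:-1] + bytes([acct[-1] ^ 1])  # flip one bit in the last attribute
    return {"password_roundtrip": recovered == password,
            "response_ok": verify(resp, auth, secret),
            "response_wrong_case": verify(resp, auth, b"s3cr3tsh4red"),
            "acct_ok": verify(acct, b"\x00" * 16, secret),
            "acct_tampered": verify(tampered, b"\x00" * 16, secret),
            "acct_user_in_clear": b"alice" in acct}  # accounting attributes travel unencrypted
```

`demo()` returns a set of flags showing the password round-tripping through the hiding step, the reply verifying only with the exact (case-sensitive) secret, and the accounting packet verifying until a single bit is changed while its User-Name is still readable on the wire. Two design points worth noticing: the User-Password protection is an MD5 keystream derived from the shared secret and the Request Authenticator, so its strength rests entirely on a strong secret and an unpredictable authenticator; and `decode_attrs` refuses attribute lengths below 2, so a malformed TLV cannot stall the parser.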
RADIUS Ports
When the RADIUS standard was first written, the standard ports
to use for RADIUS authentication and accounting packets were 1645
and 1646, respectively. Then it emerged that these ports had been
assigned to another standard. The RADIUS standards group responded
by changing the port assignments to 1812 and 1813, but many
organizations still use the old assignments.
As with the RADIUS shared secret, any two devices that exchange
RADIUS packets must use compatible UDP port numbers. That is, if
you are configuring a NAS to exchange authentication packets with a
RADIUS server, you must find out which port the server uses to
receive authentication packets from its clients (1812, for
example). You must then configure the NAS to send authentication
packets on the same port (1812). The same is true for RADIUS
accounting.
ClearBox Server uses default port assignments of 1812 and 1813
for authentication and accounting, respectively. If you wish to
reassign the ports, you may do so with the Server Manager utility.
See also: Example of RADIUS packet transactions; Authentication,
Authorization and Accounting concepts.
© 2001-2007 XPerience Technologies. www.xperiencetech.com