RADIUS

From Wikipedia, the free encyclopedia


Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization, and accounting) protocol for controlling access to network resources. RADIUS is commonly used by ISPs and corporations managing access to Internet or internal networks across an array of access technologies including modem, DSL, wireless and VPNs.

RADIUS servers use the AAA concept to manage network access in the following three-step process, also known as an "AAA transaction".

  • Authentication - The user or machine requests access to network resources via a Network Access Server (NAS). In turn, the NAS issues a RADIUS Access-Request message to the RADIUS server requesting authorization to grant access. This request includes a form of identification and a proof of identification, typically the username and password provided by the user. Additionally, the request contains information the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.
  • Authorization - The RADIUS server then processes the user's request. It looks up the user's account in an internal list of accounts or queries a remote database for information on the user. The user's proof of identification is verified, and optionally other information related to the request, such as the user's network address or phone number, account status and the type of network services to which they are authorized. The RADIUS server issues one of three responses, Access-Accept ("yea"), Access-Reject ("nay") or Access-Challenge, to the NAS, which is responsible for enforcing the access decision of the RADIUS server.
    • Access-Challenge - Requests additional information from the user, such as a secondary password, PIN or token card challenge response.
    • Access-Reject - The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
    • Access-Accept - The user is granted access. Authorization attributes are conveyed to the NAS stipulating the terms of access to be granted. These terms may include limits on the duration of access, limits on the amount of data or bandwidth available, security access control restrictions and an assigned network address.
  • Accounting - When network access is granted to the user by the NAS, an Accounting Start request is sent by the NAS to the RADIUS server to signal the start of the user's network access. Start records typically contain the user's identification, network address, point of attachment and a unique session ID used to reference the user's session. Periodically, Interim Accounting records may be sent by the NAS to the RADIUS server to update it on the status of an active session. Interim records typically convey the current session duration and information on current data usage. Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server providing information on the final usage in terms of time, data, reason for disconnect and other information related to the user's network access.

Many network services (including corporate networks and public ISPs using modem, DSL, or 802.11 wireless technologies) require you to present security credentials (such as a username and password or a security certificate) in order to connect to the network. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device via the link-layer protocol - for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers - and then to a RADIUS server via the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources - commonly SQL, Kerberos, LDAP, or Active Directory servers - to verify the user's credentials.

Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source like LDAP or Active Directory.

Finally, if the user is both successfully authenticated and authorized, RADIUS can supply the NAS with additional parameters, such as

  • The specific IP address to be assigned to the user
  • The address pool from which the user's IP should be chosen
  • The maximum length that the user may remain connected
  • An access list, priority queue or other restrictions on a user's access
  • L2TP parameters
  • VLAN parameters
  • Quality of Service (QoS) parameters

RADIUS is also commonly used for accounting purposes. The NAS can use RADIUS accounting packets to notify the RADIUS server of events such as

  • The user's session start
  • The user's session end
  • Total packets transferred during the session
  • Volume of data transferred during the session
  • Reason for session ending

The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.

The RADIUS protocol does not transmit passwords in cleartext between the NAS and the RADIUS server (not even with the PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. NOTE: This is not considered to be very strong protection of the user's credentials. If possible, additional protection, such as IPsec tunnels, should be used to further encrypt the RADIUS traffic, especially considering that the user's credentials are the only part protected by RADIUS itself, even though other user-specific attributes passed by RADIUS may be considered sensitive or private information. Please refer to the references for more details on this subject.
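To make the Access-Request/Access-Accept exchange from the AAA transaction above and the password-hiding scheme just described concrete, here is an added example, written for this page and not taken from the article or from any RADIUS implementation. It builds an Access-Request with a hidden User-Password the way a NAS would, reveals the password the way the server would, and computes and verifies the Response Authenticator on an Access-Accept. The packet and attribute layout and the MD5 hiding algorithm follow RFC 2865 (cited in the text); the shared secret, request authenticator, username, password and Framed-IP-Address value are constructed demo values, and the code assumes Python 3 with only the standard library.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8

# Constructed demo values (assumptions of this example, not from the article).
DEMO_SECRET = b"demo-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))  # a real NAS uses os.urandom(16) per request

def hide_user_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream block depends on this ciphertext block
    return bytes(out)

def reveal_user_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Inverse of hide_user_password, run by the server before it checks the credential."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # drop the zero padding

def encode_attrs(attrs) -> bytes:
    """Serialize (type, value) pairs as Type/Length/Value; Length counts the two header bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) with bounds checks."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth=None) -> bytes:
    """NAS side: Access-Request carrying User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_user_password(password, request_auth, secret))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a wrong secret or any changed byte fails."""
    _, ident, response_auth, _ = parse_packet(response)
    _, request_ident, request_auth, _ = parse_packet(request)
    if ident != request_ident:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response_auth)

if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"s3cret-pw", DEMO_SECRET, DEMO_REQUEST_AUTH)
    acc = build_response(ACCESS_ACCEPT, req, DEMO_SECRET, [(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5]))])
    print("Access-Accept authenticator valid:", verify_response(acc, req, DEMO_SECRET))
```

Two design points are worth noticing. The User-Password hiding is a keystream XOR whose only secrets are the shared secret and the per-request authenticator, which is why the text above calls it weak protection and recommends an outer IPsec tunnel; everything else in the packet, including User-Name and Framed-IP-Address, travels unprotected. The Response Authenticator is what lets the NAS reject a reply that does not match its own request or that was altered in transit, so `verify_response` compares digests in constant time and checks the Identifier against the outstanding request before trusting any attributes in the reply.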

RADIUS is a common authentication protocol utilized by the IEEE 802.1X security standard (often used in wireless networks). Although RADIUS was not initially intended to be a wireless security authentication method, it improves on the WEP encryption key standard in conjunction with other security methods such as EAP-PEAP.

RADIUS is extensible; many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes (VSAs).

RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). Before the IANA allocation, ports 1645 (authentication) and 1646 (accounting) were used unofficially and became the default ports in many RADIUS client/server implementations of the time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day, so many RADIUS server implementations listen on both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813, but Cisco devices default to the traditional 1645 and 1646 ports. Juniper Networks' RADIUS servers also default to 1645 and 1646.

RADIUS is used by RSA SecurID to enable strong authentication for access control; products such as PhoneFactor add two-factor authentication to legacy RADIUS applications that typically only support username and password authentication.

RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to RADIUS server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance.

RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises, which delivered its PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (the current versions are RFC 2865 and RFC 2866). Several commercial and open-source RADIUS servers now exist. Features vary, but most can look up users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files or various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).

The Diameter protocol is the planned replacement for RADIUS. Diameter uses SCTP or TCP while RADIUS uses UDP as the transport layer.


RADIUS is commonly used to facilitate roaming between ISPs, for example by companies which provide a single global set of credentials that are usable on many public networks. RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.

A realm is commonly appended to a user's username and delimited with an '@' sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using '\' as a delimiter.

Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '\' are usually used.

Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms.

Although realms often resemble email domains, it is important to note that realms are in fact arbitrary text and need not contain real domain names.

When a RADIUS server receives an AAA request for a username containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that realm. Whether the proxying server removes the realm from the request ("stripping") is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite attributes in AAA requests when they are proxied.
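The realm handling described in the preceding paragraphs, as an added Python example that is not from the article or from any RADIUS server: it splits a User-Name into user, prefix realm and postfix realm (including the compound form `somedomain.com\username@anotherdomain.com` from the text), looks the realm up in a configured realm table, and optionally strips the matched realm before forwarding. The realm table and home server names are constructed placeholders, and two behaviours are assumptions of this example rather than anything the article specifies: the prefix realm is consulted before the postfix realm, and realm names are compared case-insensitively.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

POSTFIX_DELIM = "@"   # user@realm
PREFIX_DELIM = "\\"   # realm\user

@dataclass
class ParsedName:
    user: str
    prefix_realm: Optional[str] = None   # from "realm\user"
    postfix_realm: Optional[str] = None  # from "user@realm"

@dataclass
class RealmConfig:
    home_server: str    # where requests for this realm are proxied (constructed names below)
    strip: bool = True  # whether to remove the matched realm from User-Name before forwarding

def parse_user_name(user_name: str) -> ParsedName:
    """Split a User-Name into user, prefix realm and postfix realm; both realms may be present."""
    prefix, rest = None, user_name
    if PREFIX_DELIM in rest:
        prefix, rest = rest.split(PREFIX_DELIM, 1)     # first backslash ends the prefix realm
    postfix = None
    if POSTFIX_DELIM in rest:
        rest, postfix = rest.rsplit(POSTFIX_DELIM, 1)  # last '@' starts the postfix realm
    return ParsedName(user=rest, prefix_realm=prefix or None, postfix_realm=postfix or None)

def route_request(user_name: str, realms: Dict[str, RealmConfig]) -> Tuple[Optional[str], str]:
    """Return (home server, or None for local handling; User-Name to forward).

    Assumptions of this example: the prefix realm is consulted before the postfix realm,
    and realm names are compared case-insensitively. Unknown realms are not proxied.
    """
    parsed = parse_user_name(user_name)
    for kind, realm in (("prefix", parsed.prefix_realm), ("postfix", parsed.postfix_realm)):
        if realm is None:
            continue
        cfg = realms.get(realm.lower())
        if cfg is None:
            continue
        if not cfg.strip:
            return cfg.home_server, user_name
        # Strip only the matched realm; the other one stays for the next hop to route on.
        if kind == "prefix":
            forwarded = parsed.user + (POSTFIX_DELIM + parsed.postfix_realm if parsed.postfix_realm else "")
        else:
            forwarded = (parsed.prefix_realm + PREFIX_DELIM if parsed.prefix_realm else "") + parsed.user
        return cfg.home_server, forwarded
    return None, user_name

if __name__ == "__main__":
    # Constructed realm table; the server names are placeholders.
    table = {"example.org": RealmConfig("radius1.example.org"),
             "somedomain.com": RealmConfig("proxy.somedomain.com")}
    for name in ("alice@example.org", "somedomain.com\\username@anotherdomain.com", "carol@nowhere.test"):
        print(name, "->", route_request(name, table))
```

Because realms are arbitrary text, the parser makes no attempt to validate them as DNS names; it only decides which delimiter splits off which realm. A name whose realm is not in the table comes back with `None`, which a server would treat as "handle locally or reject" rather than forwarding to an arbitrary host named inside the request.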

The RADIUS protocol is currently defined in:

  • RFC 2865 Remote Authentication Dial In User Service (RADIUS)
  • RFC 2866 RADIUS Accounting

Other relevant RFCs are:

  • RFC 2548 Microsoft Vendor-specific RADIUS Attributes
  • RFC 2607 Proxy Chaining and Policy Implementation in Roaming
  • RFC 2618 RADIUS Authentication Client MIB
  • RFC 4668 RADIUS Authentication Client MIB for IPv6 (Obsoletes: RFC 2618)
  • RFC 2619 RADIUS Authentication Server MIB
  • RFC 4669 RADIUS Authentication Server MIB for IPv6 (Obsoletes: RFC 2619)
  • RFC 2620 RADIUS Accounting Client MIB
  • RFC 4670 RADIUS Accounting Client MIB for IPv6 (Obsoletes: RFC 2620)
  • RFC 2621 RADIUS Accounting Server MIB
  • RFC 4671 RADIUS Accounting Server MIB for IPv6 (Obsoletes: RFC 2621)
  • RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS
  • RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
  • RFC 2868 RADIUS Attributes for Tunnel Protocol Support
  • RFC 2869 RADIUS Extensions
  • RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices
  • RFC 3162 RADIUS and IPv6
  • RFC 3575 IANA Considerations for RADIUS
  • RFC 3576 Dynamic Authorization Extensions to RADIUS
  • RFC 3579 RADIUS Support for EAP (Updates: RFC 2869)
  • RFC 3580 IEEE 802.1X RADIUS Usage Guidelines
  • RFC 4014 RADIUS Attributes Suboption for the DHCP Relay Agent Information Option
  • RFC 4372 Chargeable User Identity
  • RFC 4590 RADIUS Extension for Digest Authentication (new revision pending)
  • RFC 4675 RADIUS Attributes for Virtual LAN and Priority Support
  • RFC 4679 DSL Forum Vendor-Specific RADIUS Attributes
  • RFC 4818 RADIUS Delegated-IPv6-Prefix Attribute
  • RFC 4849 RADIUS Filter Rule Attribute
