What is RADIUS?
If you work in IT you will have heard of a RADIUS server. In most enterprise networks, user accounts live in a directory such as Active Directory and are queried over LDAP. RADIUS is not a directory; it is a network access protocol. A RADIUS server takes a login attempt from a piece of network equipment, checks it against a central user store (often that same directory), and tells the equipment whether, and how, to admit the user. RADIUS (Remote Authentication Dial-In User Service, RFC 2865) is a client-server protocol that runs at the application layer, carried over UDP (port 1812 for authentication and 1813 for accounting; some older gear still uses 1645/1646). As an AAA protocol it provides centralized Authentication, Authorization, and Accounting for users of network services. The classic application is the one in the name: a user dials into an ISP, enters a username and password, and the access server forwards them to the ISP's RADIUS server, which checks them and authorizes access. Today the same exchange sits behind enterprise Wi-Fi and wired 802.1X, VPN logins, and administrator logins to routers and switches.
What is AAA?
RADIUS servers often get the nickname AAA server because they implement the AAA (Authentication, Authorization, and Accounting) process to authenticate and authorize users.
Authentication is the process of verifying a user's identity. Usually the user proves it with a password, but RADIUS also carries stronger proofs such as one-time codes and, through EAP, client certificates.
Authorization is the granting of specific services or resources once the user is authenticated. It is a set of policies that dictate what a user can do on the network, and the restrictions may be based on the user's group, the physical location or device they connect through, the source IP address, or the time of access.
Accounting is the monitoring, recording, and measuring of what a user does on the network (session start and stop, duration, bytes transferred). It can be used independently of RADIUS authentication and authorization, and the data feeds management, capacity planning, billing, and security investigations.
To use the RADIUS protocol you need three components:
- A RADIUS server
- A directory of user/device information (also called an Identity Provider or IDP) for the RADIUS to reference
- A RADIUS Client
You may think it is strange that three components are involved and that the directory is separate from the server. A RADIUS server can hold a small local user file, but in practice it does not own the credentials: it is configured to look them up in an external user store and to map that store's groups onto its own access policies. Common IdPs used alongside RADIUS include Active Directory, Azure AD, Google, and Okta. The RADIUS client is the network device the user actually connects to (historically a dial-up access server, today a VPN concentrator, wireless controller, or switch), which is why the RFCs call it the Network Access Server, or NAS.
How does RADIUS server authentication work?
- The user presents a username and password to the RADIUS client (the NAS). The client never reads the user store itself; it only relays the login attempt.
- The client sends an Access-Request message to the RADIUS server. It carries a User-Name attribute, a User-Password attribute, and attributes describing the client and port the user arrived on (for example NAS-IP-Address, NAS-Port, and Calling-Station-Id). The password is not encrypted in the usual sense: it is hidden by XORing it, in 16-byte blocks, with MD5 of the shared secret and the packet's random Request Authenticator. Every other attribute travels in cleartext, so RADIUS should be confined to a management network or carried over IPsec or RadSec (RADIUS over TLS).
- The server first checks that the request came from a known client, identified by source IP address and the shared secret configured for that client; requests from unknown clients are silently dropped.
- The server then looks the user up in its user store (a local file, Active Directory, LDAP, or a SQL database) and verifies the password. If the user exists, it also retrieves the extra details it will need for authorization, such as group memberships.
- The server evaluates its access policies against the user's attributes and the request: which NAS the user is on, the time of day, the user's group, and so on. Some methods, such as one-time codes or EAP, require more than one round trip; the server drives those with Access-Challenge messages.
- If the credentials are wrong or no policy allows the login, the server sends an Access-Reject. The transaction ends and the user is denied access.
- If the login is allowed, the server sends an Access-Accept. The message carries authorization attributes for the client to apply, for example Filter-Id (the name of an access list the client should enforce), Tunnel-Private-Group-ID (a VLAN assignment), or Session-Timeout. The shared secret itself is never transmitted; instead the reply's Response Authenticator is an MD5 digest over the reply and the secret, which the client recomputes and compares before it trusts any attribute in the reply.
- The client applies the attributes: it maps the Filter-Id to a locally defined filter or user group, places the port in the assigned VLAN, and starts the session timer.
- The user is now authenticated and authorized and gains access through the RADIUS client. The client normally follows up with an Accounting-Request (Start) to port 1813, and later a Stop record with the session's usage counters.
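To make the exchange concrete, here is an added example written for this page (it is not code from any RADIUS server or client, and it implements only the Access-Request/Access-Accept part of RFC 2865 with plain PAP passwords). It builds an Access-Request with a User-Name and a hidden User-Password, has a server check it against a constructed in-memory user store standing in for AD or LDAP, answers with Access-Accept plus a Filter-Id or with Access-Reject, and has the client verify the Response Authenticator before trusting the reply. The user `alice`, the password, the `staff-acl` filter name, and the shared secrets are made-up values.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept round trip.

Added example for this page; not production code. PAP only, no Message-
Authenticator, no UDP: client and server are plain function calls.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

# Constructed user store standing in for the directory (hypothetical data).
USER_STORE = {"alice": {"password": "correct horse", "filter_id": "staff-acl"}}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)  # header is Code(1) Identifier(1) Length(2) Authenticator(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body))
                       + req_auth + body + secret).digest()


def client_access_request(username: str, password: str, secret: bytes):
    req_auth = secrets.token_bytes(16)  # must be unpredictable and never reused
    ident = secrets.randbelow(256)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth, ident


def server_handle(pkt: bytes, secret: bytes) -> bytes:
    """Authenticate against USER_STORE and authorize with a Filter-Id."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    code_out, out_attrs = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and USER_PASSWORD in a:
        entry = USER_STORE.get(a.get(USER_NAME, b"").decode(errors="replace"))
        given = reveal_password(a[USER_PASSWORD], secret, req_auth)
        if entry and secrets.compare_digest(given, entry["password"].encode()):
            code_out, out_attrs = ACCESS_ACCEPT, [(FILTER_ID, entry["filter_id"].encode())]
    resp_auth = response_authenticator(code_out, ident, req_auth, out_attrs, secret)
    return build_packet(code_out, ident, resp_auth, out_attrs)


def client_check_response(resp: bytes, req_auth: bytes, ident: int, secret: bytes):
    """Reject replies whose Response Authenticator does not match our secret."""
    code, rid, resp_auth, attrs = parse_packet(resp)
    if rid != ident:
        raise ValueError("identifier mismatch")
    expected = response_authenticator(code, rid, req_auth, attrs, secret)
    if not secrets.compare_digest(resp_auth, expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, dict(attrs).get(FILTER_ID, b"").decode()


def exchange(username, password, client_secret, server_secret=None):
    """One round trip; (code, filter_id) on a verified reply, None if it fails verification."""
    server_secret = client_secret if server_secret is None else server_secret
    req, req_auth, ident = client_access_request(username, password, client_secret)
    try:
        return client_check_response(server_handle(req, server_secret), req_auth, ident, client_secret)
    except ValueError:
        return None


if __name__ == "__main__":
    print(exchange("alice", "correct horse", b"s3cret"))
```

The last branch in `exchange` is the one worth noticing: when the client and server secrets differ, the server cannot recover the password and rejects, and the client in turn refuses the reject because its Response Authenticator does not verify, so a forged reply from an attacker who does not hold the secret is discarded rather than acted on. Real deployments add the HMAC-MD5 Message-Authenticator attribute (RFC 2869) to the request as well, and should carry the whole exchange over RadSec or IPsec, because everything here other than the password is cleartext and the MD5-based integrity is weak by modern standards.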
RADIUS server authentication follows the AAA process, so every network device in an organization can authenticate users against a single source instead of keeping its own local accounts. With accounting turned on, businesses also get a record of who connected where and for how long: they can spot anomalies such as logins at odd hours or from unexpected devices, and ISPs can bill customers for the service they used.