RADIUS stands for Remote Authentication Dial-In User Service and describes a protocol and service that authenticates and authorizes users who dial in to a network. RADIUS can also be used for the accounting of services. In companies, RADIUS is most often used for user logon to WLAN networks (WPA-Enterprise, where the access point hands the 802.1X/EAP exchange to a RADIUS server).
How does RADIUS work?
RADIUS is a standard that is used in dial-in networks for so-called triple-A services (AAA). AAA services are the authentication, authorization and accounting of dial-in users.
RADIUS has become established as the de facto standard for dial-in services and is based on a client-server architecture. Many providers use RADIUS for dial-in to analog, ISDN, DSL, or even WLAN networks. The protocol normally runs over UDP, port 1812 for authentication and 1813 for accounting (older deployments still use 1645 and 1646). The exact functionality and procedures of the RADIUS protocol are defined and described in RFCs 2865 (the core protocol), 2866 (accounting), 2867, 2868, and 2869.
The basic tasks of the RADIUS protocol
As explained earlier, the core tasks of the RADIUS protocol are authentication, authorization, and accounting, which are grouped under the acronym AAA.
During authentication, the service determines who the user dialing in is. Unique user names and passwords, for example, are used to verify that the user is actually who he or she claims to be. In addition, one-time-password tokens, certificates or other factors can be used, typically carried inside an EAP method.
Once the user has been uniquely identified, authorization takes over the allocation of user rights. Users are granted specific access rights to data, services, or other resources. Among other things, authorization can be used to assign a fixed IP address to the dial-in user (the Framed-IP-Address attribute) or to place the user in a particular VLAN.
Finally, accounting records the use of the various services by the user. This can include dial-up minutes, transferred data volumes or access frequencies. This data is used by the service providers to create invoices. For this purpose, the accounting data is evaluated according to the respective rate model.
Important components and functionality of the RADIUS protocol
In order for a dial-in to occur using the RADIUS protocol, there are usually three parties involved. These are:
- The user's device (the supplicant, for example a laptop on the WLAN or a DSL router), which wants network access
- The Network Access Server (NAS), also called the authenticator (for example an access point, a VPN concentrator or a broadband access router); in the RFCs this is the RADIUS client
- The RADIUS server
The user's device presents its credentials to the NAS over the access protocol it speaks (PPP, 802.1X/EAP and so on); the end device itself never speaks RADIUS. The NAS has no information of its own about the dial-in users. It packs the credentials into an Access-Request packet and forwards it over the network to the actual RADIUS server, protecting the packet with a shared secret that only this NAS and the server know.
The RADIUS server has a connection to the user database with the user IDs, passwords, and user rights. It verifies the user name and password (or completes the EAP exchange) and responds with an Access-Accept (permission to dial in), an Access-Reject (rejection of dial-in) or, for multi-step methods, an Access-Challenge. The Access-Accept carries all parameters required for the user's session (IP address, VLAN, session timeout and the like); the NAS, not the RADIUS server, then establishes the actual connection to the network using these parameters.
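As an added example (not code from the original article or from any particular RADIUS implementation), the following Python script plays both sides of the exchange described above in memory, using only the standard library: the NAS builds an Access-Request with a random Request Authenticator and the RFC 2865 password hiding, the server checks the password against a constructed user table and answers with an Access-Accept carrying a Framed-IP-Address (the authorization step) or an Access-Reject, and the NAS verifies the Response Authenticator before trusting the answer. It then sends an Accounting-Request (Stop) that the server only records when the accounting authenticator matches, which covers the accounting task from the section on the basic tasks above. The user name, password, addresses, session values and shared secret are constructed test data; the packet codes, attribute numbers and authenticator formulas are those of RFC 2865 and RFC 2866.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 s.3, RFC 2866 s.4) and the attribute types used below (RFC 2865 s.5, RFC 2866 s.5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_SESSION_ID, ACCT_SESSION_TIME, ACCT_STOP = 40, 42, 44, 46, 2
# Constructed sample user database: user -> (password, Framed-IP-Address handed out on Accept)
USERS = {b"alice": (b"correct horse", bytes([10, 0, 0, 5]))}

def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte length (header included), value; ints are 4 bytes big-endian."""
    out = b""
    for typ, val in attrs:
        val = struct.pack("!I", val) if isinstance(val, int) else val
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    """Return (code, identifier, authenticator, {type: value}); refuse inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, blob = {}, pkt[20:]
    while blob:
        typ, alen = struct.unpack("!BB", blob[:2])
        if alen < 2 or alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[typ], blob = blob[2:alen], blob[alen:]
    return code, ident, pkt[4:20], attrs

def resp_auth(code, ident, request_auth, body, secret):
    """Response Authenticator (RFC 2865 s.3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    With 16 zero bytes as request_auth it is also the Accounting-Request authenticator (RFC 2866 s.3)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def password_xor(data, secret, request_auth, hiding):
    """User-Password hiding (RFC 2865 s.5.2): 16-byte blocks XORed with MD5(secret + previous hidden block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

# NAS (the RADIUS client): builds requests, verifies responses
def nas_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)             # fresh random Request Authenticator per request
    attrs = [(USER_NAME, username), (USER_PASSWORD, password_xor(password, secret, request_auth, True)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]      # constructed NAS address
    return build(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def nas_check_response(resp, ident, request_auth, secret):
    """Verify identifier and Response Authenticator before acting on Accept/Reject/Accounting-Response."""
    code, rid, auth, attrs = parse(resp)
    if rid != ident or not hmac.compare_digest(auth, resp_auth(code, rid, request_auth, resp[20:], secret)):
        raise ValueError("Response Authenticator mismatch: forged, corrupted or wrong shared secret")
    return code, attrs

def nas_accounting_stop(ident, username, session_id, octets, seconds, secret):
    attrs = [(ACCT_STATUS_TYPE, ACCT_STOP), (USER_NAME, username), (ACCT_SESSION_ID, session_id),
             (ACCT_INPUT_OCTETS, octets), (ACCT_SESSION_TIME, seconds)]
    return build(ACCT_REQUEST, ident, resp_auth(ACCT_REQUEST, ident, b"\x00" * 16, encode_attrs(attrs), secret), attrs)

# RADIUS server: checks credentials, returns authorization attributes, records accounting
def server_access(pkt, secret):
    code, ident, request_auth, attrs = parse(pkt)
    entry = USERS.get(attrs.get(USER_NAME))
    ok = code == ACCESS_REQUEST and entry is not None and hmac.compare_digest(
        entry[0], password_xor(attrs.get(USER_PASSWORD, b""), secret, request_auth, False))
    # Authorization rides on the Accept: here a fixed Framed-IP-Address for the session.
    rcode, rattrs = (ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, entry[1])]) if ok else (ACCESS_REJECT, [])
    return build(rcode, ident, resp_auth(rcode, ident, request_auth, encode_attrs(rattrs), secret), rattrs)

def server_accounting(pkt, secret, ledger):
    code, ident, auth, attrs = parse(pkt)
    if not hmac.compare_digest(auth, resp_auth(ACCT_REQUEST, ident, b"\x00" * 16, pkt[20:], secret)):
        return None                           # RFC 2866: silently discard unauthenticated accounting
    ledger[attrs[ACCT_SESSION_ID]] = (attrs[USER_NAME], struct.unpack("!I", attrs[ACCT_INPUT_OCTETS])[0],
                                      struct.unpack("!I", attrs[ACCT_SESSION_TIME])[0])
    return build(ACCT_RESPONSE, ident, resp_auth(ACCT_RESPONSE, ident, auth, b"", secret), [])

def run_exchange(secret=b"constructed-shared-secret"):
    """Good login, bad login, accounting stop and a forged accounting packet; returns each outcome."""
    ledger = {}
    req, ra = nas_access_request(7, b"alice", b"correct horse", secret)
    good, attrs = nas_check_response(server_access(req, secret), 7, ra, secret)
    req, ra = nas_access_request(8, b"alice", b"wrong", secret)
    bad, _ = nas_check_response(server_access(req, secret), 8, ra, secret)
    acct = nas_accounting_stop(9, b"alice", b"sess-0001", 123456, 3600, secret)
    acct_code, _ = nas_check_response(server_accounting(acct, secret, ledger), 9, acct[4:20], secret)
    forged = server_accounting(acct, b"attacker-guess", ledger)   # wrong secret: dropped, ledger untouched
    return {"accept": good == ACCESS_ACCEPT, "framed_ip": attrs.get(FRAMED_IP_ADDRESS),
            "reject": bad == ACCESS_REJECT, "acct_ok": acct_code == ACCT_RESPONSE,
            "forged_dropped": forged is None, "ledger": ledger}
```

The byte strings produced by `build` are exactly what a NAS would send as UDP datagrams to port 1812 (authentication) and 1813 (accounting); the example deliberately stays in memory. Two things it leaves out matter in practice: the Message-Authenticator attribute (RFC 2869), which is mandatory whenever EAP-Message is carried (RFC 3579) and which a NAS should send on every Access-Request, and the fact that every check here rests on MD5 and on the shared secret staying secret, which is why a long random secret per NAS and RADIUS over TLS (RFC 6614) are expected wherever requests cross a network that is not fully trusted.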
Since this server is a security-critical component, it is usually specially protected and placed behind firewalls that allow only RADIUS traffic from the known NAS devices (UDP ports 1812 and 1813) through to the server. The protocol's own protection is thin: packet integrity and the hiding of the User-Password attribute rest on MD5 and the per-NAS shared secret, so secrets must be long and random, never shared across many devices, and RADIUS over TLS (RadSec, RFC 6614) should be used wherever requests cross untrusted networks.
The RADIUS server is usually managed via a separately segmented administration network. The user data can be stored in a RADIUS database or can be looked up by the RADIUS server via queries to other directory services (LDAP, Active Directory) or databases. In addition to the access data, user-specific data such as the upload and download bandwidths of DSL accesses, IP addresses, service identifiers, or the number of B channels for ISDN dial-up are stored in these databases.
Advantages and disadvantages of the RADIUS protocol
The RADIUS protocol offers the advantage that, despite a distributed network infrastructure, the access data for dial-in users can be managed and kept available at a central location, so that every dial-in is checked against the same current data. The user does not need any information about the location of the RADIUS server, since the network access servers take over the task of forwarding the dial-in requests.
All the user has to do is identify himself to the network with a unique user ID and the appropriate password or security token. Since all account data is also collected in a central location, billing for the services used is greatly simplified.
One disadvantage is that a malfunction of the central RADIUS server affects the entire dial-up network: while the server is unreachable, no new user can be authenticated. Providers minimize this risk with redundant RADIUS servers; each NAS is configured with a primary and one or more fallback servers and fails over to the next one after its retransmissions time out.
The successor to RADIUS is called Diameter (RFC 6733). It is not backward compatible with RADIUS (separate gateways handle interworking) and, while common in mobile core networks, has not displaced RADIUS for enterprise and provider network access.