Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol, operating on default port 1812, that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and was later brought into the Internet Engineering Task Force (IETF) standards. RADIUS is a client/server protocol that runs in the application layer and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, mostly contain a RADIUS client component that communicates with the RADIUS server. RADIUS is usually the back end of choice for 802.1X authentication.
RADIUS is an AAA protocol that manages network access. AAA stands for Authentication, Authorization and Accounting. RADIUS uses two packet types to cover the full AAA process: Access-Request, which handles Authentication and Authorization, and Accounting-Request, which handles Accounting.
RADIUS passes authentication requests to an identity management system. In layman's terms, it is a set of rules that governs the communication between a device (the RADIUS client) and a user database (the RADIUS server). It is an old and simple authentication mechanism designed to let network devices (for example Wi-Fi routers, VPN concentrators and switches) authenticate users. RADIUS has no complex membership requirements beyond network connectivity and a shared secret; with those, the device has everything it needs to check a user's authentication credentials. It is robust and general-purpose.
RADIUS is commonly used to facilitate roaming between networks, for example by companies that provide a single global set of credentials usable on many public networks, or by independent but collaborating institutions that issue their own credentials to their own users, so that a visitor from one institution can be authenticated at another by their home institution.
A RADIUS service allows a company to maintain user profiles in a central database that all remote servers can share. It improves security by letting a company set up a policy that is applied at a single administered network point. A central service also makes it easier to track usage for billing and for keeping network statistics. RADIUS is a de facto industry standard used by a variety of network product companies and is a proposed IETF standard.
RADIUS supports this through realms, which identify where the RADIUS server ought to forward the AAA requests for processing.
How does RADIUS work?
The user or machine sends a request to a Network Access Server (NAS) to gain access to a network resource. This request carries data about the user or the access credentials (username and password), which are passed to the NAS device via the link-layer protocol. The request may contain auxiliary information about the user, for example the network address, phone number, or physical attachment to the NAS.
The RADIUS server checks whether the information is correct using an authentication protocol (e.g. PAP, CHAP or EAP) and returns one of three responses: Access-Reject, Access-Challenge, or Access-Accept. Each of these responses can be passed to the user on a return web page. Once the user is authenticated, the RADIUS server checks whether the user is authorized for the specific network service.
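As an added illustration of the exchange described above (example code, not from the original page or from Netpass), the following Python builds a PAP Access-Request, hides the User-Password under the shared secret and Request Authenticator as RFC 2865 specifies, lets a minimal server answer with a signed Access-Accept or Access-Reject, and has the client verify the Response Authenticator before trusting the reply. The shared secret, user name and password are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types

def xor_password_blocks(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous hidden block), seeded by the Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        xored = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hide else data[i:i + 16]   # the chain always runs over the hidden form
    return out

def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    # Client side: Code | Identifier | Length | Request Authenticator (16 random bytes) | attributes
    authenticator = authenticator or os.urandom(16)
    hidden = xor_password_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, hide=True)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    # Attributes are Type(1) Length(1) Value TLVs; a Length field that overruns the packet is rejected
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    # Server side: recover the password, decide, sign with MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    req_auth, attrs = request[4:20], parse_attributes(request)
    password = xor_password_blocks(attrs[ATTR_USER_PASSWORD], secret, req_auth, hide=False)
    ok = users.get(attrs.get(ATTR_USER_NAME)) == password.rstrip(b"\x00")
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # Client side: trust a reply only if its Identifier matches and its Response Authenticator recomputes
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The Request Authenticator must be fresh random bytes per request: a reply that fails `verify_response` was either not produced by a holder of the shared secret or was not produced for this request.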
RADIUS / AAA network access is a vital component of any organization's network management. The Netpass RADIUS service is a powerful and cost-effective choice for a variety of organizations:
- AAA for small businesses that probably have not considered using RADIUS before: they can benefit from powerful 802.1X-based security at an affordable price that scales with their size.
- Guest and co-working space access providers, and Wi-Fi hotspot deployments, get a flexible and scalable RADIUS service option that integrates easily with captive portal sign-on splash pages to provide access control and usage logging without a physical footprint.
- Larger enterprises, government agencies, and educational institutions that are planning to migrate applications and infrastructure to the cloud can add RADIUS to that list, which can eliminate the cost of on-premises servers, simplify administration, and gain scalability.
RADIUS is also compatible with the EAP-TLS, EAP-TTLS and PEAP methods for 802.1X. EAP-TLS is used with smart card user authentication. A smart card holds a digital certificate that, together with a user-entered personal identification number (PIN), permits the user to be authenticated on the network. EAP-TLS depends on digital certificates to authenticate the identities of both the client and the server.
- EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following "inner EAP" methods is used:
- EAP-Generic Token Card (GTC): This EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards and the use of an LDAP or RADIUS server as the user authentication server. Caching of user credentials on the controllers can also be enabled, which acts as a backup to an external authentication server.
- EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): This EAP method is broadly supported by Microsoft clients. A RADIUS server is used as the backend authentication server.
If you use the controller's internal database for user authentication, you need to add the names and passwords of the users to be authenticated. If you use a RADIUS server for user authentication, you need to configure the RADIUS server on the controller.