
RADIUS Server (RADIUS Authentication) and How it Works


If you’ve heard of RADIUS servers and authentication, then you may be wondering: what is RADIUS? RADIUS clients and servers are core authentication tools, so it helps to understand what they do, how they work, and why they matter for solutions like Foxpass.

What is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is a client-server networking protocol that runs on the application layer. The RADIUS protocol uses a RADIUS Server and RADIUS Clients.

A RADIUS Client (or Network Access Server) is a networking device (like a VPN concentrator, router, or switch) that is used to authenticate users.

A RADIUS Server is a background process that runs on a UNIX or Windows server. It lets you maintain user profiles in a central database. If you have a RADIUS Server, you have control over who can connect to your network.

When a user tries to connect to a RADIUS Client, the Client sends requests to the RADIUS Server. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.

How a RADIUS Server operates depends on the exact nature of the RADIUS ecosystem. However, all servers have AAA capabilities (Authentication, Authorization, and Accounting). In some RADIUS ecosystems, a RADIUS Server can also act as a proxy client to other RADIUS Servers.

RADIUS Servers give businesses the ability to preserve the privacy and security of their system and their users, thus helping with security management and creating policies for server administration.

How does RADIUS Server authentication and authorization work?

A RADIUS Server supports a variety of methods to authenticate users. RADIUS Server authentication and authorization go hand-in-hand and usually start when a user tries to connect to the RADIUS Client using a username and password.

A basic RADIUS authentication and authorization process includes the following steps:

  1. The RADIUS Client tries to authenticate to the RADIUS Server using user credentials (username and password).

  2. The Client sends an Access-Request message to the RADIUS Server. Passwords are always encrypted in the Access-Request message.

  3. The RADIUS Server reads the shared secret and ensures that the Access-Request message is from an authorized Client. If it’s not, then the message is discarded.

  4. If the Client is authorized, the RADIUS Server reads the authentication method requested.

  5. If the authentication method used is allowed, then the RADIUS Server reads the user’s credentials from the message and matches the credentials against the user database. If there is a match, the RADIUS Server extracts additional user details from the user database.

  6. The RADIUS server now checks to see if there is an access policy or a profile that matches the user credentials.

  7. If there is no matching policy, then the server sends an Access-Reject message. The RADIUS transaction ends, and the user is denied access to the system.

  8. If there is a matching policy, the RADIUS Server sends an Access-Accept message to the device.

  9. The Access-Accept message consists of a shared secret and a Filter ID attribute. If the shared secret does not match, the RADIUS Client rejects the message.

  10. If the shared secret matches, the Client reads the value of the Filter ID attribute. The Filter ID is a string of text. The RADIUS Client connects the user to a particular RADIUS Group using this Filter ID. (A RADIUS Group is a group of users who have the same FilterID value, making it easier to categorize users in functional groups like Sales, Networking, HR, IT, etc.)

  11. The user is finally authenticated and authorized and will obtain access to the RADIUS Client.

This occurs in a matter of split-seconds, providing fast and secure network access to all approved users.
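The password hiding and Access-Accept check from the steps above, as an added Python example that follows RFC 2865 and is not Foxpass code. In RFC 2865 the shared secret never travels in a packet: the Client uses it to hide the User-Password, and the Server proves it knows the secret through the Response Authenticator, which the Client recomputes before trusting the Filter-Id. The secret, password and Filter-Id value are constructed sample data.

```python
import hashlib, hmac, os, struct

ACCESS_ACCEPT, FILTER_ID = 2, 11   # packet code and attribute type from RFC 2865

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """Client: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server: reverse hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_accept(ident, request_auth, attrs, secret):
    """Server: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, request_auth, secret):
    """Client: recompute the Response Authenticator and compare in constant time."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Walk the type-length-value attributes that follow the 20-octet header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

# Constructed sample exchange: secret, password and Filter-Id value are made up.
SECRET, REQ_AUTH = b"example-shared-secret", os.urandom(16)
HIDDEN = hide_password(b"correct horse battery", SECRET, REQ_AUTH)
ACCEPT = build_accept(7, REQ_AUTH, [(FILTER_ID, b"Sales")], SECRET)
```

Because the Response Authenticator covers the attributes, a Client that verifies it before reading Filter-Id also rejects an Access-Accept whose group value was altered in transit.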

How does accounting for RADIUS Server / RADIUS Authentication work?

RADIUS Servers are also used for accounting purposes by collecting data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.

A basic RADIUS accounting process includes the following steps:

  1. The process starts when the user is granted access to the RADIUS Server.

  2. The RADIUS Client sends a RADIUS Accounting-Request packet, known as Accounting Start, to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and point of access.

  3. During the session, the Client may send additional Accounting-Request packets (known as Interim Updates) to the RADIUS Server. These packets include details like the current session duration and data usage, and they update the RADIUS Server's information about the user's session.

  4. Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet (known as Accounting Stop) to the RADIUS Server. The packet includes information such as total time, data, packets transferred, the reason for disconnection, and other information relevant to the user's session.
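The Start, Interim Update and Stop sequence above, as an added Python example that follows RFC 2866 and is not Foxpass code: the Client authenticates each Accounting-Request with the shared secret, and the Server drops any packet whose authenticator fails before touching its session table. The packets carry only User-Name, Acct-Session-Id, Acct-Status-Type and Acct-Session-Time, and the secret, user and session ids are constructed sample values.

```python
import hashlib, hmac, struct

ACCOUNTING_REQUEST = 4                       # packet code (RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
START, STOP, INTERIM = 1, 2, 3               # Acct-Status-Type values

def accounting_request(ident, secret, status, seconds=None,
                       user=b"alice", session=b"sess-0001"):
    """Client: authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    fields = [(USER_NAME, user), (ACCT_SESSION_ID, session),
              (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    if seconds is not None:
        fields.append((ACCT_SESSION_TIME, struct.pack("!I", seconds)))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def iter_attrs(body):
    """Yield (type, value) pairs, rejecting lengths that would overrun the packet."""
    while body:
        if len(body) < 2 or not 2 <= body[1] <= len(body):
            raise ValueError("malformed attribute")
        yield body[0], body[2:body[1]]
        body = body[body[1]:]

def record(sessions, packet, secret):
    """Server: verify the authenticator first, then fold the packet into the session table."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if packet[:1] != bytes([ACCOUNTING_REQUEST]) or not hmac.compare_digest(expected, packet[4:20]):
        return False                          # forged or corrupted: silently discard
    a = dict(iter_attrs(packet[20:]))
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    s = sessions.setdefault(a[ACCT_SESSION_ID], {"user": a[USER_NAME], "seconds": 0, "open": True})
    if ACCT_SESSION_TIME in a:
        s["seconds"] = struct.unpack("!I", a[ACCT_SESSION_TIME])[0]
    s["open"] = status != STOP
    return True

def replay():
    """Constructed session: Start, Interim Update, Stop, then a Stop built with a wrong secret."""
    secret, sessions = b"example-shared-secret", {}
    packets = [accounting_request(1, secret, START),
               accounting_request(2, secret, INTERIM, 300),
               accounting_request(3, secret, STOP, 912),
               accounting_request(4, b"guessed-secret", STOP, 5, session=b"sess-0002")]
    return [record(sessions, p, secret) for p in packets], sessions
```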

Conclusion

A RADIUS Server protects your organization's private information and prevents it from being leaked to snooping outsiders. Additionally, it allows easy depreciation capabilities, enables individual users to be assigned unique network permissions, and can integrate into your existing system without any significant changes. All this and more make it a valuable tool for authentication, access, and security.

The uses and benefits of RADIUS Servers are wide-reaching, from security to ease of management to implementing role-based access control. So, if you’re looking to integrate a RADIUS ecosystem into your current system with ease, contact Foxpass today and see what our cloud-hosted RADIUS and LDAP can do for you.

Wi-Fi is a trademark of Wi-Fi Alliance®

Copyright © 2025 Splashtop Inc. All rights reserved. All $ prices shown in USD.