The Remote Authentication Dial-In User Service or RADIUS is a common tool of Internet Service Providers (ISPs) and companies with larger networks for managing access to an internal network, the Internet, a wireless network or e-mail services. RADIUS acts as a front-end tool that draws on a common database/data source to authenticate users and authorize their access to a system or a service.
RADIUS Provides AAA Processing
From its initial uses for dial-up services by ISPs, RADIUS has become a powerful "AAA" tool. AAA stands for authentication, authorization, and accounting.
When a remote user or a wireless device attempts to join a network, the user typically must enter a username and password. These credentials, along with some other data generated by the login process, are passed to the RADIUS server, which is also referred to as the AAA server. RADIUS then authenticates the user, provides authorization for allowed activities and resources, and, in many cases, starts the accounting/tracking process. If the credentials entered are not known to the RADIUS server, access is denied.
RADIUS in the Dial-up World
When a dial-up user connects to a Network Access Server (NAS), the NAS sends the username and password, the port ID, and other data in an Access-Request message to the RADIUS server. The server verifies whether the NAS has authorization to send requests. If so, the RADIUS server then attempts to find the user credentials in its database.
If the user is authentic and has the authorization to use a requested service in the database, the RADIUS server returns an Access-Accept message, which also enables RADIUS accounting, and the user may proceed. If the user cannot be authenticated, the server returns an Access-Reject message and the NAS disconnects from the user.
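The exchange described above, as an added Python example that is not part of the original article: it follows the RFC 2865 packet layout for Access-Request, Access-Accept and Access-Reject. The function names, the in-memory user table with plaintext passwords, and the per-NAS shared-secret map keyed by source address are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5            # RFC 2865 attribute types

def xor_password(data, secret, authenticator, hiding):
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = res if hiding else block  # the chain always runs over the hidden bytes
        out += res
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # type, length, value

def build_request(ident, user, password, port, secret):
    """NAS side: Access-Request with User-Name, hidden User-Password and NAS-Port."""
    ra = os.urandom(16)  # Request Authenticator, fresh per request
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    body = (attr(USER_NAME, user) + attr(USER_PASSWORD, xor_password(padded, secret, ra, True))
            + attr(NAS_PORT, struct.pack("!I", port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def handle_request(packet, nas_ip, nas_secrets, users):
    """Server side: reply packet, or None when the request is silently dropped."""
    secret = nas_secrets.get(nas_ip)
    if secret is None or len(packet) < 20:  # unknown NAS: not authorized to send requests
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        return None
    ra, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    stored = users.get(attrs.get(USER_NAME))  # assumption: plaintext user table
    given = xor_password(attrs.get(USER_PASSWORD, b""), secret, ra, False).rstrip(b"\x00")
    ok = stored is not None and hmac.compare_digest(stored, given)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()  # Response Authenticator

def reply_is_authentic(reply, request, secret):
    """NAS side: recompute the Response Authenticator before trusting the reply."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)
```

The NAS should call `reply_is_authentic` on every reply, since an Access-Accept that fails the check did not come from a server holding the shared secret.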
RADIUS in a WLAN
In addition to the AAA functions of RADIUS, there are reasons specific to a wireless local area network (WLAN) for including RADIUS in the wireless network. RADIUS is included in the security standards of the Institute of Electrical and Electronics Engineers (IEEE), in standard 802.1x for port-based access control of Ethernet networks. IEEE 802.1x defines the use of RADIUS as an authentication server for Ethernet networks, including wireless networks.
When RADIUS is enabled on a WLAN -- or any network for that matter -- network security is enhanced, the tracking and reporting of users and their activities is improved, and you gain the capability to direct user groups to specific user profiles or virtual LANs (VLANs). However, in a Bring-Your-Own-Device (BYOD) environment, users attempting to connect Windows clients may find that configuring RADIUS can be complex and difficult.
RADIUS and IPv6
RADIUS came to be in an IPv4 world and, for the most part, is still largely an IPv4 tool. However, several software publishers have adapted their RADIUS offerings to service both IPv4 and IPv6 traffic and interfaces. Some accept IPv6 messages and convert them to IPv4 messages for AAA processing, while others handle either IP format completely.