Introduction To The Radius Protocol - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family
3Com Router 3000 Ethernet Family
Configuration Guide
RADIUS authorization following successful authentication: With RADIUS, users
are authorized only after they pass authentication. In other words, you cannot
perform RADIUS authorization without authentication.
III. Accounting
AAA supports the following accounting methods:
None accounting: does not require accounting.
Remote accounting: conducted through a RADIUS server or TACACS server.
AAA usually utilizes a Client/Server model, where the client is the router that controls
user access and the server stores user information. The framework of AAA thus allows
for good scalability and centralized user information management. Being a
management framework, AAA can be implemented using multiple protocols. In V 2.41,
AAA is implemented based on RADIUS or HWTACACS.

2.1.2 Introduction to the RADIUS Protocol

I. What is RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information
exchange protocol based on the Client/Server model. RADIUS protects the network
against unauthorized access, and it is often used in network environments
where both high security and remote user access are required. For example, it is often
used for managing a large number of scattered dial-in users that use serial ports and
modems. The RADIUS system is an important auxiliary part of a Network Access
Server (NAS).
The RADIUS service involves three components:
Protocol: RADIUS runs over UDP/IP. RFC 2865 and RFC 2866 define the RADIUS
frame format and the message transfer mechanism, and use 1812 as the
authentication port and 1813 as the accounting port.
Server: The RADIUS server runs on a central computer or workstation and
contains information on user authentication and network service access.
Client: Located at the Network Access Server (NAS) side. It can be placed
anywhere in the network.
As the RADIUS client, the NAS (a router for example) is responsible for passing user
information to a designated RADIUS server and acts on the response returned from the
server (such as connecting/disconnecting users). The RADIUS server receives user
connection requests, authenticates users, and returns the required information to the
NAS.
In general, the RADIUS server maintains three databases, namely, Users, Clients and
Dictionary, as shown in the following figure. "Users" stores user information such as
username, password, applied protocols, and IP address; "Clients" stores information
Chapter 2 AAA and RADIUS/HWTACACS Protocol
3Com Corporation