RADIUS Authentication and Authorization
RADIUS is an access server authentication, authorization, and accounting protocol used to
secure remote access to networks and network services against unauthorized access.
RADIUS consists of three components:
• A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)
• A centralized server that stores all the user authorization information
• A client, in this case, the switch
The operation of RADIUS authentication and authorization protocol is based on the AA model described previously. The switch—acting as the RADIUS client—will communicate to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.
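The following is an added example, not code from the Application Guide or from the switch vendor, showing the two mechanisms the paragraph above relies on: how the client hides the User-Password attribute with the shared secret (RFC 2865 section 5.2, the successor of RFC 2138) so that the secret itself never crosses the wire, and how the client checks the Response Authenticator on the server's Access-Accept or Access-Reject (RFC 2865 section 3) before acting on it. The shared secret, the user name and password, and the user ID database are constructed sample values. Note that the password hiding is an MD5-keyed XOR stream, so its protection rests entirely on the strength and secrecy of the shared secret.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865 (successor to RFC 2138).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the null-padded password, 16 bytes at a time,
    with MD5(secret + previous block), seeded by the Request Authenticator.
    The secret keys the stream but is never placed in the packet."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # each block is chained on the previous hidden block
    return bytes(hidden)


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received blocks."""
    clear, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte header (Code, Identifier, Length, Authenticator) plus attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def client_access_request(username: bytes, password: bytes, secret: bytes, identifier: int = 1):
    """Step 2 of Figure 5-1: the switch builds an Access-Request. Returns the packet
    and the random Request Authenticator it must keep to verify the reply."""
    request_auth = secrets.token_bytes(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, request_auth, secret))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_reply(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Steps 3 and 4: the server recovers the password, checks it against the
    user ID database and answers Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], request[20:length]
    fields, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:  # malformed attribute; RFC 2865 requires Length >= 2
            break
        fields[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    user = fields.get(ATTR_USER_NAME, b"")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    reply_code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, request_auth, b"", secret)
    return packet(reply_code, identifier, auth, b"")


def client_verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """The switch acts on the reply code only if the Response Authenticator
    matches; a reply produced without the shared secret returns None."""
    if len(reply) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = response_authenticator(code, identifier, request_auth, reply[20:], secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


if __name__ == "__main__":
    SECRET = b"example-shared-secret"      # constructed sample value
    USERS = {b"admin": b"s3cret-pw"}        # constructed sample user ID database
    req, ra = client_access_request(b"admin", b"s3cret-pw", SECRET)
    reply = server_reply(req, SECRET, USERS)
    print("verified reply code:", client_verify_reply(reply, ra, SECRET))
```

Running the block performs one complete exchange on the constructed values and prints the verified reply code (2 for Access-Accept). A reply produced by a server that holds a different secret fails the Response Authenticator check, which is the property that lets the switch trust the grant/deny decision it receives.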
Figure 5-1 Authentication and Authorization: How It Works
[Figure: the remote administrator reaches the Alteon Web Switch over the Internet; the switch communicates with the authentication servers. Steps shown in the figure:]
1. Remote administrator connects to switch and provides user name and password.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny admin access.
Chapter 5: Secure Switch Management
Web OS 10.0 Application Guide
212777-A, February 2002