users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary, as
shown in Figure 2.
Figure 2 RADIUS server components
• Users—Stores user information such as the usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Security and Authentication Mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared
key, which is never transmitted over the network. This improves the security of the information
exchange. In addition, to prevent user passwords from being intercepted in non-secure networks,
RADIUS encrypts passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, such as the Password Authentication
Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS
server can act as the client of another AAA server to provide authentication proxy services.
RADIUS Basic Message Exchange Process
Figure 3 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.