Radius - HP 12500 Series Configuration Manual

You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, you only need to
configure an authentication server. If network usage information is needed, you must also configure an
accounting server.
AAA can be implemented through multiple protocols. The switch supports using RADIUS and
HWTACACS. RADIUS is often used in practice.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and
records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server components
Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
•
addresses.
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
• Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
RADIUS uses a shared key that is never transmitted over the network to authenticate Information
exchanged between a RADIUS client and the RADIUS server, enhancing the information exchange
security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS
encrypts passwords before transmitting them.
6