How Does Radius Work - Digi PortServer II User Manual

Communication terminal server

How does RADIUS work?

RADIUS (Remote Authentication Dial In User Service) is a method of remotely
maintaining a database of profiles for dial-in users. RADIUS requires two
components, an authentication host server and client protocols. Client protocol
software is included with PortServer II's software. PortServer II sends authentication
requests to the server and acts on its responses. The RADIUS server accepts and
processes authentication requests, and informs PortServer II of the results. For
example, in a UNIX environment, the RADIUS server authenticates users against a
UNIX password file, Network Information Services (NIS), and a
separately-maintained RADIUS database.

When a user logs into a PortServer II that is configured to use RADIUS, PortServer II
collects login information such as username and password. It then looks in its local
database of users for the username; if it finds the username, the user is locally
authenticated. If the local authentication fails, PortServer II creates an Authentication
Request including attributes such as the user's name, the user's password, and the
port through which the user dialled in. For protection against eavesdropping, it hides
any password present using an encryption algorithm.

PortServer II then submits the Authentication Request to the RADIUS server via the
LAN or WAN. The time it waits for a response and the number of retries are
configurable at the RADIUS server. If it receives no response, it may route the request
to an alternate RADIUS server, depending on how the network is configured.

The RADIUS server validates the Authentication Request, and decrypts the password.
It passes validated information to all compatible security systems maintained on the
system.

If any validation condition is not met, the RADIUS server returns an Access Reject
message to PortServer II. This indicates that the user request is invalid and PortServer
II denies the user access.

If all validation conditions are met, the RADIUS server returns an Access
Acknowledgment message. This message may include additional information, such as the
protocol to use, or filtering information to restrict the user to specific resources.
PortServer II then provides the user with the service indicated by the Access
Acknowledgment message.

To ensure that requests are not responded to by unauthorized intruders on the network,
the RADIUS server sends an authentication key or password in each transaction,
identifying itself to PortServer II.
Page 176
Configuring RADIUS
90030500B
