RADIUS Authentication Process - 3Com 3C421600A Management Manual

SuperStack II Remote Access System

The RAS 1500 integrates the following enhanced RADIUS features:

- 128 challenge responses up to 128 bytes
- A filter rule format allowing filter names and rules to be downloaded to the RADIUS client
- Dynamic RADIUS server changes of a user's filter rules
- Increased RADIUS security through RADIUS server verification of source IP address and UDP port
- Configuration of one secret and UDP port per server

RADIUS Authentication Process

When a user dials into the RAS 1500 and RADIUS authentication is enabled, the following occurs:

1. The RAS 1500 checks its own user table. If the RAS 1500 finds a local entry, the RAS 1500 grants or denies the user access based on information in the table. RADIUS authentication is not attempted. If the RAS 1500 cannot find a local entry, it uses the RADIUS server to authenticate the user.

   The preceding step is performed only if local authentication is enabled.

2. The RAS 1500 encrypts the user's password using an encryption key shared by both the RAS 1500 and the RADIUS server, and passes the username and encrypted password to the RADIUS server.

3. The RADIUS server checks the username and password against its users file, determines whether to grant or deny access, and passes this information back to the RAS 1500.

4. If access is denied, the RAS 1500 disconnects the user. If access is granted, the RADIUS server forwards the appropriate user configuration information (such as what host or what protocol the user needs) to the RAS 1500.

CHAP Authentication Using RADIUS

The username of the remote device must be the user ID it sends during Challenge Handshake Authentication Protocol (CHAP) authentication. The password must be in clear text for the MD5/MD4 comparison to succeed. This password is called a shared secret. The remote device uses the same password. If the RAS 1500 does not have a user table entry for the remote device, there must be an entry for the remote device in the RADIUS users file.
This manual is also suitable for:

Remote access system 1500
