Configuring RADIUS
Overview
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model to implement AAA. It can protect networks against unauthorized access and
is often used in network environments that require both high security and remote user access. For more
information about AAA, see
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. Because of new access methods, RADIUS has
been extended to support additional access methods, including Ethernet and ADSL. RADIUS provides
access authentication and authorization services, and its accounting function collects and records
network resource usage information.
Client/server model
RADIUS clients run on NASs located throughout the network. NASs pass user information to RADIUS
servers, and reject or accept user access requests depending on the responses from RADIUS servers.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It receives connection requests, authenticates
users, and returns access control information (for example, rejecting or accepting the user access request)
to the clients.
The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary.
See
Figure
417.
Figure 417 RADIUS server databases
•
Users—Stores user information such as usernames, passwords, applied protocols, and IP
addresses.
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
Dictionary—Stores RADIUS protocol attributes and their values.
•
Security and authentication mechanisms
The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt
user passwords exchanged between them. For security purpose, this key must be manually configured on
the client and the server.
"Configuring
AAA."
402