RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS
server can act as the client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
Figure 418 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 418 Basic RADIUS message exchange process
RADIUS uses the following workflow:
1. The host initiates a connection request that carries the user's username and password to the RADIUS client.
2. When the RADIUS client receives the username and password, it sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the server returns an Access-Accept message containing the user's authorization information. If the authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, the RADIUS client sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) and starts accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns an acknowledgement (Accounting-Response) and stops accounting for the user.