connection requests, authenticates users, and returns the processing results (for example,
rejecting or accepting the user access request) to the clients.
In general, the RADIUS server maintains three databases, namely, Users, Clients, and Dictionary, as
Figure 1-2 RADIUS server components
Users: Stores user information such as the usernames, passwords, applied protocols, and IP
Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses.
Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values.
Security and Authentication Mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a
shared key, which is never transmitted over the network. This enhances the information exchange
security. In addition, to prevent user passwords from being intercepted in non-secure networks,
RADIUS encrypts passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, for example, the Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Moreover, a
RADIUS server can act as the client of another AAA server to provide authentication proxy services.
Basic Message Exchange Process of RADIUS
illustrates the interaction of the host, the RADIUS client, and the RADIUS server.