Introduction to RADIUS
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization,
and Accounting (AAA). For more information, see the chapter "AAA configuration".
RADIUS uses the client/server model. It can protect networks against unauthorized access and is often used
in network environments where both high security and remote user access are required. RADIUS defines the
packet format and message transfer mechanism, and uses UDP as the transport layer protocol for
encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for
RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS
has been extended to support additional access methods, for example, Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and records
network resource usage information.
Client—Generally, the RADIUS client runs on the NASs located throughout the network. It passes user
information to designated RADIUS servers and acts on the responses (for example, rejects or accepts
user access requests).
Server—Generally, the RADIUS server runs on the computer or workstation at the network center and
maintains information related to user authentication and network service access. It listens to
connection requests, authenticates users, and returns the processing results (for example, rejecting or
accepting the user access request) to the clients.
In general, the RADIUS server maintains the databases: Users, Clients, and Dictionary, as shown in a.
RADIUS server components
Users—Stores user information such as the usernames, passwords, applied protocols, and IP
Clients—Stores information about RADIUS clients, such as the shared keys and IP addresses.
Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key,
which is never transmitted over the network. This enhances the information exchange security. In addition,