3Com Switch 4800G 24-Port Configuration Manual page 749

Switch 4800g family 24-port, pwr 24-port, 48-port, pwr 48-port, 24-port sfp

Introduction to RADIUS
AAA can be implemented through multiple protocols. Currently, the device
supports using RADIUS and HWTACACS for AAA, and RADIUS is often used in
practice.
Remote Authentication Dial-In User Service (RADIUS) is a distributed information
interaction protocol in the client/server model. RADIUS can protect networks
against unauthorized access and is often used in network environments where
both high security and remote user access are required. Based on UDP, RADIUS
defines the RADIUS packet format and the message transfer mechanism, and uses
UDP port 1812 as the authentication port and 1813 as the accounting port.
RADIUS was originally designed for dial-in user access. With the diversification of
access methods, RADIUS has been extended to support more access methods, for
example, Ethernet access and ADSL access. It uses authentication and
authorization to provide access service and uses accounting to collect and record
usage of network resources by users.
Client/server model
Client: The RADIUS client runs on the network access servers (NASs) located
throughout the network. It passes user information to designated RADIUS servers
and acts on the response (for example, rejects or accepts user access requests).
Server: The RADIUS server runs on the computer or workstation at the network
center and maintains information related to user authentication and network
service access. It authenticates a user after receiving a connection request and
returns the processing result (for example, rejecting or accepting user access
requests) to the client.
In general, the RADIUS server maintains three databases, namely, Users, Clients,
and Dictionary, as shown in Figure 228:
Figure 228 RADIUS server components (RADIUS server databases: Users, Clients, Dictionary)
Users: Stores user information such as the username, password, applied
protocols, and IP address.
Clients: Stores information about RADIUS clients such as the shared keys and IP
addresses.
Dictionary: Stores the information for interpreting RADIUS protocol attributes
and their values.
Security authentication mechanism
Information exchanged between the RADIUS client and the RADIUS server is
authenticated with a shared key, which is never transmitted over the network,
thus enhancing the security of information exchange. To prevent user passwords
from being intercepted in non-secure networks, the passwords are encrypted
during transmission.
AAA/RADIUS/HWTACACS Overview
