About Radius - Cisco IOS XR Configuration Manual

System security configuration guide

Information About Configuring AAA Services

• TACACS+ server and server group configuration
• RADIUS server and server group configuration

About RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco routers and send authentication and accounting
requests to a central RADIUS server that contains all user authentication and network service access
information.

RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with
any security system currently available on the market.

Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA
security protocols, such as TACACS+, Kerberos, and local username lookup. RADIUS is supported on
all Cisco platforms, but some RADIUS-supported features run only on specified platforms.

RADIUS has been implemented in a variety of network environments that require high levels of security
while maintaining network access for remote users.

Use RADIUS in the following network environments that require access security:

• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
  servers from several vendors use a single RADIUS server-based security database. In an IP-based
  network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS
  server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
  as in an access environment that uses a "smart card" access control system. In one case, RADIUS
  has been used with Enigma security cards to validate users and grant access to network resources.
• Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This
  might be the first step when you make a transition to a Terminal Access Controller Access Control
  System Plus (TACACS+) server.
• Networks in which a user must access only a single service. Using RADIUS, you can control user
  access to a single host, utility such as Telnet, or protocol such as Point-to-Point Protocol (PPP). For
  example, when a user logs in, RADIUS identifies this user as having authorization to run PPP using
  IP address 10.2.3.4 and the defined access list is started.
• Networks that require resource accounting. You can use RADIUS accounting independent of
  RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
  at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and
  so on) used during the session. An Internet service provider (ISP) might use a freeware-based
  version of RADIUS access control and accounting software to meet special security and billing
  needs.
• Networks that wish to support preauthentication. Using the RADIUS server in your network, you
  can configure AAA preauthentication and set up the preauthentication profiles. Preauthentication
  enables service providers to better manage ports using their existing RADIUS solutions and to
  efficiently manage the use of shared resources to offer differing service-level agreements.

RADIUS is not suitable in the following network security situations:

• Multiprotocol access environments. RADIUS does not support the following protocols:
  - AppleTalk Remote Access (ARA)
  - NetBIOS Frame Control Protocol (NBFCP)

Cisco IOS XR System Security Configuration Guide
SC-182
Configuring AAA Services on Cisco IOS XR Software
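
The accounting records described above (sent at the start and end of a service, carrying time, packet and byte counts) can be checked and decoded on the server side as follows. This is an added example, not code from the Cisco guide: it follows the packet layout and Request Authenticator rule of RFC 2866, and the shared secret, user name, session ID and counters are constructed sample values.

```python
import hashlib
import hmac
import struct

# Attribute type codes from RFC 2865/2866; 1 and 44 are text, the rest 32-bit integers.
ATTRS = {1: "User-Name", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 44: "Acct-Session-Id", 46: "Acct-Session-Time",
         47: "Acct-Input-Packets", 48: "Acct-Output-Packets"}
TEXT, STATUS = {1, 44}, {1: "Start", 2: "Stop"}
ACCOUNTING_REQUEST = 4

def authenticator(code, ident, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, secret, fields):
    """Encode a constructed Accounting-Request, standing in for the router (client)."""
    attrs = b""
    for atype, value in fields:
        data = value.encode() if atype in TEXT else struct.pack("!I", value)
        attrs += struct.pack("!BB", atype, len(data) + 2) + data
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return head + authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs

def parse_accounting_request(packet, secret):
    """Decode a record; raise ValueError if it is malformed or fails authentication."""
    length = int.from_bytes(packet[2:4], "big")  # 0 for a truncated header
    if packet[:1] != bytes([ACCOUNTING_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    expected = authenticator(ACCOUNTING_REQUEST, packet[1], attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request Authenticator mismatch")
    record, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        atype, data = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if atype in ATTRS:
            value = data.decode(errors="replace") if atype in TEXT else int.from_bytes(data, "big")
            record[ATTRS[atype]] = STATUS.get(value, value) if atype == 40 else value
        pos += attrs[pos + 1]
    return record

# Constructed sample: an end-of-session (Stop) record with usage counters.
SECRET = b"constructed-shared-secret"
SAMPLE_STOP = build_accounting_request(8, SECRET, [
    (1, "alice"), (40, 2), (44, "sess-0001"), (46, 300), (42, 1500), (43, 98000)])
```

A record whose counters are altered in transit, or that was built with a different shared secret, fails the authenticator check and is rejected before any attribute is decoded.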


This manual is also suitable for:

IOS XR 3.5
