Remote Authentication Dial In User Service (Radius); Overview - Foundry Networks NetIron M2404C User Manual


Foundry NetIron M2404C and M2404F Metro Access Switches
Remote Authentication Dial In User Service (RADIUS)
The Remote Authentication Dial In User Service (RADIUS) is a client/server protocol for carrying
authentication, authorization, and configuration information between a Network Access Server
(RADIUS Client), which requests to authenticate its links, and a shared Authentication Server
(RADIUS Server). The current RADIUS client supports login-type authentication only.

Overview

A network access server (NAS) uses User Datagram Protocol (UDP) packets to communicate with
a RADIUS server. The RADIUS protocol is a connectionless service. The transmission protocol
does not handle issues related to server availability, retransmission, and timeouts, leaving these
tasks to the RADIUS-enabled devices.
RADIUS is used for exchanging information between the RADIUS client, which is typically a
NAS, and the RADIUS server, which is usually a UNIX or Windows NT daemon process. The
RADIUS client sends user-connection requests to designated RADIUS servers, and the RADIUS
servers respond by returning configuration information necessary for the client to provide service
to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of
authentication servers.
A typical RADIUS communication procedure is demonstrated in Figure 3. In this example, the
user sends a Telnet request to the NAS. The NAS sends user authentication information to the
RADIUS server, which responds with the appropriate ACCEPT or REJECT reply. The NAS
accepts or rejects the user's request in accordance with the reply received from the RADIUS
server.

Figure 3: RADIUS Communication Example

The NAS and the RADIUS server use a shared secret to authenticate transactions between them.
This secret is never sent over the network. Furthermore, all user passwords exchanged between the
NAS and the RADIUS server are encrypted on the basis of the RSA Message Digest Algorithm,
MD5, to prevent anyone snooping on an insecure network from determining users' passwords.
When the RADIUS server receives a request, it validates the sending client. If the RADIUS server
does not have a shared secret with the client that sent the request, RADIUS will silently discard the
request. Otherwise, the client is valid, and the RADIUS server consults a database of users to find
the user whose name matches the request. The user entry in the database contains a list of
requirements that must be met in order to allow access for the user. This always includes

Remote Authentication Dial In User Service (RADIUS) © 2008 Foundry Networks, Inc.
Configuring Switch Authentication Features (Rev. 03)
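The two shared-secret mechanisms the overview describes, User-Password hiding with MD5 and the server's reply being validated by the NAS, as an added example in Python following RFC 2865; this is not code from the Foundry manual, and the shared secret and Request Authenticator values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the manual): a shared secret configured on
# both NAS and server, and the 16-byte Request Authenticator the NAS generates
# randomly for each Access-Request (fixed here so the example is reproducible).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16, then
    XOR each 16-byte chunk with MD5(secret + previous hidden chunk); for the
    first chunk the "previous chunk" is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: same chain, but each mask is keyed on the received hidden
    chunk, so only a holder of the shared secret recovers the password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: the server's reply carries
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the secret
    itself never appears on the wire."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def nas_accepts_reply(code: int, ident: int, attrs: bytes, resp_auth: bytes,
                      req_auth: bytes, secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator before honouring an
    ACCEPT/REJECT; a mismatch means the reply did not come from a server
    holding the shared secret and must be discarded."""
    expected = response_authenticator(code, ident, attrs, req_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

Because the hiding is a reversible XOR keyed only by the secret and a random authenticator, the strength of the shared secret is what protects the password on the wire.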