Security And Authentication Mechanisms; Basic Radius Message Exchange Process - HP 1920 Gigabit Ethernet Switch Series User Manual

Security and authentication mechanisms

The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt
user passwords exchanged between them. For security, this key must be manually configured on the
client and the server.
RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A RADIUS
server can act as the client of another AAA server to provide authentication proxy services.

Basic RADIUS message exchange process

Figure 347 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 347 Basic RADIUS message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user's username and password to the
RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted using the MD5 algorithm
and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server returns an Access-Accept message containing the user's authorization information. If the
authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns an acknowledgement (Accounting-Response) and starts accounting.
6. The user accesses the network resources.
364