
RADIUS

Posted on Jul 2, 2024 by

What Is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol utilizing a client/server model. It secures networks against unauthorized access and is commonly employed in environments requiring robust security alongside remote access capabilities. RADIUS is a widely adopted standard protocol supported by nearly all mainstream devices, serving as the predominant AAA (Authentication, Authorization, and Accounting) protocol in operational networks. Operating over User Datagram Protocol (UDP), RADIUS ensures efficient real-time performance. Moreover, it incorporates mechanisms such as retransmission and backup servers to ensure high reliability. RADIUS implementations are straightforward and include server-side multithreading capabilities for efficient authentication of large user populations.

Why Do We Need RADIUS?

Authentication, Authorization, and Accounting (AAA) provides a framework for managing access control on a network access server (NAS). It determines which users can access the network, specifies the resources or services authorized users can use, and handles the billing for network resource usage. AAA can be implemented using various protocols, with RADIUS being the most widely adopted.

RADIUS is a protocol used for communication between the NAS and AAA server. Initially developed to manage large numbers of dispersed users using serial ports and modems, RADIUS has since been extensively applied to NAS systems. When a user seeks permission to access specific networks or utilize certain network resources, they establish a connection with the NAS via a network (such as a telephony network). The NAS then handles user authentication or connection authentication and forwards the user's AAA information to the RADIUS server. RADIUS specifies how to transmit user information and accounting details between the NAS and the RADIUS server. Upon receiving user requests, the RADIUS server authenticates the users and sends the necessary configuration information back to the NAS.

What Are the Characteristics of RADIUS?

Client/Server Model

RADIUS operates on a standard client/server model, offering excellent scalability and enabling centralized management of user information.

RADIUS Client

RADIUS clients typically reside on NAS devices deployed throughout the network. These clients are responsible for transmitting user information to designated RADIUS servers and subsequently acting upon server responses (e.g., granting or denying user access). Key functions supported by the RADIUS client include:

  • Standard RADIUS protocol and extended attributes

  • RADIUS server status detection

  • Automatic failover to another RADIUS server

  • Retransmission of accounting packets stored in local buffers

RADIUS Server

RADIUS servers are commonly hosted on central computers or workstations to oversee user authentication and manage access to network services. These servers receive user connection requests, authenticate users, and return responses (e.g., granting or denying access) to the clients. A single RADIUS server can serve multiple RADIUS clients.

A typical RADIUS server maintains three essential databases:


  • Users: Stores user details (e.g., usernames, passwords, protocols, IP addresses).

  • Clients: Stores RADIUS client information (e.g., shared keys, IP addresses).

  • Dictionary: Stores RADIUS attributes and their descriptive values.

Secure Message Exchange Mechanism

Messages between the RADIUS client and server are protected with a shared key (the shared secret) configured on both sides. This key is combined with the packet contents and hashed with MD5 to produce the 16-octet Authenticator field that authenticates each RADIUS packet. On receipt, the peer recomputes the Authenticator; if it does not match, the packet is discarded. This is what protects the integrity and origin of the information exchanged between the RADIUS client and server.

Additionally, user passwords carried in RADIUS packets are encrypted with the shared key before transmission, so they are not exposed in cleartext on an untrusted network.

Scalability

RADIUS attributes within RADIUS packets carry the authentication, authorization, and accounting information. New attributes can be added without breaking existing implementations, which makes the protocol easy to extend.

How Does RADIUS Work?

RADIUS Authentication, Authorization, and Accounting

RADIUS supports the authentication, authorization, and accounting components within AAA. Because RADIUS predates the AAA framework, it combines authentication and authorization in a single exchange. Authentication and accounting, on the other hand, can be handled by separate RADIUS servers.

A RADIUS client device gathers user information (such as usernames and passwords) and transmits this data to a RADIUS server. The server validates the user based on this information and proceeds with authorization and accounting tasks. The process of information exchange among a user, RADIUS client, and RADIUS server is illustrated below:


  • The user initiates network access by sending a connection request containing a username and password to the RADIUS client.

  • RADIUS client forwards an Access-Request packet with the username and password to the RADIUS server.

  • The RADIUS server authenticates the user. If the credentials are valid, the server responds with an Access-Accept packet to the RADIUS client, granting access; because RADIUS combines authentication and authorization, this packet also carries the authorization details. If the credentials are invalid, the server replies with an Access-Reject packet to the RADIUS client, denying access.

  • The RADIUS client notifies the user of the authentication outcome.

  • Based on the authentication result, the RADIUS client either accepts or rejects the user's access request. If accepted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.

  • The RADIUS server replies with an Accounting-Response (Start) packet, commencing accounting procedures.

  • The user begins accessing network resources.

  • (Optional) Real-time accounting is supported: the RADIUS client periodically sends Accounting-Request (Interim-Update) packets to the server. This limits the accounting error if no Accounting-Request (Stop) packet is ever sent because a paid user went offline unexpectedly. The interval between Interim-Update packets is configured on the client.

  • (Optional) The RADIUS server responds with an Accounting-Response (Interim-Update) packet, conducting real-time accounting.

  • The user requests logout to terminate network access.

  • The RADIUS client transmits an Accounting-Request (Stop) packet to the RADIUS server.

  • The RADIUS server replies with an Accounting-Response (Stop) packet, halting accounting.

  • The RADIUS client notifies the user of the concluded network access, terminating their session.
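As an added worked example (constructed here, not code from the original page), the following Python builds the Access-Request of step 2 with a hidden User-Password and checks the Access-Accept of step 3 using the MD5 Response Authenticator described in the Secure Message Exchange section above. The shared secret, username and password passed to these functions are sample values; only the RFC 2865 encodings are relied on.

```python
import hashlib, hmac, os, struct

# Added example (not code from the page): an Access-Request/Access-Accept exchange
# showing RFC 2865 User-Password hiding and the MD5 Response Authenticator.

USER_NAME, USER_PASSWORD = 1, 2        # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the 2-octet TLV header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-octet chunks and XOR each chunk with
    MD5(secret + previous chunk); the first chunk uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: undo hide_password() chunk by chunk, then drop the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(secret: bytes, ident: int, user: bytes, password: bytes, request_auth: bytes = b"") -> bytes:
    """Client side. The Request Authenticator is a fresh random value, not a keyed hash."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose Authenticator does not recompute is discarded."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])
```

A wrong shared secret on either side shows up as a failed Authenticator check on the client or an unreadable password on the server, which is why the secret must match on both devices.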

RADIUS Dynamic Authorization

RADIUS supports the Change of Authorization (CoA) function. After a user is successfully authenticated, the RADIUS server can modify the permissions of the online user dynamically. CoA packets include CoA-Request, CoA-ACK, and CoA-NAK packets, which are used for dynamic authorization requests, dynamic authorization acceptances, and dynamic authorization rejections, respectively. The diagram below illustrates the CoA packet exchange process.


  • The RADIUS server sends a CoA-Request packet to the RADIUS client based on service information, requesting the client to modify user authorization information. This packet may include authorization details such as ACLs.

  • Upon receiving the CoA-Request packet, the RADIUS client matches it against the user information stored locally to identify the user. If the match is successful, the RADIUS client proceeds to modify the user's authorization information. Otherwise, it retains the user's original authorization settings.

  • The RADIUS client responds with either a CoA-ACK or a CoA-NAK packet: if the authorization information was modified successfully, the client sends a CoA-ACK packet to the RADIUS server; if the modification failed, it sends a CoA-NAK packet.

Unlike the authentication and accounting exchanges, which the RADIUS client initiates, CoA is initiated by the RADIUS server: it sends the CoA-Request to the RADIUS client, which answers with CoA-ACK (on success) or CoA-NAK (on failure).

Logging Out Users Through RADIUS

RADIUS also supports the Disconnect Message (DM) function. Once a user is online, an administrator can forcibly disconnect the user from the RADIUS server by sending a Disconnect-Request packet. DMs are categorized into three types: Disconnect-Request, Disconnect-ACK, and Disconnect-NAK, representing the user logout request packet, user logout request acceptance packet, and user logout request rejection packet, respectively. The diagram below illustrates the DM exchange process.


  • An administrator initiates a user logout on the RADIUS server. Subsequently, the RADIUS server sends a Disconnect-Request packet to the RADIUS client, instructing it to disconnect the user.

  • Upon receiving the Disconnect-Request packet, the RADIUS client verifies the packet against its local user information to identify the user. If successful, the client terminates the user's session. Otherwise, the user remains logged in.

  • The RADIUS client responds with either a Disconnect-ACK or a Disconnect-NAK packet: if the user was logged out successfully, the client sends a Disconnect-ACK packet to the RADIUS server; if the user could not be logged out, it sends a Disconnect-NAK packet.

Unlike the authentication and accounting exchanges, which the RADIUS client initiates, both CoA and DM are initiated by the RADIUS server: for DM it sends a Disconnect-Request to the RADIUS client, which replies with Disconnect-ACK (on success) or Disconnect-NAK (on failure).

How Does RADIUS Ensure Transmission Reliability?

RADIUS employs UDP for real-time data transmission. However, under poor network conditions, UDP usage may lead to packet loss during transmission. To enhance data transmission reliability, RADIUS supports backup server and retransmission mechanisms.

Backup RADIUS Server Mechanism

In large networks, multiple RADIUS servers are typically deployed to ensure uninterrupted user access in case of server failures. Additionally, these servers can balance the load of numerous users accessing the network, thus preventing any single server from becoming overloaded. When multiple servers are configured within a RADIUS server group, a RADIUS client can select a server based on either a master/backup or load balancing algorithm when sending packets.

Master/Backup Mode

A RADIUS server group can include one master server and zero, one, or more backup servers. When the client receives an AAA request, it first checks whether the master server exists and is operational (Up state); if so, it sends the request to the master server. Otherwise, it sends the request to the first available backup server.

Load Balancing Mode

In load balancing mode, user traffic is evenly distributed among multiple RADIUS servers to expedite processing of user requests. Utilizing a load balancing algorithm, the RADIUS client assigns authentication or accounting packets to servers based on configured weights for RADIUS authentication or accounting servers.

RADIUS Packet Retransmission Mechanism

During user authentication, if a RADIUS client does not receive a response packet from the server within a specified timeout period due to network issues, it employs a retransmission mechanism. The client retransmits the request packet to the same server a designated number of times. If no response is received, the client redirects the request to an alternative server, regardless of the operational mode (master/backup or load balancing). Configuration options for retransmission attempts and timeout periods are available for server groups and their respective servers on the RADIUS client.
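The following Python is an added simulation of the master/backup selection and retransmission logic described in this section; it is not a vendor's implementation. The server addresses, the retry and timeout settings and the transport callback (which returns None to model a timeout) are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Added example (not a vendor's code): simulation of master/backup selection
# and per-server retransmission; addresses and transport are constructed.

@dataclass
class RadiusServer:
    address: str
    up: bool = True        # Up/Down state kept by server status detection
    timeouts: int = 0      # consecutive unanswered requests

@dataclass
class ServerGroup:
    master: RadiusServer
    backups: List[RadiusServer] = field(default_factory=list)
    retransmit: int = 3    # attempts per server before moving on
    timeout_s: float = 5.0 # wait per attempt, handed to the transport

    def select(self) -> Optional[RadiusServer]:
        """Master/backup mode: the master if Up, else the first Up backup."""
        if self.master.up:
            return self.master
        return next((b for b in self.backups if b.up), None)

# transport(address, request, timeout) returns the reply, or None on timeout
Transport = Callable[[str, bytes, float], Optional[bytes]]

def send_with_failover(group: ServerGroup, request: bytes, transport: Transport):
    """Retransmit to the selected server up to group.retransmit times; when it
    stays silent, mark it Down and fall over to the next Up server. Returns
    (reply, address) on success, or (None, None) once no Up server is left."""
    while (server := group.select()) is not None:
        for _ in range(group.retransmit):
            reply = transport(server.address, request, group.timeout_s)
            if reply is not None:
                server.timeouts = 0
                return reply, server.address
            server.timeouts += 1
        server.up = False  # exhausted retries: treat the server as Down
    return None, None
```

Once the master is marked Down, later requests go straight to the backup; a real client would also probe the Down server and restore it to Up when it answers again.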
