RADIUS Protocol is a protocol for carrying information related to authentication, authorization, and configuration between a Network Access Server that desires to authenticate its links and a shared Authentication Server.
- RADIUS stands for Remote Authentication Dial In User Service.
- RADIUS is an AAA protocol for applications such as Network Access or IP Mobility.
- It works in both situations, Local and Mobile.
- It uses Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) protocols to authenticate users.
- It look in text file, LDAP Servers, Database for authentication.
- After authentication services parameters passed back to NAS.
- It notifies when a session starts and stop. This data is used for Billing or Statistics purposes.
- SNMP is used for remote monitoring.
- It can be used as a proxy.
- RADIUS is a client/server protocol that runs in the application layer, using UDP as transport.
- The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.
- RADIUS is often the backend of choice for 802.1X authentication as well.
- RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.
- RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866).
- The RADIUS specification RFC 2865 obsoletes RFC 2138. The RADIUS accounting standard RFC 2866 obsoletes RFC 2139.
Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service. Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled devices rather than the transmission protocol.
RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
- User initiates PPP authentication to the NAS.
- NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]).
- User replies.
- RADIUS client sends username and encrypted password to the RADIUS server.
- RADIUS server responds with Accept, Reject, or Challenge.
- The RADIUS client acts upon services and services parameters bundled with Accept or Reject
- Transactions between a client and a server are authenticated through the use of a shared key. This key is never sent over the network.
- Password is encrypted before sending it over the network.
Flexible Authentication Mechanisms
Radius supports the following protocols for authentication purpose:
- Point-to-Point Protocol – PPP
- Password Authentication Protocol – PAP
- Challenge Handshake Authentication Protocol – CHAP
- Simple UNIX Login
- Radius is extensible; most vendors of Radius hardware and software implement their own dialects.
- Stateless protocol, using UDP, runs at port 1812.
Before the Client starts communicating with the Radius Server, it is required that the secret key is shared between the Client and the Server and the Client must be configured to use Radius server to get service.
Radius Codes (decimal) are assigned as follows:
- 1 Access-Request
- 2 Access-Accept
- 3 Access-Reject
- 4 Accounting-Request
- 5 Accounting-Response
- 11 Access-Challenge
- 12 Status-Server (experimental)
- 13 Status-Client (experimental)
- 255 Reserved
- No Keep Alive concept – Good or Bad??
Codes 4 and 5 are related to Radius Accounting Functionality. Codes 12 and 13 are reserved for possible use.
The packet format of Radius is as shown below:
- Code: This is 1 Octet (1 byte) long and identifies various types of packets. Normally 1 Octet means 1 Byte.
- Identifier: This is again 1 Octet long and aids in matching responses with requests.
- Length: This is 2 Octets long and specifies the length of the packet including code, identifier, length, and authenticator. (Min packet is 20 Octets and max is 4096 Octets).
- Authenticator: This is 16 Octets long and filled up in case of some requests and responses.
- List of Attributes: There is a list of 63+ attributes and a Radius attribute will also have a defined format which is described in next chapter.
A Radius attribute consists of the following three parts:
- Type: 1 Octet long, identifies various types of attributes. It is an attribute code listed below.
- Length: 1 Octet long, length of the attribute including Type.
- Value: 0 or more Octets long, contains information specific to attribute.
Radius Request Example
Let us have a look into a Radius Request example:
- The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named Nemo logging in on port 3 with password “arctangent”.
- The Request Authenticator is a 16 octet random number generated by the NAS.
- The User-Password is 16 octets padded at end with nulls, XORed with D5 (Shared Secret|Request Authenticator).
- 01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 01 10 05 06 00 00 00 03
- 1 Code = Access-Request (1)
- 1 Identifier = 0
- 2 Length = 56
- 16 Request Authenticator
- Attribute List
- 6 User-Name = “Nemo”
- 18 User-Password
- 6 NAS-IP-Address = 192.168.1.16
- 6 NAS-Port = 3
Radius Response Example
Here is an example of Response Packets:
- The Radius server authenticates Nemo and sends an Access-Accept UDP packet to the NAS telling it to telnet Nemo to host 192.168.1.3
- The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from above, the attributes in this reply, and the shared secret.
- 02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03
- 1 Code = Access-Accept (2)
- 1 Identifier = 0 (same as in Access-Request)
- 2 Length = 38
- 16 Response Authenticator
- Attribute List:
- 6 Service-Type (6) = Login (1)
- 6 Login-Service (15) = Telnet (0)
- 6 Login-IP-Host (14) = 192.168.1.3
Diameter is a planned replacement of RADIUS. It is an AAA protocol for applications such as network access and IP mobility. Listed below are a few points that you need to know about Diameter:
- It is intended to work in both local and roaming AAA situations.
- Diameter is just twice the predecessor protocol Radius.
- It uses TCP or SCTP and not UDP.
- It uses transport level security (IPSEC or TLS).
- It has 32 bit identifier instead of 8 bit.
- It supports stateless as well as stateful mode.
- It supports application layer acknowledgement, define failover.
- It offers better roaming support.
- It uses AVPs.
- Diameter allows to define new commands and attributes. It is easy to extend.
RADIUS Infrastructure Components
The following components are part of the RADIUS authentication, authorization, and accounting infrastructure:
An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or LAN clients connected to a switch.
Access Servers (RADIUS Clients)
An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server. The following are examples of access servers:
- Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server® 2003 and the Routing and Remote Access service and providing either traditional dial-up or virtual private network (VPN) services to an organization’s intranet.
- Wireless access points that provide physical layer access to an organization’s network, using wireless-based transmission and reception technologies.
- Switches that provide physical layer access to an organization’s network, using traditional LAN technologies, such as Ethernet.
A RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS Clients (and RADIUS Proxies) and RADIUS servers (or RADIUS proxies). The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server.
A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.
A RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS Clients or RADIUS Proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. Based on a set of rules and the information in the user account database, the RADIUS server either authenticates and authorizes the connection and sends back an Access-Accept message or sends back an Access-Reject message. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
User Account Databases
The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information.
The user account databases that NPS can use are the local Security Accounts Manager (SAM), a Microsoft Windows NT 4.0 domain, or Active Directory Domain Services (AD DS). For AD DS, NPS can provide authentication and authorization for user or computer accounts in the domain in which the NPS server is a member, two-way trusted domains, and trusted forests with domain controllers running Windows Server 2008; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for AD DS include untrusted forests, untrusted domains, or one-way trusted domains.
RADIUS is commonly used to facilitate roaming between ISPs, for example:
- by companies which provide a single global set of credentials that are usable on many public networks;
- by independent, but collaborating, institutions issuing their own credentials to their own users, that allow a visitor from one to another to be authenticated by their home institution, such as in eduroam.
RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.
A realm is commonly appended to a user’s user name and delimited with an ‘@’ sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using ‘\’ as a delimiter. Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice ‘@’ and ‘\’ are usually used.
Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example:
somedomain.com\email@example.com could be a valid username with two realms.
When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behavior of the proxying server regarding the removal of the realm from the request (“stripping”) is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied over time again.
Roaming with RADIUS exposes the users to various security and privacy concerns. More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users’ credentials cannot be intercepted while being proxied across the internet. This is a concern as the MD5 hash built into RADIUS is considered insecure.