1-3
Introduction to AAA Services
Introduction to RADIUS
AAA is a management framework. It can be implemented by not only one protocol. But in practice, the
most commonly used service for AAA is RADIUS.
What is RADIUS
RADIUS (remote authentication dial-in user service) is a distributed service based on client/server
structure. It can prevent unauthorized access to your network and is commonly used in network
environments where both high security and remote user access service are required.
The RADIUS service involves three components:
z Protocol: Based on the UDP/IP layer, RFC 2865 and 2866 define the message format and
message transfer mechanism of RADIUS, and define 1812 as the authentication port and 1813 as
the accounting port.
z Server: RADIUS Server runs on a computer or workstation at the center. It stores and maintains
user authentication information and network service access information.
z Client: RADIUS Client runs on network access servers throughout the network.
RADIUS operates in the client/server model.
z A switch acting as a RADIUS client passes user information to a specified RADIUS server, and
takes appropriate action (such as establishing/terminating user connection) depending on the
responses returned from the server.
z The RADIUS server receives user connection requests, authenticates users, and returns all
required information to the switch.
Generally, a RADIUS server maintains the following three databases (see
Figure 1-2):
z Users: This database stores information about users (such as user name, password, protocol
adopted and IP address).
z Clients: This database stores information about RADIUS clients (such as shared key).
z Dictionary: The information stored in this database is used to interpret the attributes and attribute
values in the RADIUS protocol.
Figure 1-2 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or
accounting proxy service.
Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are
verified through a shared key. This enhances the security. The RADIUS protocol combines the
authentication and authorization processes together by sending authorization information along with
To Next Page
Loading...