to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before
transmitting them.
A RADIUS server supports multiple user authentication methods. Moreover, a RADIUS server can act as the
client of another AAA server to provide authentication proxy services.
Basic message exchange process of RADIUS
a illustrates the interaction of the host, the RADIUS client, and the RADIUS server.
a. Basic message exchange process of RADIUS
RADIUS operates in the following manner:
Table 122 The host initiates a connection request that carries the user’s username and password to the
RADIUS client.
Table 123 After receiving the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest
5 (MD5) algorithm and the shared key.
Table 124 The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept message containing the user’s authorization information. If the
authentication fails, the server returns an Access-Reject message.
Table 125 The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
Table 126 The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
Table 127 The user accesses the network resources.
Table 128 The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
To Next Page
Loading...
