7
AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS,
of which RADIUS is most often used.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction
protocol that uses a client/server model. It can protect networks against unauthorized access and is
often used in network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, including Ethernet and ADSL.
RADIUS provides access authentication, authorization, and accounting services. The accounting
function collects and records network resource usage information.
Client/server model
RADIUS clients run on NASs located throughout the network. NASs pass user information to
RADIUS servers, and determine to reject or accept user access requests depending on the
responses from RADIUS servers.
The RADIUS server runs on the computer or workstation at the network center and maintains
information related to user authentication and network access. It receives connection requests,
authenticates users, and returns access control information (for example, rejecting or accepting the
user access request) to the clients.
The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary.
See Figure 2.
Figure 2
RADIUS server databases
• Users—Stores user information, such as usernames, passwords, applied protocols, and IP
addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and
encrypt user passwords exchanged between them. For security purposes, this key must be manually
configured on the client and the server.
RADIUS servers support multiple authentication protocols, including PPP PAP and CHAP. A
RADIUS server can also act as the client of another AAA server to provide authentication proxy
services.
Basic RADIUS message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
RADIUS servers
Users Clients Dictionary
To Next Page
Loading...
Need help?
General
