RADIUS (Remote Authentication Dial-In User Service)

RADIUS is a security service for authenticating and authorizing dial-up users. A typical enterprise network has an access server attached to a modem pool, along with a RADIUS server that provides authentication services. Remote users dial into the access server, and the access server forwards authentication requests to the RADIUS server. The RADIUS server authenticates users and authorizes access to internal network resources. Remote users are clients of the access server, and the access server is in turn a client of the RADIUS server.

RADIUS was originally developed by Livingston Enterprises for its PortMaster series of network access servers. Lucent Technologies bought Livingston in October 1997 and now claims the software was "invented by the Remote Access Business Unit of Lucent Technologies in 1992." The remainder of this topic draws on RADIUS descriptions provided by Lucent. Note that RADIUS is an open protocol and is distributed as source code. It is defined in Internet RFCs; see "NAS (Network Access Server)" for related RFCs.
Because RADIUS is open, it can be adapted to work with third-party security products or proprietary security systems. Any access server that supports the RADIUS client protocol can communicate with a RADIUS server. RADIUS is often referred to as RADIUS AAA, referring to its authentication, authorization, and accounting functions. "Accounting" refers to the ability of RADIUS to gather information about user sessions that can be processed for billing and network analysis. The basic RADIUS authentication system uses its own user database, but other sources of user information include UNIX password files, Sun's NIS (Network Information Service), and directories that can be accessed via LDAP (Lightweight Directory Access Protocol).

The most important feature of RADIUS is its distributed security model: the communication server (access server or NAS) is separate from the authentication server. This approach is more scalable and more secure, because user credentials are kept off the access servers at the edge of the network; each access server holds only a shared secret that it uses to authenticate its exchanges with the RADIUS server. The user account information is stored on a central RADIUS server that can be accessed by any number of access servers. This distributed approach is essential for large ISPs that handle hundreds or thousands of dial-up accounts from multiple access servers. Note that RADIUS runs over UDP and that, apart from the User-Password attribute, which is obfuscated with MD5 and the shared secret, its packets travel in cleartext, so both the shared secret and the network path between the access server and the RADIUS server need to be protected.

An example is pictured in Figure R-1. [Figure R-1: access server and RADIUS server in a distributed configuration] Note how the access server is separated from the RADIUS server in a distributed configuration. Access servers typically support dial-up asynchronous or ISDN connections. The access servers talk to the RADIUS servers via the RADIUS protocol, which is outlined in the RFCs mentioned above. The RADIUS authentication mechanism works as follows:
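The step list from the original entry is not reproduced on this page. As an added example (not part of the original entry and not Lucent's code), the following Python script implements the core of the exchange as RFC 2865 defines it: the access server builds an Access-Request carrying User-Name and a User-Password hidden with an MD5 chain over the shared secret and a random Request Authenticator; the RADIUS server recovers the password, checks it against its user database, and replies with Access-Accept or Access-Reject carrying a Response Authenticator (an MD5 over the reply and the shared secret); the access server verifies that authenticator before trusting the reply. The shared secret, the user database, the NAS address 192.0.2.10 and any fixed Request Authenticator are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

# Constructed sample values for the demonstration (not real credentials).
SECRET = b"nas-and-server-shared-secret"
USER_DB = {"alice": "correct horse battery staple"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with an MD5 chain
    keyed on the shared secret; the first block uses the Request Authenticator."""
    block_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(block_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, block_len, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform; the chain is keyed on received blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: one-byte type, one-byte length (header included), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, identifier, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side. Only User-Password is hidden; every other attribute is cleartext."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable, per RFC 2865
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request, secret, user_db):
    """RADIUS server side: recover the password, check it, answer Accept or Reject."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    username = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in user_db and hmac.compare_digest(password, user_db[username].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = [(REPLY_MESSAGE, b"Welcome" if ok else b"Access denied")]
    auth = response_authenticator(reply_code, identifier, request_auth, reply_attrs, secret)
    return build_packet(reply_code, identifier, auth, reply_attrs)


def verify_response(response, request_auth, secret):
    """NAS side: accept a reply only if its Response Authenticator checks out."""
    code, identifier, auth, attrs = parse_packet(response)
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected), code
```

Two points the code makes concrete: the User-Password transform is reversible by anyone who holds the shared secret and sees the packet, so it is obfuscation rather than encryption against a network eavesdropper who has the secret; and the Response Authenticator is the only thing binding an Access-Accept to the request that triggered it, which is why a reply computed with a different secret, or altered in transit, is refused by verify_response. The Message-Authenticator attribute of RFC 2869 (an HMAC-MD5 over the whole packet, not shown here) strengthens this and is what a production deployment should require.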
If a user is validated and an acknowledgment is sent, additional information about the user may be sent as well, such as link requirements and/or policy information that defines service levels for the user. Filters may also be included to restrict access to parts of the network.

Lucent's PortAuthority family of RADIUS servers extends RADIUS with plug-in modules that implement specific policies. PortAuthority implements policies with what it calls the PolicyFlow architecture. The plug-ins, which are Java class files, can be chained together in a building-block approach, and PolicyFlow defines and manages policy administration across the modules. For example, an ISP running PortAuthority can switch from a UNIX password file to a system that stores user data in an LDAP-accessible directory without having to make an immediate migration.

The IETF is evolving RADIUS with its new DIAMETER protocol, which expands on RADIUS with new features, such as the ability to ask for additional logon information beyond the basic authentication, support for roaming users, and the ability to exchange user accounting information among different ISPs. See "DIAMETER" and "Roaming." Also see "Accounting on the Internet."

Several topics describe environments in which RADIUS is used. See "Internet Architecture and Backbone" and refer to the section "PoPs and Internet Data Center." Also see "PoP (Point of Presence)" and "L2TP (Layer 2 Tunneling Protocol)."

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.