RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force (IETF) standards.

Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.

RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server. The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server. RADIUS serves three functions:
  1. to authenticate users or devices before granting them access to a network,
  2. to authorize those users or devices for certain network services and
  3. to account for usage of those services.

AAA

RADIUS servers use the AAA concept to manage network access in the following two-step process, also known as an "AAA transaction". AAA stands for “authentication, authorization and accounting”. Authentication and Authorization characteristics in RADIUS are described in RFC 2865 while Accounting is described by RFC 2866.

Authentication and authorization

The user or machine sends a request to a Remote Access Server (RAS) to gain access to a particular network resource using access credentials. The credentials are passed to the RAS device via the link-layer protocol - for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the RAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the RAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the RAS.

The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources - commonly SQL, Kerberos, LDAP, or Active Directory servers - to verify the user's credentials.
The RADIUS server then returns one of three responses to the NAS: 1) Access Reject, 2) Access Challenge or 3) Access Accept.
  • Access Reject - The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
  • Access Challenge - Requests additional information from the user such as a secondary password, PIN, token or card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the RAS.
  • Access Accept - The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorised to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source like LDAP or Active Directory.

Each of these three RADIUS responses may include a Reply-Message attribute which may give a reason for the rejection, the prompt for the challenge, or a welcome message for the accept. The text in the attribute can be passed on to the user in a return web page.

Authorization attributes are conveyed to the RAS stipulating terms of access to be granted.
For example, the following authorization attributes may be included in an Access-Accept.
  • The specific IP address to be assigned to the user
  • The address pool from which the user's IP should be chosen
  • The maximum length that the user may remain connected
  • An access list, priority queue or other restrictions on a user's access
  • L2TP parameters
  • VLAN parameters
  • Quality of Service (QoS) parameters

Accounting

Accounting is described in RFC 2866.

When network access is granted to the user by the NAS, an Accounting Start (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "start") is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.

Periodically, Interim Update records (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "interim-update") may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage.

Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record (a RADIUS Accounting Request packet containing an Acct-Status-Type attribute with the value "stop") to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.

Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.

The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.

Roaming

RADIUS is commonly used to facilitate roaming between ISPs, for example:
  • by companies which provide a single global set of credentials that are usable on many public networks;
  • by independent, but collaborating, institutions issuing their own credentials to their own users, that allow a visitor from one to another to be authenticated by their home institution, such as in Eduroam.


RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.

Realms

A realm is commonly appended to a user's user name and delimited with an '@' sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using '\' as a delimiter.
Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '\' are usually used.

Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms.

Although realms often resemble domains, it is important to note that realms are in fact arbitrary text and need not contain real domain names.

Proxy operations

When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behaviour of the proxying server regarding the removal of the realm from the request ("stripping") is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied.
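
The realm handling and proxy lookup described above, as an added example that is not part of the original article or of any RADIUS server's code. The realm table, the home-server addresses, the postfix-before-prefix precedence, the case-insensitive match and the "unknown realm is handled locally" rule are all assumptions made for illustration.

```python
# Constructed realm table: realm -> where to proxy and whether to strip.
REALM_TABLE = {
    "anotherdomain.com": {"home_server": "198.51.100.10", "strip": True},
    "somedomain.com": {"home_server": "203.0.113.20", "strip": False},
}


def split_realms(user_name, prefix_delim="\\", postfix_delim="@"):
    """Split a User-Name into (prefix_realm, user, postfix_realm).

    Either realm is None when its delimiter is absent. The postfix realm is
    taken from the last '@', the prefix realm from the first '\\'.
    """
    prefix = postfix = None
    rest = user_name
    if postfix_delim in rest:
        rest, postfix = rest.rsplit(postfix_delim, 1)
    if prefix_delim in rest:
        prefix, rest = rest.split(prefix_delim, 1)
    return prefix, rest, postfix


def route(user_name, table=REALM_TABLE):
    """Return (home_server, user_name_to_forward) for an AAA request.

    home_server is None when no configured realm matches, meaning the
    request is processed locally (assumption of this example).
    """
    prefix, _user, postfix = split_realms(user_name)
    # Assumed precedence: try the postfix realm first, then the prefix realm.
    for realm, kind in ((postfix, "postfix"), (prefix, "prefix")):
        entry = table.get(realm.lower()) if realm else None
        if entry is None:
            continue
        forwarded = user_name
        if entry["strip"]:
            # Remove only the realm that was matched, so a compound name
            # still carries its remaining realm to the next hop.
            if kind == "postfix":
                forwarded = user_name.rsplit("@", 1)[0]
            else:
                forwarded = user_name.split("\\", 1)[1]
        return entry["home_server"], forwarded
    return None, user_name


if __name__ == "__main__":
    for name in ("somedomain.com\\username@anotherdomain.com",
                 "somedomain.com\\username", "bob@unknown.example", "carol"):
        print(name, "->", route(name))
```

Because realms are arbitrary text, the lookup is a plain table match and involves no DNS resolution.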

Security

Roaming with RADIUS exposes the users to various security and privacy concerns. More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users' credentials cannot be intercepted while being proxied across the internet. This is a concern as the MD5 hash built into RADIUS is considered insecure.

Packet structure

The RADIUS packet data format is shown to the right. The fields are transmitted from left to right, starting with the code, the identifier, the length, the authenticator and the attributes.

RADIUS Codes (decimal) are assigned as follows:
Code Assignment
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
255 Reserved


The Identifier field aids in matching requests and replies.

The Length field indicates the length of the entire RADIUS packet including the Code, Identifier, Length, Authenticator and optional Attribute fields.

The Authenticator is used to authenticate the reply from the RADIUS server, and is used in encrypting passwords; its length is 16 bytes.

Attribute value pairs

The RADIUS Attribute Value Pairs (AVP) carry data in both the request and the response for the authentication, authorization, and accounting transactions. The length of the RADIUS packet is used to determine the end of the AVPs.
AVP Type Assignment
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40 Acct-Status-Type
41 Acct-Delay-Time
42 Acct-Input-Octets
43 Acct-Output-Octets
44 Acct-Session-Id
45 Acct-Authentic
46 Acct-Session-Time
47 Acct-Input-Packets
48 Acct-Output-Packets
49 Acct-Terminate-Cause
50 Acct-Multi-Session-Id
51 Acct-Link-Count
52-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
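
A parser for the packet layout and AVP list described above, as an added example that is not part of the original article. It assumes the RFC 2865 encoding (20-byte header, each attribute as one type byte, one length byte that counts itself and the type byte, then the value), and the sample packet is constructed.

```python
import struct

# Names from the code and AVP tables above (subset, for display only).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         5: "NAS-Port", 18: "Reply-Message", 26: "Vendor-Specific",
         40: "Acct-Status-Type", 44: "Acct-Session-Id"}

HEADER_LEN = 20    # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_PACKET = 4096  # largest packet RFC 2865 allows


class MalformedPacket(ValueError):
    """Raised for datagrams a receiver should drop instead of processing."""


def build_packet(code, identifier, authenticator, attrs):
    """Serialise a packet from (type, value-bytes) pairs; used for the sample."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_packet(datagram):
    """Validate the header, then walk the AVPs up to the Length field."""
    if len(datagram) < HEADER_LEN:
        raise MalformedPacket("shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= MAX_PACKET:
        raise MalformedPacket("Length field out of range")
    if length > len(datagram):
        raise MalformedPacket("datagram shorter than its Length field")
    # The Length field, not the datagram size, marks the end of the AVPs;
    # any bytes after it are padding and are ignored.
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise MalformedPacket("dangling byte after last attribute")
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise MalformedPacket("attribute %d overruns the packet" % a_type)
        name = ATTRS.get(a_type, "Attr-%d" % a_type)
        attrs.append((name, datagram[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, "Code-%d" % code),
            "identifier": identifier,
            "length": length,
            "authenticator": datagram[4:HEADER_LEN],
            "attributes": attrs}


# Constructed sample: an Access-Request with two known attributes, one
# unknown attribute type, and two bytes of trailing padding.
SAMPLE = build_packet(1, 7, bytes(range(16)),
                      [(1, b"alice"), (5, struct.pack("!I", 3)), (99, b"x")]
                      ) + b"\x00\x00"

if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```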

Vendor-specific attributes

RADIUS is extensible; many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes (VSAs). Microsoft has published some of their VSAs. VSA definitions from many other companies remain proprietary and/or ad-hoc.

UDP port numbers

RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially and became the default ports assigned by many RADIUS Client/Server implementations of the time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason many RADIUS Server implementations monitor both sets of UDP ports for RADIUS requests. Microsoft RADIUS servers default to 1812 and 1813. Cisco RADIUS servers listen on RADIUS ports UDP 1645 and UDP 1812 for authentication; on ports 1646 and 1813 for accounting and can be configured with non-standard ports. Juniper Networks' RADIUS servers listen on both unofficial and official ports 1645, 1812, 1646 and 1813 by default but can be configured with arbitrary ports.

Security

The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. Because this particular implementation is not considered to be a very strong protection of the user's credentials, additional protection - such as IPsec tunnels or physically secured data-center networks - should be used to further protect the RADIUS traffic between the NAS device and the RADIUS server. Additionally, the user's security credentials are the only part protected by RADIUS itself, yet other user-specific attributes such as tunnel-group IDs or VLAN memberships passed over RADIUS may be considered sensitive (helpful to an attacker) or private (sufficient to identify the individual client) information as well. The RadSec protocol claims to solve aforementioned security issues.
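
How the shared secret and MD5 are used, as an added example that is not part of the original article. It follows the User-Password hiding and Response Authenticator calculations of RFC 2865, which the article references but does not spell out. The secret, Request Authenticator and reply attributes are constructed values.

```python
import hashlib
import hmac
import struct


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """NAS side: obfuscate the User-Password value (RFC 2865 section 5.2)."""
    if len(password) > 128 or len(request_auth) != 16:
        raise ValueError("password over 128 bytes or bad authenticator size")
    blocks = max(1, -(-len(password) // 16))       # ceil, at least one block
    padded = password.ljust(blocks * 16, b"\x00")  # pad with NULs to 16n
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(secret + previous ciphertext block); the
        # first block uses the 16-byte Request Authenticator instead.
        keystream = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], keystream)
        hidden += prev
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side: invert hide_password using the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def sign_response(code, identifier, attributes, request_auth, secret):
    """Server side: build a reply whose Authenticator field is
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_auth, secret):
    """NAS side: accept a reply only if its Authenticator matches."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
REPLY_ATTRS = bytes([18, 9]) + b"welcome"   # Reply-Message (type 18)

if __name__ == "__main__":
    hidden = hide_password(b"correct horse battery", SECRET, REQUEST_AUTH)
    print(hidden.hex(), reveal_password(hidden, SECRET, REQUEST_AUTH))
    reply = sign_response(2, 7, REPLY_ATTRS, REQUEST_AUTH, SECRET)
    print(verify_response(reply, REQUEST_AUTH, SECRET))
```

Only the password value goes through this transformation; the Reply-Message bytes in the signed reply are carried as-is, which matches the article's point that other attributes are not protected by RADIUS itself.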

RADIUS history

RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866).

Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring and keep-alive checking of a RADIUS server. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).

The Diameter protocol is the planned replacement for RADIUS. Diameter uses SCTP or TCP while RADIUS uses UDP as the transport layer.

RFCs

The RADIUS protocol is currently defined in the following IETF RFCs. Obsolete RFCs are indicated with strikethrough text.
# Title Date published Related article Obsoleted by Notes
RFC 2058 Remote Authentication Dial In User Service (RADIUS) January 1997 RADIUS RFC 2138
RFC 2059 RADIUS Accounting January 1997 RADIUS RFC 2139
RFC 2138 Remote Authentication Dial In User Service (RADIUS) April 1997 RADIUS RFC 2865
RFC 2139 RADIUS Accounting April 1997 RADIUS RFC 2866
RFC 2548 Microsoft Vendor-specific RADIUS Attributes March 1999 RADIUS
RFC 2607 Proxy Chaining and Policy Implementation in Roaming June 1999
RFC 2618 RADIUS Authentication Client MIB Management information base RFC 4668
RFC 2619 RADIUS Authentication Server MIB Management information base RFC 4669
RFC 2620 RADIUS Accounting Client MIB June 1999 Management information base RFC 4670
RFC 2621 RADIUS Accounting Server MIB June 1999 Management information base RFC 4671
RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS April 2000
RFC 2865 Remote Authentication Dial In User Service (RADIUS) June 2000 RADIUS Updated by: RFC 2868, RFC 3575, RFC 5080
RFC 2866 RADIUS Accounting June 2000 RADIUS
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support June 2000 RADIUS Updates RFC 2866
RFC 2868 RADIUS Attributes for Tunnel Protocol Support June 2000 Updates RFC 2865
RFC 2869 RADIUS Extensions June 2000 updated by RFC 3579, RFC 5080
RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices July 2000
RFC 3162 RADIUS and IPv6 August 2001
RFC 3575 IANA Considerations for RADIUS July 2003
RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003 RFC 5176
RFC 3579 RADIUS Support for EAP September 2003 Extensible Authentication Protocol Updates: RFC 2869
RFC 3580 IEEE 802.1X RADIUS Usage Guidelines September 2003 802.1X 
RFC 4014 RADIUS Attributes Suboption for the DHCP Relay Agent Information Option February 2005
RFC 4372 Chargeable User Identity January 2006
RFC 4590 RADIUS Extension for Digest Authentication July 2006 RFC 5090
RFC 4668 RADIUS Authentication Client MIB for IPv6 August 2006 Management information base
RFC 4669 RADIUS Authentication Server MIB for IPv6 August 2006 Management information base
RFC 4670 RADIUS Accounting Client MIB for IPv6 August 2006 Management information base
RFC 4671 RADIUS Accounting Server MIB for IPv6 August 2006 Management information base
RFC 4675 RADIUS Attributes for Virtual LAN and Priority Support September 2006
RFC 4679 DSL Forum Vendor-Specific RADIUS Attributes September 2006
RFC 4818 RADIUS Delegated-IPv6-Prefix Attribute April 2007
RFC 4849 RADIUS Filter Rule Attribute April 2007
RFC 5080 Common RADIUS Implementation Issues and Suggested Fixes December 2007 Updates RFC 3579
RFC 5090 RADIUS Extension for Digest Authentication February 2008
RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008
RFC 5607 RADIUS Authorization for NAS Management July 2009
RFC 5997 Use of Status-Server Packets in the RADIUS Protocol August 2010 Updates RFC 2866

See also

  • 802.1X
  • Diameter (protocol)
  • Kerberos (protocol)
  • Security Assertion Markup Language
  • TACACS
  • TACACS+

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 