Forest Network

RADIUS

By shellatreille | returnsyourgazeart | 28 Nov 2020


This is a paper that I wrote in Spring 2020 for my Wireless Networking Class.

RADIUS (Remote Authentication Dial-In User Service) is made up of protocol components.  It is used in roaming.  It is also used in realms.  RADIUS is a network protocol and tool.  It is used to manage users’ and devices’ access to networks.  It helps to increase network security and network control (Lujan, 2018). 

RADIUS provides AAA (Authentication, Authorization, Accounting) services for users and devices when they connect to networks.  Users and devices will be challenged by NAS (Network Access Server).  NAS will ask for credentials when the client tries to connect to the network.  RADIUS controls the client / server model for authenticating user’s and device’s network access.  A user’s or device’s request for network access will be sent from the client.  The client could be a user’s system or a Wi-Fi AP (Access Point).  The client’s request will be sent to a RADIUS server.  The RADIUS server will provide the authentication for network access (Lujan, 2018).  

The RADIUS server will gather the information that is transmitted by NAS.  This information can be used for accounting.  It can also provide reports on network activity.  The RADIUS client will transmit information to the destination RADIUS servers when the user logs on and logs off.  The RADIUS client can also transmit other information on usage while the session is in progress.  Accounting requests are sent by the client to the server to record the log on, log off, and usage information (Batchelor, Satran, & Jacobs, 2018). 

NAS functions as a client of a server.  It supports the RADIUS protocol and is called a RADIUS server.  The NAS, or RADIUS client, will send information about the user to the intended RADIUS servers.  It will then act on the response that is returned.  This user authentication process is the authentication request.  If the user’s credentials are successfully authenticated by the RADIUS server, then it will return the configuration information to NAS so that the user can access the network.  The configuration information is made up of authorizations.  It also contains the type of service NAS can give to the user.  During the time that the RADIUS server is processing the authentication request, it can perform other authorization functions, which include verifying to see if the user already has an open session in progress.  The RADIUS server contacts a state server to detect if an open session is in progress (Batchelor et al., 2018). 

RADIUS servers are usually paired with a separate core identity provider database, such as directory services.  The provider database will be the truth source for user’s and device’s identities.  When a user or device tries to access a network that’s protected by RADIUS, they will be asked to provide their unique credentials.  These credentials will be compared with their identities that are stored in the provider database.  The user’s or device’s credentials will travel from the client to a RADIUS server.  The user’s or device’s credentials travel over a supplicant.  A supplicant is a program that makes login requests to try and connect to a network (Lujan, 2018).  

The user’s device will send credentials and authentication requests over the supplicant to a networking device that is backed by a RADIUS.  This networking device forwards the authentication requests to the RADIUS server.  The RADIUS server will provide authentication.  When the RADIUS server receives the user’s request for authentication, along with their credentials, it will compare the credentials with the appropriate provider database.  Valid authorizations will be accepted and sent back to the RADIUS client only if the credentials match the user’s or device’s information that’s stored within the provider database.  Valid authorizations are sent to the RADIUS client.  Whenever the authorizations are valid, the network connection will be established.  Whenever authorizations are invalid, a rejection notice is sent.  Authorizations can also be challenged (Lujan, 2018).

RADIUS is used in roaming.  It assists with roaming between ISPs (Internet Service Providers).  Independent organizations that collaborate with other organizations and issue their credentials to users and allow visitors from one of the collaborating organizations to be authenticated by their home organization will use RADIUS and roaming.  An example of this is Eduroam, which is the wireless network used at Salt Lake Community College.  It is also used by organizations that provide one global set of credentials that can be used on many public networks.  RADIUS makes roaming possible with realms.  Realms will pinpoint where the RADIUS server should forward the AAA requests to be processed (RADIUS, 2020). 

A realm can use postfix notation, which means that the realm is attached to a username and has an @ sign, like an email address domain name.  It can also use prefix notation, which means that the realm is prepended to the username and uses a backward slash (\).  RADIUS servers will permit any character to be used, but the two most common are the @ sign and the backward slash (\).  Realms can use prefix and postfix notation simultaneously, which permits complex roaming situations.  An example of a username with two realms using a complex roaming situation would be somedomain.com\[email protected].  Realms are arbitrary text.  They don’t need to contain actual domain names (RADIUS, 2020). 

Whenever the RADIUS server receives an AAA request for a username that contains a realm, the server reviews a table containing a list of configured realms.  If the realm is listed in the table, then the server will proxy the request to the configured home server for that domain.  The proxying server’s behavior with regards to removing the realm from the request depends on the server’s configuration.  The proxying server can add, remove, or rewrite AAA requests when they are proxied again at another time (RADIUS, 2020). 

Proxy Chaining can be performed.  Authentication, authorization, and accounting packets are typically sent between NAS and a home server through a sequence of proxies.  Proxy chains can improve scalability, implement policies, and make capability modifications.  RADIUS is lacking in end to end security.  When roaming is used with RADIUS, users are subjected to security and privacy risks.  There are some roaming partners that create a secure tunnel between the RADIUS servers to make sure that credentials won’t be captured while they are proxied across the Internet (RADIUS, 2020).

NPS (Network Policy Server) supports the RADIUS protocol.  An authenticating client, or user, will connect to NAS over a dial-up connection, using PPP (Point-to-Point Protocol).  For the user to go through the authentication process, NAS will contact a remote server that runs NPS.  The NAS and NPS server will communicate using the RADIUS protocol.  A RADIUS server can be a proxy client to other RADIUS servers.  The RADIUS server that is contacted by NAS will transmit the authentication or accounting request to a different RADIUS server.  This other RADIUS server will perform the authentication or accounting job (Batchelor et al., 2018).  RADIUS is made up of AAA protocol components.  It is used in roaming and realms.  RADIUS manages users’ and devices’ access to networks.  It increases network security and network control (Lujan, 2018). 

References

Batchelor, D., Satran, M., & Jacobs, M. (2018, May 31). RADIUS Authentication, Authorization, and

Accounting. Retrieved from Microsoft Windows Dev Center:

https://docs.microsoft.com/en-us/windows/win32/nps/ias-radius-authentication-and-accounting

 

Lujan, V. (2018, May 22). What is the RADIUS Protocol? [Blog Post]. Retrieved from JumpCloud:

https://jumpcloud.com/blog/what-is-the-radius-protocol/#cookie-accept

RADIUS. (2020, February 20). Wikipedia. Retrieved from https://en.wikipedia.org/wiki/RADIUS

How do you rate this article?

1


shellatreille
shellatreille

Artist, Photographer, Writer, Creative Innovator, Website / Graphic Designer, & Human Resources Manager in Orem, Utah. I enjoy learning new things, traveling to historic, paranormal, & abandoned places, rock hounding, museums, technology, & the abstract.


returnsyourgazeart
returnsyourgazeart

This blog will showcase my photography, art, short stories, poetry, and recipes. It will be abstract and colorful. My website: www.ReturnsYourGazeArt.com and www.shellatreille.com

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.