RADIUS cisco

RADIUS

The Remote Authentication Dial In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol. Although many RFCs are available on RADIUS, the main specification can be found in RFC 2058, which was made obsolete by RFC 2865. The RADIUS accounting standard is documented in RFC 2059, which was made obsolete by RFC 2866.

RADIUS can be used as a security protocol for a network of any size, from large enterprise networks such as ISPs to small networks consisting of a few users requiring remote access. RADIUS is a client/server protocol. The RADIUS client is typically a NAS, firewall, router, or VPN gateway, which requests a service such as authentication or authorization from the RADIUS server. A RADIUS server is usually a daemon running on a UNIX machine or a service running on a Windows NT/2000 server. The daemon is software such as Cisco Secure ACS or another RADIUS server program that fulfills requests from RADIUS clients. Originally, RADIUS used UDP port 1645 for authentication traffic and 1646 for accounting traffic. However, due to an oversight in the standardization process, these ports were registered with the IANA to different services. To get around this issue, new port numbers were assigned to the RADIUS services (1812 for authentication and 1813 for accounting). However, many RADIUS implementations still use the old port numbers.

www.syngress.com

224 Chapter 5 • Authentication, Authorization, and Accounting

When a client needs authorization information, it passes the user credentials to the designated RADIUS server and queries it. The server then returns the configuration information necessary for the client to deliver services to the user. A RADIUS server can also act as a proxy client to other RADIUS servers. Figure 5.2 illustrates what happens when a user attempts to log in and authenticate to a NAS using RADIUS.

The sequence of events is as follows:

1. The remote user dials into a NAS and is prompted by the NAS for credentials such as a username and password.


Figure 5.2 Authenticating with RADIUS

[Figure: Remote Access Client A connects through a modem and the PSTN to the Network Access Server, which consults the RADIUS Server and its user Database Server in the server farm. The callouts read: 1. Client A dials into the NAS and is prompted for login and password. 2. The NAS queries the RADIUS server to authenticate Client A. 3. The RADIUS server queries the database where user account definitions are stored. 4. Credentials are validated, an ACCEPT message is sent back to the NAS, and access is granted.]


2. The username and encrypted password are sent from the RADIUS client (NAS) to the RADIUS server via the network.

3. The RADIUS server queries the database in which user account definitions are stored.

4. The RADIUS server evaluates the credentials and replies with one of the following responses:

• REJECT The user is not authenticated; the user is prompted to reenter the username and password. Depending on the RADIUS configuration, the user is allowed a certain number of tries before user access is denied.

• ACCEPT The user is authenticated.

• CHALLENGE A challenge is issued by the RADIUS server, with a request for additional information from the user.

• CHANGE PASSWORD A request is sent from the RADIUS server indicating that the user must change his or her current password.
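As an added example (not code from the book), here is the client side of step 4 in Python: parsing the reply that arrives on the RADIUS authentication port, checking its Response Authenticator against the shared secret and the request authenticator as RFC 2865 requires, and only then mapping the packet code to the ACCEPT, REJECT or CHALLENGE outcome listed above. The shared secret, request authenticator and reply packets are constructed sample values, and build_response exists only to produce that sample input.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes behind the replies the text calls ACCEPT, REJECT and CHALLENGE
REPLY_NAMES = {2: "ACCEPT", 3: "REJECT", 11: "CHALLENGE"}

def parse_packet(data):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes received" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        alen = data[pos + 1] if pos + 2 <= length else 0  # 0 forces the malformed branch
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": data[4:20], "attrs": attrs}

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a reply the way the server does; used here only to construct sample input."""
    attrs_bytes = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    auth = response_authenticator(code, ident, attrs_bytes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + auth + attrs_bytes

def classify_reply(reply, request_auth, secret):
    """Name the server's decision only after the Response Authenticator matches; else 'FORGED'."""
    pkt = parse_packet(reply)
    expected = response_authenticator(pkt["code"], pkt["id"], reply[20:pkt["length"]],
                                      request_auth, secret)
    if not hmac.compare_digest(expected, pkt["authenticator"]):
        return "FORGED"  # wrong secret, or a reply altered or injected on the UDP port
    return REPLY_NAMES.get(pkt["code"], "UNKNOWN")

# Constructed sample exchange (illustrative secret and authenticator, not real values).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client sends 16 random bytes per Access-Request
ACCEPT_REPLY = build_response(2, 7, [(18, b"Welcome")], REQUEST_AUTH, SECRET)  # 18 = Reply-Message
REJECT_REPLY = build_response(3, 7, [(18, b"Bad credentials")], REQUEST_AUTH, SECRET)
TAMPERED_REPLY = b"\x02" + REJECT_REPLY[1:]  # code byte changed; authenticator no longer matches
```

A client that skips the authenticator check and looks only at the code byte would treat TAMPERED_REPLY as an ACCEPT.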