What is a RADIUS server?
What does a RADIUS server do?
A RADIUS server is a software package that implements the RADIUS protocol to provide Authentication, Authorization and Accounting (AAA) services. RADIUS stands for Remote Authentication Dial In User Service, but the RADIUS servers of today do much more than authenticate dial-in users: they control access to the network.
A RADIUS server is not a database, and it does not contain one. RADIUS is a protocol that defines how the server works together with a database such as LDAP or MySQL to provide the authentication and authorization services.
Take the example of an ISP (Internet Service Provider), where a large number of users connect and a RADIUS server therefore fits well. Each of these users tries to reach the host server/NAS (Network Access Server), and each must be individually authenticated before a user session is allowed through those servers. So, when a user attempts to start a connection, their credentials (user name, password etc.) are sent to the host server/NAS requesting access. The host server/NAS forwards the required authentication information to a central RADIUS server, which looks the user up in a database such as LDAP, or in its own internal hashed user database, to check whether the credentials are correct. If they are, a message saying so is sent back to the host server/NAS and a session is started with the client. These messages also carry the type of access the particular user is entitled to, based on their authentication parameters.
Once the session is started, the host server/NAS also sends a record containing the time-stamp details to the RADIUS server, which stores it together with the session termination details that are sent when the user later ends the session. Some applications use this information for billing, or to calculate the total usage time or bandwidth consumed over a period of time.
The host server/NAS application needs to run RADIUS client software in order to communicate with the central RADIUS server. It is beneficial to run a RADIUS server in any organization with more than 30 users. If the organization is distributed and the users have various means of accessing the network (wired, wireless access points, broadband, dial-in etc.), it is even better to run the RADIUS server together with a directory such as LDAP.
Authentication and Authorization:
Various types of authentication packets are exchanged between the host server/NAS and the RADIUS server: authentication request packets sent to the RADIUS server, and several types of authentication replies sent from the RADIUS server back to the host server/NAS.
The first is the authentication acknowledgement, which tells the host server/NAS to start a normal session with the user by providing them with an IP address. Additional authorization data can be sent in that packet to determine the type of service the user is entitled to. The second is the authentication rejection, where the RADIUS server tells the host server/NAS not to provide any type of connection to the user; it can also include attributes giving the reason for refusing the session, which can be shown to the user (for example an incorrect user name or password). There is also a third type of packet, the authentication challenge, which asks for additional authentication information. Here the host server/NAS acts as a liaison between the user and the RADIUS server: it prompts the user for the additional information and sends it back to the RADIUS server. This continues until the RADIUS server sends an authentication acknowledgement or an authentication rejection packet.
Sometimes a request from the host server/NAS goes unanswered. In those cases the authentication request packet is re-transmitted at a specified interval until an authentication ack or authentication reject packet is received, or the pre-defined number of tries is exhausted. There can also be a backup RADIUS server that serves the clients if the primary one fails.
The number of sessions a user can open simultaneously with the host server/NAS can be restricted by the RADIUS server; if it is not restricted, it is unlimited. A RADIUS server also prevents repeated authentication requests by keeping failure counters, which helps when someone is trying to guess the password by repeated attempts. After a specific number of failed tries, the RADIUS server can stop that user from sending further authentication request packets.
A RADIUS server supports many authentication types, such as encrypted password authentication, SQL authentication, Pluggable Authentication Modules (PAM) etc. It can also support guest authentication. Suppose a guest user needs temporary access: there is no need to update credentials or create a new entry for them in the LDAP server. They can simply be given a default user name such as guest and a password, with which they can log in and use the network resources (with restricted access) for a specified amount of time.
Accounting:
Like the authentication packets, accounting packets are also exchanged between the RADIUS server and the host server/NAS. As mentioned earlier, the RADIUS server stores accounting information for individual sessions: users, time span, packets transferred during that session/time span etc. An accounting request packet can be sent from the host server/NAS to the RADIUS server requesting such user session information, and the RADIUS server responds with the appropriate attributes and information. After sending the requested information, the RADIUS server also sends an accounting acknowledgement packet to confirm to the host server/NAS that it has received the request and sent the required information.
Since RADIUS servers can interface with databases such as MySQL and ODBC-based database applications, they can store the accounting information and accounting requests in the database along with the user credentials.
Information such as how many packets have been sent to and from a port for a specific user or session, and how long such sessions lasted, can be accessed by RADIUS clients. This is mostly used for billing and to determine the time taken or bandwidth consumed by individual clients and applications.
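The authentication exchange (request, acknowledgement, rejection) and the accounting records described in the two sections above, as an added example that is not from the original article: a minimal RADIUS packet encoder for both the NAS side and the server side, written from the RFC 2865/2866 packet layout. The shared secret, user table and attribute values are constructed for the demo; the point it makes is that the server can only reveal the hidden password, and the NAS will only trust a reply, when both sides hold the same shared secret.

```python
import hashlib
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed; stand-in for the NAS/server shared secret
USERS = {b"alice": b"correct horse", b"bob": b"a-passphrase-longer-than-sixteen"}  # constructed
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40  # RFC 2865/2866 attribute type numbers

def encode_attrs(attrs):  # each attribute is Type(1) Length(1) Value
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
def decode_attrs(blob):  # stops on a truncated or zero-length attribute instead of looping
    attrs, i = {}, 0
    while i + 2 <= len(blob) and blob[i + 1] >= 2:
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs
def password_xor(data, req_auth, hiding):  # RFC 2865 5.2: block XOR MD5(secret + previous block)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(SECRET + prev).digest()))
        prev, out = (block if hiding else data[i:i + 16]), out + block
    return out
def nas_access_request(ident, user, pw):  # NAS side: fresh random Request Authenticator
    req_auth = os.urandom(16)
    hidden = password_xor(pw + b"\x00" * (-len(pw) % 16), req_auth, True)
    body = encode_attrs([(USER_NAME, user), (USER_PASSWORD, hidden)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
def nas_acct_request(ident, user, status):  # status 1 = Start, 2 = Stop (RFC 2866)
    body = encode_attrs([(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status))])
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + SECRET).digest() + body

def radius_server(req):
    code, ident, length = struct.unpack("!BBH", req[:4])
    req_auth, attrs = req[4:20], decode_attrs(req[20:length])
    assert code in (ACCESS_REQUEST, ACCT_REQUEST), "unsupported code"
    if code == ACCESS_REQUEST:  # look the user up and compare the revealed password
        pw = password_xor(attrs.get(USER_PASSWORD, b""), req_auth, False).rstrip(b"\x00")
        reply = ACCESS_ACCEPT if USERS.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    else:  # accounting: the authenticator proves the NAS knows the secret before we log anything
        if hashlib.md5(req[:4] + bytes(16) + req[20:length] + SECRET).digest() != req_auth:
            raise ValueError("forged or mis-configured accounting request")
        reply = ACCT_RESPONSE  # a real server would store the Start/Stop record here
    head = struct.pack("!BBH", reply, ident, 20)
    return head + hashlib.md5(head + req_auth + SECRET).digest()  # Response Authenticator
def nas_check_reply(reply, req):  # NAS side: ignore replies not bound to our request and secret
    expected = hashlib.md5(reply[:4] + req[4:20] + reply[20:] + SECRET).digest()
    return reply[0] if reply[1] == req[1] and reply[4:20] == expected else None
```

A reply whose code is altered on the wire, or that comes from a host without the secret, fails the authenticator check in nas_check_reply and is dropped rather than acted on.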
Extension and Proxy:
To extend the functionality of a RADIUS server without modifying its source code, extension languages are used that interface with the core of the RADIUS server and extend it according to specific requirements. A simpler way to do this is with filters. Filters handle the simpler requests: a filter is an external program that communicates with the RADIUS server through its standard input and output channels to extend its functionality or to return the relevant data in a specified format.
RADIUS servers also support proxy services, which are needed for roaming. Imagine two ISPs, and a user who moves from the area of one ISP into the area of the other. The proxy facility is used to give the user internet access in that situation. The connection request packets are sent from the secondary ISP's RADIUS server to the primary ISP's RADIUS server, which authenticates the user who is now accessing the internet through the secondary ISP's network. All the accounting information is sent back to the primary RADIUS server for billing purposes.
excITingIP.com
Hi Rajesh
Good one, it would be good if you explain this with firewall.
Thanks
Shruthi
Thanks a lot
Solved a great piece of puzzle involved in authentication for ISPs.
This is useful information. That said, one of the more common situations these days is a business, a local park, library, or even a home on a rural property with no cell coverage… to hook up an outdoor 2.4GHz 802.11n wifi access point with PoE, off of a small network, to create a 3km radius hotspot, with the desire to cap data (or even speeds) to the open guest account being used as a local hotspot. It would be very helpful to have a FAQ on how to set up that sort of simple network. You need the radius type capacity to place limitations on the open account, but your local employees (etc) need the full speed of the network without a daily data cap.