IT:AD:Remote Access Dial In User Service (RADIUS)

Summary

RADIUS is a distributed security system that protects remote access to networks and network services against unauthorized access. It is composed of three components:

  • Protocol, with a frame format that uses UDP/IP
  • Server, running on a central computer
  • Client, running on dial-up access servers

RADIUS is an older and simpler authentication mechanism than AD, designed to allow network devices (think routers, VPN concentrators, and switches doing Network Access Control (NAC)) to authenticate users.

It doesn't have any sort of complex membership requirements; given network connectivity and a shared secret, the device has all it needs to test users' authentication credentials.

A Router operates as a RADIUS Client. The Client is responsible for passing user information to designated RADIUS servers.

The RADIUS server is responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS server can also act as a proxy client to other kinds of authentication servers.

The RADIUS Client can then act on the response that is returned.

Weaknesses

“Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an “Access-Request” containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5.”

That MD5-based password hiding is probably why IT:AD:Authenticated Authorized Accounted over Secure Transport (AAAS) is recommended.
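The password hiding described in the quoted passage, as an added example that is not from the original page: an implementation of the RFC 2865 User-Password hiding and its inverse. It makes the weakness concrete, because the "encryption" is just the password XORed with a keystream of MD5(shared secret || Request Authenticator), so its strength rests entirely on the shared secret and on the transport. The secret, authenticator and password values below are constructed for illustration.

```python
import hashlib


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value sent in an Access-Request.

    b1 = MD5(S + RA), c1 = p1 XOR b1; then b_i = MD5(S + c_(i-1)), c_i = p_i XOR b_i.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()  # the only 'secret' in the scheme
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream block depends on previous ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password. Anyone holding the shared secret and the on-wire
    packet (which carries the Request Authenticator in the clear) can do this,
    which is why the shared secret and the transport must both be protected."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding (passwords may not end in NUL)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed value
    authenticator = bytes(range(16))           # constructed value; real ones are random
    hidden = hide_password(b"correct horse", secret, authenticator)
    print(hidden.hex())
    print(reveal_password(hidden, secret, authenticator))
```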

Authentication

  • Identity (Principal): the UserName or other Identifier Attribute
  • Credential: the Password, Token or other Evidence of Credibility; a security related Attribute
  • Context (Subject): the User, Device or Service making the Request