RADIUS Protocol
What Is RADIUS?
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network. A protocol is a collection of rules that control how something communicates or operates.
RADIUS is used to make connections between computers and provides authentication, authorization, and accounting. RADIUS is an important tool for managing network access because it can prevent unauthorized users—and attackers—from infiltrating your network.
A RADIUS protocol makes use of a RADIUS client, or network access server (NAS), and a RADIUS server. It performs some of the same functions as a Lightweight Directory Access Protocol (LDAP), and it provides local authentication services by maintaining an active directory of user credentials. Its security features put it on par with Transmission Control Protocol (TCP). RADIUS operates on port 1812 and port 1813.
Origin of the RADIUS Protocol
RADIUS was developed by Livingston Enterprises, Inc. in 1991 and evolved to become the standard for the Internet Engineering Task Force (IETF). RADIUS was first used to connect universities in the state of Michigan. The National Science Foundation (NSF) awarded a grant to Merit Network, a nonprofit internet provider, and they contracted Livingston Enterprises to develop a protocol that ended up being RADIUS.
Primary Functions of RADIUS Protocol
RADIUS performs three basic functions: authentication, authorization, and accounting.
- Authentication: RADIUS authenticates devices or users prior to allowing them to access a network.
- Authorization: RADIUS authorizes devices or users, allowing them to use specific services on the network.
- Accounting: RADIUS accounts for the number of resources used—such as packets, bytes, and the time expended—during the session.
What Is a RADIUS Server?
A RADIUS server bases its operation on the User Datagram Protocol (UDP), and it is typically a daemon application that runs on a Windows or UNIX machine. A daemon is a program that runs as a background process. The RADIUS server collects identification information about all of its users’ credentials. The server waits until it gets a request from a client or NAS, which can be devices or systems like wireless access points or virtual private networks (VPNs).
Once the RADIUS server gets this information, it sends a reply back to the client. In this way, RADIUS servers get connection requests from users, authenticate each user, and then return the necessary configuration details to enable the client to provide the user with service.
A RADIUS server provides users with benefits, including a scalable solution, that can be easily modified for different security systems while separating your communication and security processes.
How Does RADIUS Authentication and Authorization Work?
To authenticate a network, RADIUS uses a client/server model. The messages sent back and forth enable administrators to vet who has access to the connection by using a database containing approved user credentials.
User Sends Request To Network Access Server (NAS)
The first step in a connection using a RADIUS server is the user sends a request to the NAS. This can be done by a number of network resources, like cellular phones or personal computers, for example. A program designed to make login requests, called a supplicant, carries the user’s credentials to the NAS. This may include the user’s network address, username, and password.
NAS Sends Access Request to RADIUS Server
The next step in the connection process occurs when the NAS sends an access request message to the RADIUS server. First, the NAS gets the user data and then sends it via a request. The server makes sure the access request is from a legitimate source by comparing it against information held in its database.
RADIUS Server Responds To Access Request
When the RADIUS server gets the message, it can respond in three different ways: accept access, reject it, or challenge it. When the access request is accepted, access is granted. When the request is rejected, access is not granted, and in the case of a challenge, the RADIUS server requests more information before allowing access.
When access is accepted, it is done according to authorization attributes, which are conditions that govern how the user will have access. Some of these may include how long the user can be connected, the kind of protocol to be used, or the Internet Protocol (IP) address the user will have during the session.
How Does RADIUS Accounting Work?
RADIUS accounting is used apart from the authorization and authentication processes and enables data to be sent at the close of the session. This data outlines elements such as the data packets that were sent, how long the session lasted, and how much data was sent.
The data is useful for billing and monitoring because it accounts for all the resources used while the session was active. For example, if a user is being billed according to the amount of data they use, the accounting function will provide a tally. Also, if an administrator wants to know what kind of information was transferred, they can use the RADIUS accounting feature to monitor the activity engaged in during the session.
RADIUS and TACACS+
TACACS+ stands for Terminal Access Controller Access-Control System Plus, and it is a group of protocols that manage remote authentication.
Similar to RADIUS, TACACS+ facilitates communication between a client and a server. TACACS+ is different, however, in that it gives users more control as to how commands are authorized. Also, with TACACS+, all authentication, authorization, and accounting information gets encrypted.
RADIUS Security
With RADIUS, you can prevent private information from being leaked to unauthorized individuals, primarily because if their credentials do not match what is in the RADIUS server’s database, a user cannot gain access to the connection. RADIUS is a scalable solution because it can be implemented in a variety of different networks. It can also be duplicated as needed as more connections are added. Further, it integrates with most security systems, such as Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), or UNIX login.
With RADIUS, the communications process is separated from the security process. This benefits an organization because it allows administrators to make adjustments to the security protocols used without changing the communications methods.
How Fortinet Can Help
Remote employees need access to a company’s network, but this needs to be done securely, particularly because remote workers may use a variety of devices with varying levels of security. A zero-trust network access policy is one that assumes every connection can be malicious and requires authentication, across the board, regardless of the user trying to connect.
With FortiAuthenticator, you can ensure only approved people access your network at the appropriate times. In addition, you can orchestrate two-factor authentication (2FA) across your entire network. FortiAuthenticator can also act as a RADIUS server to provide identity management and authentication services, bolstering your network’s security profile.
