What is Radius Authentication Protocol?

As part of securing a network, access to your devices needs to be restricted and monitored.

This includes direct access to routers, switches and servers but it can extend to allowing users to log on to particular services such as logging on to your ISP. It would be a tedious task if, for example, on every new router you added to the network you had to configure every single username and password. This is where AAA – Authentication, Authorization and Accounting comes into play.

Authentication – you want to confirm the user's identity

Authorization – you want to define what permissions a particular user can have

Accounting – you want to track some information from your users

How can you achieve this? One of the solutions is Radius (Remote Authentication Dial-In User Service), originally developed by Livingston Enterprises and later standardized. The specifications can be found in RFC2865 (authentication and authorization) and RFC2866 (accounting). It is a client/server protocol where a client sends requests to a remote server (Unix or Windows), which typically has a database (internal or external to the Radius server) holding user information. It uses UDP at the transport layer and has officially been assigned ports 1812 for authentication and 1813 for accounting.

How does the Radius protocol work?

The user that needs to gain access to a particular resource will send a request to the Access Server with its credentials and then access can be granted with specific privileges or denied. The communication flow is as follows:

[Figure: Radius packets exchanged between the client and the Radius Server]

In the “Access Request” the client will send information such as username, password (hidden using the shared secret rather than sent in clear text), and the IP address and port of the Access Server. In response the Radius Server will check its user database and either accept or reject the user. A message may accompany the “Access Reject” explaining the cause. If the user is accepted, it will be sent attributes (as part of the authorization step) that define the type of access. Such attributes may include an IP address, Vendor-Specific information, a session timeout and access lists. The “Access Challenge” is optional; with it the Radius Server may request further information before granting access. Once the user is authenticated and authorized, accounting will start. Packets will be exchanged to signal when the user connection started and ended, together with specific user information to uniquely identify them.
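The Access Request / Access Accept exchange just described, as an added Python example that is not part of this article: it builds the packet layout from RFC2865 (code, identifier, length, 16-byte authenticator, type/length/value attributes), hides the User-Password with the shared secret, checks the credentials against a user table on the server side, returns authorization attributes on acceptance, and lets the client verify the Response Authenticator. The shared secret, the user entry, the NAS address and the attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
FRAMED_IP_ADDRESS, REPLY_MESSAGE, SESSION_TIMEOUT = 8, 18, 27

# Constructed sample data: the shared secret and the server's user database.
SECRET = b"example-shared-secret"
USER_DB = {b"alice": {"password": b"s3cret-pass", "framed_ip": "192.0.2.10", "session_timeout": 3600}}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type/Length/Value; Length includes the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack(">BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack(">BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack(">BBH16s", code, ident, 20 + len(body), authenticator) + body


def parse_packet(data):
    code, ident, length, authenticator = struct.unpack(">BBH16s", data[:20])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    return code, ident, authenticator, decode_attrs(data[20:length])


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): each 16-byte chunk is XORed with
    MD5(secret + previous output chunk), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))  # at least one block, zero padded
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")  # strip padding; passwords ending in NUL are not supported


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def client_access_request(username, password, secret, nas_ip, nas_port, ident):
    """What the NAS (the router in the article) sends: a fresh random Request
    Authenticator plus User-Name, hidden User-Password, NAS-IP-Address and NAS-Port."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
             (NAS_PORT, struct.pack(">I", nas_port))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, user_db):
    """Server side: recover the password, look the user up and answer with
    Access-Accept (carrying authorization attributes) or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    fields = dict(attrs)
    entry = user_db.get(fields.get(USER_NAME, b""))
    presented = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    if entry and hmac.compare_digest(presented, entry["password"]):
        code, reply = ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, socket.inet_aton(entry["framed_ip"])),
                                      (SESSION_TIMEOUT, struct.pack(">I", entry["session_timeout"]))]
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"authentication failed")]
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)


def verify_response(response, request, secret):
    """Client side: trust a reply only if its ID matches the request and the
    Response Authenticator verifies under the shared secret."""
    code, ident, resp_auth, attrs = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return ident == req_ident and hmac.compare_digest(resp_auth, expected)
```

Running the client and server functions with different secrets shows why the configuration sections below insist that the key must match on both sides: the server recovers garbage instead of the password and rejects the user, and the client rejects the reply because the Response Authenticator no longer verifies. Note that the password hiding is an MD5-based XOR keyed only by the shared secret, so the strength of that secret and the protection of the path between client and server are what keep the password private on the wire.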


A Practical Example on Cisco and Juniper

So let’s say you have a Cisco or Juniper router in your network and you want to use Radius to control access to your device. In this case the router is the client, and it contacts the Radius Server for user information. How would you go about configuring it? Just follow the commands outlined below.

Radius on Cisco

Router1# conf t
Router1(config)#aaa new-model

This enables AAA on the Cisco.

Router1(config)#radius-server host x.x.x.x auth-port yyyy acct-port zzzz

The IP address of the Radius Server is configured and, optionally, the ports used for authentication and accounting can be defined. These need to match on the Radius Server.
Router1(config)#radius-server key 0 xxxxxx

A shared secret is specified to secure the communication between the Cisco and the Radius Server. This needs to match on the Radius Server.

Router1(config)#radius-server retransmit x

(Optional) Specify the number of times the Cisco retransmits a request to the Radius Server before giving up.

Router1(config)#radius-server timeout x

(Optional) Specify the number of seconds the Cisco waits for a reply before resending the request.

Router1(config)#radius-server deadtime x

(Optional) Specify the number of minutes the Cisco skips a Radius Server it has marked as down before trying it again.

Router1(config)#aaa authentication login default group radius local

This enables Radius for login access to the Cisco. In case the Radius Server is down or unreachable it will fall back to the local Cisco user configuration for access. Note that the fallback only happens when no Radius Server responds; a user rejected by the Radius Server is not re-checked against the local database.

Router1(config)#ip radius source-interface xxxx

Specify the interface whose address is used as the source for communication to the Radius Server.

Radius on Juniper

Below is the equivalent configuration for a Juniper device:

[edit system]
authentication-order [radius password];
radius-server x.x.x.x {
    accounting-port xxxx;
    port yyyy;
    retry x;
    secret xxxxxx;
    source-address y.y.y.y;
    timeout x;
}

Here port is the authentication port and accounting-port the accounting port; secret, retry and timeout correspond to the Cisco key, retransmit and timeout settings, and they need to match the Radius Server in the same way.

Conclusion

The Radius authentication protocol can be used in various scenarios, from restricting access to your network devices to letting an ISP authenticate and authorize its ADSL customers. Since 2012 there is also an option to use Radius over TCP, standardized in RFC6613. Besides Radius there are other authentication protocols such as TACACS or Kerberos, and Diameter, which was designed as the successor to Radius.

To read about the Radius alternative TACACS+, check out this other great article!

Nadia

Nadia is currently working for a startup in the world of mobile technologies, writing all sorts of documentation including user guides, release notes, training material and FAQs. She previously worked as a network engineer for an ISP and in Advanced Technical Support for a well-known networking vendor. I consider myself a citizen of the world and in my spare time love to travel, indulge in various cuisines, do some volunteer work and play games.
