If you are in need of a remote authentication solution for your network, the RADIUS protocol is it. To say that the RADIUS protocol is a ubiquitous approach to providing large-scale, centralized authentication management for internal or external networks, would be an understatement. Widely used by ISPs and large enterprises to manage a variety of network access mechanisms, such as access points, web servers, and VPNs, for often enormous amounts of users, RADIUS has retained the de-facto standard status it quickly achieved following its introduction in 1991. Ahead, we’ll take a deeper look into what the RADIUS protocol offers, and the basics of how it works.
Although RADIUS stands for Remote Authentication Dial-In User Service, modern RADIUS servers handle more than just authentication, and serve as the controllers for any form of access to the network. RADIUS is the be-all end-all remote authentication protocol for numerous reasons. Firstly, unlike embedded authentication systems, RADIUS has ability to service very large numbers of users, possibly in the millions, without buckling under the network stress as they are added to, removed from, and authenticated with the database constantly. RADIUS also adds an inherent layer of protection to the network since the protocol itself uses a shared secret along with the MD5 hashing algorithm to obfuscate passwords transmitted over the network. Although RADIUS’s built-in security can be considered weak by modern standards, and it’s recommended to add further protection to RADIUS traffic, the protocol has an added level of security that competitor remote authentication types do not. Lastly, RADIUS remains the dominating protocol, because it is the dominating protocol: Due to its overwhelming prevalence in the industry, RADIUS is almost universally supported, while competitors simply lack consistent support from vendors and hardware.
RADIUS employs a basic client/server model, but has some terminology that can be confusing unless the components are visualized. As shown in the figure below, the connecting user’s machine is known as the ‘access client’, and uses an ‘access server’ mechanism to establish a connection with the RADIUS server. As such, the ‘access server’ network access mechanism (such as VPN software, or an access point) also serves as the client to the RADIUS server. Once a connection is established, the access server then submits the user’s credentials to the RADIUS server, who then authenticates the user against the account repository, and responds with the results. The access server (RADIUS client) then receives the results, and the user is either granted access to the private network if authentication succeeded, or rejected if it failed.
The process is simple when boiled down to the basics, but the real beauty of RADIUS is the sheer number of different scenarios in which this process actually occurs. The Access Server, as mentioned, can be any one of all kinds of mechanisms such as a VPN client, or a wireless access point, or any of the endless number of desktop applications that support it. The RADIUS server itself has a similarly huge variety of commercial and open-source offerings, as does the user account repository being used. It all goes to show that no matter your software or network environment, RADIUS is the key to securing public access to protected resources.