Notes on RADIUS
Remote Authentication Dial-In User Service
What does it do?
- Authentication
- Authorization
- Accounting
Provides AAA management for users connecting to a network service.
What is it?
A client/server protocol that uses TCP or UDP as transport.
Question
How would we utilize RADIUS to allow users registered on a web application to access a Wireless Access Point?
How does it work?
The user sends a request containing access credentials to a NAS (Network Access Server) via a link-layer protocol (e.g., PPP, HTTPS). The NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization via the RADIUS protocol. This request contains a username and password, and additional information the NAS knows about the user (e.g., network address, phone number). The RADIUS server verifies the credentials using an authentication scheme (such as PAP, CHAP, or EAP). Then, the RADIUS server returns one of three responses:
- Access Reject
- Access Challenge
- Access Accept
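The exchange described above, as an added example that is not part of the original notes: the NAS side builds an Access Request with the PAP password hidden, then checks that the server's reply matches the request and the shared secret before trusting it. Packet layout, attribute numbers and the hiding scheme follow RFC 2865; the user name, password, shared secret and NAS address are constructed sample values, and `make_reply` is a hypothetical stand-in for the RADIUS server.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865, section 5.2): XOR with an MD5 keystream."""
    size = max(16, len(password) + (-len(password) % 16))   # pad to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev                                          # next block chains on this one
    return out

def attr(type_: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user, password, secret, ident, request_auth, nas_ip):
    """Code 1 packet: User-Name (1), User-Password (2), NAS-IP-Address (4)."""
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret, request_auth))
             + attr(4, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def parse_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """Return the reply type only if it matches our request and shared secret."""
    if len(reply) < 20:
        raise ValueError("reply shorter than the RADIUS header")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or rid != ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return CODES.get(code, f"unexpected code {code}")

def make_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the RADIUS server's answer (no attributes)."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()

if __name__ == "__main__":
    secret, ra = b"sample-shared-secret", bytes(range(16))   # constructed; a real NAS uses 16 random bytes
    req = build_access_request("alice", "wifi-pass", secret, 7, ra, "192.0.2.10")
    print(len(req), parse_reply(make_reply(2, 7, ra, secret), 7, ra, secret))
```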
Authentication
Verify the identity of a user.
Authorization
What permissions are granted to this user?
e.g., grant the user permission to use the local network and access the Internet.
Accounting
Tracks when someone signs on to or logs off of the WiFi.