RADIUS Protocol Facts

RADIUS (Remote Authentication Dial In User Service) is one of the oldest protocols still in use on the Internet, and it remains a reliable one.

It was invented more than two decades ago by Livingston Enterprises, Inc. Today, numerous ISPs (Internet Service Providers) and enterprises use RADIUS billing systems to manage access to the Internet or to internal networks, including integrated e-mail services and wireless networks. These networks, in turn, may encompass modems, DSL, VPNs, web servers, network ports, access points, etc.

 

RADIUS Protocol Functions

RADIUS is a client/server protocol that runs in the application layer and uses UDP as its transport. It serves three primary functions, also known as ‘AAA’:

  • authentication of users or devices prior to giving them access to a network;
  • authorization of those users/devices for certain services of the network;
  • accounting for service usage.

 


A RADIUS server uses this concept (AAA) to manage two parts of the network access process, also known as an ‘AAA transaction’.

 

Authentication, Authorization and Accounting in RADIUS

Let’s describe these processes in simple terms. First, a user or device sends a request to the RAS (Remote Access Service) to get access to a particular resource, presenting access credentials (typically a username and password, or a security certificate). The RAS then sends a message containing those credentials directly to the RADIUS server, requesting authorization. The server checks the information using the PAP, CHAP or EAP schemes and sends one of three responses to the RAS: ‘Access Reject’, ‘Access Challenge’ or ‘Access Accept’.

 

  • Access Reject: the user is denied access. The reasons may vary; one of the most frequent is failure to provide proof of identification.
  • Access Challenge: additional credentials are needed (secondary password, PIN, token, etc.). This response is mainly used in more complicated dialogues where the access data are hidden from the RAS.
  • Access Accept: access is granted and the user is authorized.

Each of the responses may contain a Reply-Message attribute (it usually carries a reason for rejection, a challenge, or a welcome message in case of authorization). When the user is authorized, the Accounting process starts. Although the main goal of this function is to bill the user accordingly, the data obtained can also serve statistical purposes and overall network monitoring.
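To make the responses above concrete, here is an added example (not code from the original page) that parses a RADIUS reply, extracts its Reply-Message, and checks that the reply really answers the request that was sent. It assumes the RFC 2865 packet layout and Response Authenticator calculation, which rely on a secret shared between the RAS and the server that the page does not describe; the function names, the secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 2865; 18 is the Reply-Message attribute type.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE = 18

def parse_packet(data):
    """Parse the 20-byte RADIUS header and its type-length-value attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= min(len(data), 4096):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    replies = [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]
    return {"code": CODES.get(code, "Unknown"), "id": ident, "length": length,
            "attributes": attrs, "reply_messages": replies}

def response_digest(packet, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()

def verify_response(packet, request_auth, secret):
    """Parse first (rejects malformed input), then check the Response Authenticator."""
    parse_packet(packet)
    return hmac.compare_digest(response_digest(packet, request_auth, secret), packet[4:20])

def build_response(code, ident, attrs, request_auth, secret):
    """Build a constructed server reply so the example runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    unsigned = struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
    return unsigned[:4] + response_digest(unsigned, request_auth, secret) + body

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
REJECT = build_response(3, 7, [(REPLY_MESSAGE, b"Invalid credentials")], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(parse_packet(REJECT), verify_response(REJECT, REQUEST_AUTH, SECRET))
```

A reply whose code byte is changed from Access-Reject to Access-Accept in transit fails `verify_response`, because the code is part of the hashed data.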

 

UDP Port Numbers for RADIUS

The Internet Assigned Numbers Authority (IANA) officially assigned UDP ports 1812 and 1813 for RADIUS Authentication and RADIUS Accounting respectively. Prior to this allocation, ports 1645 and 1646 were used unofficially. These ports are still used to this day for backwards compatibility. For this reason, many server implementations check both sets of ports for RADIUS requests.

 

The RADIUS protocol has proven to be a reliable system for managing computers that connect to and use network services.

 

Today, RADIUS billing services empower providers with all the tools necessary for a wide variety of business models.