RADIUS Remote Authentication Dial-In User Service RADIUS Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes, authenticates and accounting users who access a remote and local network’s RADIUS is an important tool for managing network access because it can prevent unauthorized users—and attackers—from infiltrating your network. It is commonly used to connect embedded routers, modem servers, software, and wireless apps. RADIUS Services • Authentication : It Identify remote users, and Control which users can access the network • Authorization : It define what each user can do by controlling access to network resources • Accounting : RADIUS accounting functions allow data to be sent at the start and end of sessions, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session Radius Authentication Process Radius Authentication Process A user sends a request to Client it carries the user’s credentials to the Client. This may include the user’s network address, username, and password. Client forwards an Authentication Request Packet to the RADIUS Server, containing user identification, encrypted password, and Client identification. Radius Authentication Process RADIUS Server validates the user and sends the Client an Authentication Acknowledgement packet containing user configuration and either 1)Access-accept : Specifying what network services and privileges the RAS should provide to the user or 2) Access-reject : Denying the Authentication Request 3) Access-Challenge : sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another AccessRequest. Password Authentication protocols For Password Authentication we use different protocols for example PAP , CHAP , etc... PAP is a password Authentication Protocol used by PPP links to validate users. PAP authentication requires the calling device to enter the username and password. If the credentials match with the local database of the called device or in the remote AAA database then it is allowed to access otherwise denied. CHAP is a more secure method of authentication than PAP. It eliminates the process of sending clear-text passwords and instead utilizes encryption to mask the information being transferred. Uses Used to secure many university networks that provide dial-in IP connectivity to students and faculty. Used by many Internet service providers to provide security to users accessing their networks from multiple POPs (Points Of Presence)