RADIUS Server Management

RADIUS Server Overview

RADIUS is an industry-standard protocol for providing authentication, authorization and accounting services.

Authentication - Authentication is the process of verifying a user’s identity and associating additional information (attributes) to the user’s login session.

Authorization - Authorization is the process of determining whether the user is allowed on the network and of controlling network access values based on a defined security policy.

Accounting - Accounting is the process of generating log files that record session statistics to be used for billing, system diagnosis and usage planning.

The following figure illustrates a simple RADIUS environment.

A RADIUS-based remote access environment typically involves the following four types of components:

Access Client - An access client is a user who initiates a network connection. An access client might be a user dialing in to a service provider network, a router at a small office or home office connecting to an enterprise network to provide network access, or a wireless client connecting to an 802.1X access point.

Network Access Device (NAD) - A network access device (NAD), also called a RADIUS client, is a device that recognizes and processes connection requests from outside the network edge. A NAD can be a wireless access point, a modem pool, a network firewall, or any other device that authenticates users.

RADIUS Server - The RADIUS server (in this case, Pulse Policy Secure) matches data from the authentication and authorization request with information in a trusted database. If a match is found and the user’s credentials are correct, the RADIUS server sends an Access-Accept message to the NAD. If a match is not found or if a problem is found with the user’s credentials, the server returns an Access-Reject message. The NAD then establishes or terminates the user’s connection accordingly. The NAD might also forward accounting information to the RADIUS server to document the transaction, and the RADIUS server might store or forward this information as needed to support billing for the services provided.

Back-end Authentication Server - In some networks, a back-end authentication server, such as RSA SecurID or an LDAP database, stores the information against which the authentication request is compared. In some cases, the back-end server passes information to the RADIUS server, which determines whether a match exists. In other cases, the matching is performed on the back-end server, which then passes an ‘accept’ or ‘reject’ result to the RADIUS server.
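The exchange between the NAD and the RADIUS server described above, as an added example that is not part of this page or of the Pulse Policy Secure product: a NAD builds an RFC 2865 Access-Request carrying User-Name and a User-Password hidden under the shared secret, the server checks the credentials against a small local table (a constructed stand-in for the trusted database or back-end server) and answers Access-Accept or Access-Reject, and the NAD verifies the Response Authenticator before trusting the answer. The shared secret, user table and identifier are constructed values.

```python
import hashlib
import secrets
import struct

# Constructed values for the example (not from the page or the product).
SHARED_SECRET = b"example-shared-secret"          # configured on both NAD and server
USER_DB = {"alice": "correct horse battery staple"}  # stand-in for the trusted database

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # RFC 2865 attribute types


def encode_attrs(attrs):
    """Serialise (type, value) pairs as Type(1) Length(1) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs, rejecting attributes whose length runs past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with MD5(secret + previous block)."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    p = password.ljust(padded_len, b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the server knows the secret and the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def parse_packet(pkt):
    """Split Code, Identifier, Authenticator and attributes; reject bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def nad_access_request(username, password, ident, secret=SHARED_SECRET):
    """NAD side: fresh random Request Authenticator plus User-Name and hidden User-Password."""
    req_auth = secrets.token_bytes(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_handle(pkt, secret=SHARED_SECRET):
    """Server side: check credentials and return Access-Accept or Access-Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in USER_DB and secrets.compare_digest(pw, USER_DB[user].encode())
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", rcode, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def nad_verify_response(pkt, ident, req_auth, secret=SHARED_SECRET):
    """NAD side: accept the reply only if identifier and Response Authenticator check out."""
    code, rident, resp_auth, _ = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if rident != ident or not secrets.compare_digest(expected, resp_auth):
        return None   # spoofed, corrupted, or answered with a different shared secret
    return code


def run_exchange(username, password, server_secret=SHARED_SECRET):
    """Full round trip; returns ACCESS_ACCEPT, ACCESS_REJECT, or None if the reply fails verification."""
    ident = 7   # constructed identifier; real NADs cycle this per outstanding request
    req, req_auth = nad_access_request(username, password, ident)
    return nad_verify_response(server_handle(req, server_secret), ident, req_auth)


if __name__ == "__main__":
    print("good password:", run_exchange("alice", "correct horse battery staple"))
    print("bad password:", run_exchange("alice", "wrong"))
    print("secret mismatch:", run_exchange("alice", "correct horse battery staple", b"other-secret"))
```

The third call shows why the shared secret matters on both sides: a server configured with a different secret cannot recover the password and its reply fails the NAD's Response Authenticator check, so the NAD treats it as no answer rather than as an Access-Reject. Both the password hiding and the reply authentication rest on MD5 and the secret alone, which is why deployments keep the secret long and per-NAD and carry RADIUS over a protected transport where possible.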