Databases

RADIUS servers depend on databases, but the two systems perform very different roles. In short, RADIUS servers implement policies (if / then / else checks), and databases store information.

Databases (e.g. SQL, LDAP) are designed to store and retrieve data. They have limited decision-making capabilities. While stored procedures are possible in most databases, they are less often used when simple data storage is required.

The key differences between RADIUS servers and databases lie in the way they support policies and authentication. The role of a database is to provide data to a RADIUS server. The RADIUS server then uses an authentication method to authenticate the user.

When a RADIUS server authenticates a user or stores accounting data for that user, it reads from or writes to a database or directory. User information (i.e., user name, password, credit amount) and session data (i.e., total session time and statistics for total traffic to and from the user) are stored in this database or directory.

In many respects, the RADIUS protocol is similar to a remote database query language. Specifically, while an SQL or LDAP database stores user data, that database cannot be queried directly by the NAS. Instead, the NAS sends a request to the server, which in turn queries the database. This simplification of the normal database query language means that it is easy to add authentication and accounting to an NAS instead of implementing a full-featured SQL client, which would be very resource intensive and costly.

Table 1. Key Differences Between RADIUS Servers and Databases

| RADIUS Servers | Databases |
|---|---|
| Implement policies | Rarely implement policies |
| Contain small amounts of information | Contain millions of pieces of information |
| Support complete authentication protocol sets, such as: CHAP; MS-CHAP; MS-CHAPv2; 802.1X (EAP, EAP-TLS, PEAP, EAP-TTLS, EAP-MD5, EAP-GTC, LEAP); HTTP Digest authentication | Permit simple authentication queries, such as: LDAP "bind as user"; name / password checking |

Important
Databases store data. They do not authenticate users.
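
The split between the two roles, shown for CHAP as an added example (not FreeRADIUS code): the database only returns the stored password, while the server computes the CHAP response defined in RFC 1994 and makes the accept/reject decision. The table layout, function names and sample user are assumptions, and an in-memory SQLite database stands in for the SQL server.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: the database only stores and returns rows.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, cleartext_password TEXT)")
db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "correct horse"))


def lookup_password(username):
    """Database role: return stored data, make no decision."""
    row = db.execute(
        "SELECT cleartext_password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0].encode() if row else None


def chap_response(chap_id, password, challenge):
    """CHAP (RFC 1994): MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def radius_authenticate(username, chap_id, challenge, response):
    """RADIUS server role: fetch data, run the CHAP check, apply policy."""
    password = lookup_password(username)
    if password is None:
        return "Access-Reject"  # unknown user
    expected = chap_response(chap_id, password, challenge)
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(expected, response):
        return "Access-Accept"
    return "Access-Reject"


def demo():
    """Simulate the NAS side: challenge the user, forward the response."""
    challenge = os.urandom(16)
    good = chap_response(7, b"correct horse", challenge)
    bad = chap_response(7, b"wrong guess", challenge)
    return (
        radius_authenticate("alice", 7, challenge, good),
        radius_authenticate("alice", 7, challenge, bad),
        radius_authenticate("mallory", 7, challenge, good),
    )


if __name__ == "__main__":
    print(demo())
```

The database never sees the challenge or the response, so it has nothing to verify; it can only hand the stored value to the server.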