Network Access Server

The Network Access Server (NAS) acts as the gateway between the user and the wider network. When a user tries to obtain network access, the NAS passes authentication information (for example, user name and password) between the user and the RADIUS server. This process is termed an Authentication Session. Note that the user login initiates this Authentication Session conversation. This is a key concept.

At the end of the Authentication Session, the server instructs the NAS to either reject the user and deny network access or accept the user and provide network access. Once the user has accessed the network, security restrictions (defined by the RADIUS server) are enforced by the NAS, which acts as the gateway router and firewall for that user.

The RADIUS server receives a summary of the user’s activities from the NAS. This summary includes data such as session identification information, total time on the network, and total traffic to and from the user. Note that user traffic does not pass through the RADIUS server - the RADIUS server only has access to user information via the NAS summary.

There are many different types of Network Access Servers (NAS). In an enterprise environment, network switches and wireless access points act as NASs to ensure only authorized users may access the corporate network. In contrast, carriers may use ADSL terminators or Digital Subscriber Line Access Multiplexers (DSLAM) as NASs to authenticate users and generate accounting information for billing. In fact, any device or application that verifies username and password authentication may be a RADIUS client.

RADIUS clients include FTP servers, web servers, and Unix login services.

Using the term server in reference to the Network Access Server can create confusion, because the NAS acts as a client in the RADIUS protocol. This documentation uses the term "NAS" to refer to a client and the term "server" to refer to a RADIUS Server.

The NAS initiates RADIUS conversations when a user requests network access.