RADIUS Server Policies

The RADIUS server processes an NAS request based on the following criteria:

  • Contents of the NAS request

  • Information available locally to the RADUS server (flat files, SQL, LDAP)

The limitations inherent in the above processing criteria mean that the server cannot negotiate with an NAS to request more information: the server simply takes what the NAS sends and returns either an acknowledgment or a non-acknowledgment. This limitation is another key concept.

The RADIUS server has no control over the content of the request which is sent by a NAS. Any missing information cannot be created by the RADIUS server.

Thus, once the RADIUS server receives the request from the NAS, it must use local information - policies or rules that a network administrator created and configured within the server - to decide how best to respond to the NAS request. The policies may be simple, such as "accept anyone with a correct user name and password". Or, they may be complicated, such as "allow basic users to request premium services in non-premium hours, except for Sundays and holidays, so long as their payment status is up to date".

In all cases, the policies must be designed, implemented, and deployed by the network administrator; this can be a significant effort, because policies are based on the contents of the NAS requests. Note that the NAS documentation does not always describe the content of the NAS requests; thus, in most cases, the only way for a network administrator to determine the NAS request content is to set up a test network. Test logins will result in the receipt of requests by the server. The administrator can then examine these requests to determine their content and create policies that look for those specific sets of attributes; once the policy is created, the server then uses that information to make decisions.

This process becomes more complicated when different NAS elements send the same information in different formats. For example, RADIUS has no MAC address data type, which means that the MAC address is sent as ASCII strings. Some NAS elements send a MAC address in the format of "00:01:02:03:04:05", while others use the format "00-01-02-03-04-05".

The fact that these differences are not documented makes policy creation very difficult. In many cases, the administrator has to resort to trial and error methods to determine what the NAS is sending, and how best to use that information for creating policies.