RADIUS security is composed of three components: authentication, authorization, and accounting. These three links in the RADIUS security chain are often referred to by their acronym, “AAA”. The first of these, authentication, is the process that determines whether a client (a person, a device, or a software process) is a legitimate user of the system.
Authorization is the process that determines what an authenticated client (a person, a device, or a software process) is allowed to do on the network.
Finally, accounting is the process of monitoring and recording a client’s use of the network.
Each link in the RADIUS security chain is unique in its function and implementation, and all three are necessary to obtain the maximum protection benefits that RADIUS can provide. Let’s take a look at the first link in the security chain: the authentication process.
Authentication is the process that determines whether a client (a user, a device, or a software process) really are who they say they are. Authentication usually involves some form of identification and a piece of secret information, such as a password.
RADIUS Authentication Play-By-Play
To the end user, supplying a user name and a password to log in to a network seems simple and straightforward. What goes on behind the scenes is actually fairly complex, involving multiple messages flying back and forth between the client and the RADIUS server.
Several elements are considered when the RADIUS server evaluates a request for access:
Principal: This is the identity of the client requesting access. The client can be a person (user), a device, or combination of user and device. It could also be a software process that requires access to particular network resources to operate. In the case of a person seeking access, the principal is usually a user name; for a device, it is a parameter that uniquely identifies that device on the network.
Credential: This is a piece of information that proves the identity of the principal. It can be a “permanent” password, a one-time password (such as a string of numbers generated on a keyfob), a digital certificate, biometric credential (such as a fingerprint or an iris scan), or some combination.
Context: Other checks that the RADIUS server may perform when making an access decision fall under the umbrella of “” The client might enter the correct user name and password, but if their IP address is not in the right range or if there are too many people on the network, the RADIUS server might still reject their access request. There are numerous other context checks the RADIUS server might perform, including whether the client’s device has the appropriate security software and operating system updates.
The exact sequence of events in an authentication cycle varies according to the credential and context checks each RADIUS server performs, but it generally includes the following:
The client sends a request packet, which includes the principal (user name), encrypted password or other credential, and other network-related information.
The RADIUS authentication server checks a database for the existence of the principal identity. If the identity is found, the server then checks the submitted password against the password associated with that identity in the database.
If the password is correct and any contextual checks are satisfied, then the client is considered “permitted”: The RADIUS server returns an “accept” message to the client, and the connection is established.
If any of the checks fail—if the user name doesn’t exist, or the password is incorrect, and so on, the RADIUS server returns a “reject” message to the client and the authentication process is terminated.
Depending on the security rules defined on the server, the client may have the opportunity to try again a certain number of times, after which the account is locked, either permanently (until an administrator unlocks it) or for a certain amount of time.
Implementing RADIUS Authentication
RADIUS authentication involves a large number of variables and options, many of which depend on the needs of an organization. Implementing it correctly so that no security holes are left open requires specialized expertise. Even businesses that do have in-house RADIUS experience will bring in the experts at Network RADIUS – they have both the knowledge and the experience to do set up your RADIUS authentication process correctly.
By taking a holistic approach to network security, you ensure that all of the parts of your system work together. Your business depends on the security of its network and computing resources; don’t leave your business security to chance.
In the next article in our series about RADIUS security, we’ll examine the process of authorization and how RADIUS determines who can access what on the server. Stay tuned!