The RADIUS Protocol
What is RADIUS?
RADIUS, which stands for "Remote Authentication Dial In User Service", is a network protocol which controls user network access via authentication and accounting. Commonly used by Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks, the RADIUS protocol serves three primary functions:
- Authenticates users or devices before allowing them access to a network
- Authorizes those users or devices for specific network services
- Accounts for the usage of those services
The RADIUS protocol is generally hidden inside controlled networks and is not seen directly by end users: it runs between trusted systems in the network.
History
In 1991, Merit Network, a non-profit internet provider, required a creative way to manage dial-in access to various Points-Of-Presence (POPs) across its network. In response to this need, RADIUS was created by Livingston Enterprises.
At the time RADIUS was created, network access systems were distributed across a wide area and were run by multiple independent organizations. Central administrators wanted to prevent problems with security and scalability, and thus did not want to distribute user names and passwords; instead, they wanted the remote access servers to contact a central server to authorize access to the requested system or service. In response to contact from the remote access server, the central server would return a "success" or "failure" message, and the remote machines would be in charge of enforcing this response for each end user.
The goal of RADIUS was, therefore, to create a central location for user authentication, wherein users from many locations could request network access.
The simplicity, efficiency, and usability of the RADIUS system led to its widespread adoption by network equipment vendors, to the extent that currently, RADIUS is considered an industry standard and is also positioned to become an Internet Engineering Task Force (IETF) standard.
Companies using RADIUS
A wide and varied array of businesses currently utilize the RADIUS protocol for their authentication and accounting needs. Some examples of RADIUS customers are:
- Cellular network providers with millions of users
- Small WISP start-ups providing the local neighborhood with Internet connectivity
- Enterprise networks implementing Network Access Control (NAC) using 802.1X to secure access to their network
- Universities which give WiFi access to their students and staff
Benefits
The RADIUS client-server protocol contains many advantages for customers, including:
- An open and scalable solution
- Broad support by a large vendor base
- Easy modification
- Separation of security and communication processes
- Adaptable to most security systems
- Workable with any client device that supports the protocol
- Very simple client implementation, usually only a few hundred lines of code
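The exchange described under History (the remote access server sends the user's credentials to a central server, receives a "success" or "failure" verdict, and enforces it) and the claim that a client is only a few hundred lines are both illustrated by the following added example, which is not code from this page or from the FreeRADIUS project. It implements the RFC 2865 packet layout (Code, Identifier, Length, 16-byte Authenticator, TLV attributes), the User-Password hiding scheme, and the Response Authenticator that lets the NAS reject a forged or mis-keyed reply. The shared secret, the user database, the NAS address and the identifier values are constructed for the example; no network I/O is performed, the "NAS" and "server" are just function calls on byte strings.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 2865 (authentication only; accounting uses codes 4 and 5).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Standard attribute types used below.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length including the 2-byte header."""
    out = bytearray()
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # truncated or overlong TLV: drop the packet
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, attrs); raises if the Length field lies."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = HEADER.unpack(packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    return code, identifier, packet[4:20], decode_attrs(packet[20:length])


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden, secret, request_authenticator):
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_ip):
    """NAS side: a fresh random Request Authenticator keys both the password hiding and the reply check."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, identifier, req_auth, attrs), req_auth


def response_authenticator(code, identifier, req_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body)) + req_auth + body + secret).digest()


def server_handle(packet, secret, user_db):
    """Server side: answer an Access-Request with Accept or Reject. user_db maps username -> password bytes."""
    code, identifier, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME)
    given = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], given)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return HEADER.pack(reply, identifier, 20) + response_authenticator(reply, identifier, req_auth, b"", secret)


def nas_decision(reply, req_auth, secret):
    """NAS side: enforce the server's verdict, but only after the Response Authenticator checks out."""
    code, identifier, auth, _ = parse_packet(reply)
    length = HEADER.unpack(reply[:4])[2]
    expected = response_authenticator(code, identifier, req_auth, reply[20:length], secret)
    if not hmac.compare_digest(auth, expected):
        return False  # forged or mis-keyed reply: the RFC says to silently discard it
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret, users = b"testing123", {b"alice": b"s3cret"}  # constructed example values
    req, ra = build_access_request(7, secret, b"alice", b"s3cret", "192.0.2.10")
    print("access granted:", nas_decision(server_handle(req, secret, users), ra, secret))
```

Two details matter for a defender reading this. First, the server only ever returns a verdict; the NAS is what enforces it, so a NAS that skipped the Response Authenticator check would accept any 20-byte packet with Code 2 that reached its socket. Second, the password hiding is keyed by the shared secret and a random Request Authenticator, which is why the secret and the randomness of that field carry the whole weight of the scheme between the NAS and the server.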
The RADIUS client-server architecture provides an open and scalable solution that is broadly supported by a large vendor base. It can be readily modified to meet a variety of situations. Customers can modify RADIUS-based authentication servers to work with a large number of security systems on the market. RADIUS servers work with any communications device that supports the RADIUS client protocol.
In addition, the flexibility of the RADIUS authentication mechanisms allows an organization to maintain any investment they may have made in an existing security technology: customers can modify the RADIUS server to run with any type of security technology. The flexible authentication mechanisms inherent in the RADIUS server facilitate its integration with existing and legacy systems when required.
Another advantage of the RADIUS architecture is that any component of a security system that supports the RADIUS protocols can derive authentication and authorization from the central RADIUS server. Alternatively, the central server can integrate with a separate authentication mechanism.
The utility of the RADIUS protocol extends beyond those systems that utilize network access devices and terminal servers for network access. RADIUS has been widely accepted by Internet Service Providers (ISPs) to provide Virtual Private Network (VPN) services. In this context, RADIUS technology allows an organization to use ISP infrastructure for communications securely.
The distributed nature of RADIUS effectively separates the security processes (carried out on the authentication server) from the communications processes (implemented by the modem pool or the Network Access Server (NAS)), allowing for a single centralized information store for authorization and authentication information. This centralization can significantly lessen the administrative burden of providing appropriate access control for a large number of remote users. Where ensuring high availability is not a priority, redundancy is not required and this centralization can be taken to its limit: all RADIUS-compatible hardware on a LAN can derive authentication services from a single server.