Radius services – Patton electronic 29XX User Manual

Page 308


Configuring a RADIUS server


Access Server Administrators’ Reference Guide

C • Technical Reference

A RADIUS client consists of a Network Access Server (NAS)—such as your Patton RAS—which provides one or more remote users with access to network resources. A single RADIUS server can serve hundreds of RADIUS clients and up to tens of thousands of end users. Fault tolerance and redundancy concerns can be addressed by configuring a RADIUS client to use one or more alternate RADIUS servers. A NAS (your Patton RAS) can access a local RADIUS server on the connected LAN, or a remote RADIUS server via WAN connections.

RADIUS Services
AAA. RADIUS provides three network services, known as authentication, authorization, and accounting, or
AAA. These services give network managers an easy way to:

Identify remote users, and control which users can access the network (authentication)

Define what each user can do by controlling access to network resources (authorization)

Track what resources each user consumes in order to bill them for services (accounting)

RADIUS login procedures combine authentication and authorization services to provide security functions.

Authentication is essentially a login procedure involving a username and password: the process by which the network validates a dial-in user’s identity—distinguishing a legitimate user from a malicious or mischievous hacker. RADIUS supports multiple authentication protocols including password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) (RFC 1994), MS-CHAP V1 (RFC 2433), and MS-CHAP V2 (RFC 2759), as well as Unix login. PAP and CHAP are specified within the point-to-point protocol (PPP) authentication procedures (RFC 1661). To prevent interception by snoopers on the network, RADIUS encrypts user passwords for transmission between client and server.

A RADIUS authentication server will respond to requests from known clients and discard requests from
unknown clients. Before authenticating any users, the NAS (your Patton RAS) must validate its own identity
by authenticating with the RADIUS server using a common shared secret.

The shared secret is a text string configured on both the RADIUS client and server, and is never sent across the
network in its pure original form. During authentication, the RADIUS server sends a random number to the
NAS, which is combined with the shared secret using a hash-code algorithm (RSA Message Digest Algorithm
MD5), and then sent back to the RADIUS server. The RADIUS server will decode the received message for
validation against its own copy of the shared secret. The RAS will disconnect users that fail to authenticate with
the RADIUS server.
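The two places where the shared secret and MD5 actually protect the exchange described above (hiding the user password in transit, and proving that a reply came from a server holding the secret) are specified in RFC 2865. The following is an added example, not code from the Patton manual, implementing that RFC mechanism; the secret, password and Request Authenticator values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Added example (not from the manual): RFC 2865 User-Password hiding and the
# Response Authenticator check. All sample values are constructed.

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a cleartext password as the NAS does before sending Access-Request.

    RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each 16-byte
    chunk with MD5(secret + previous ciphertext chunk); the first chunk uses the
    16-byte random Request Authenticator in place of a previous chunk.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk  # chaining: next key depends on this ciphertext chunk
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does; strips the NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(code: int, ident: int, attrs: bytes, request_auth: bytes,
                    resp_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: only a server holding the shared secret can produce this."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

Because the only key material is the shared secret and a 16-byte random authenticator, a weak or reused secret is what a snooper would attack; this is why the manual insists the secret is never sent in the clear.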

Authorization is the process of restricting and enabling what each user can do. RADIUS servers are responsible
for knowing which services and privileges a given user may legitimately access (for example, PPP, SLIP, Telnet,
rlogin), and returning that information to the communications server when the user successfully authenticates.

Accounting is the process of collecting and reporting statistics. The RADIUS accounting server collects and
stores the statistics sent by RADIUS clients and responds to client queries for statistics. These data include user
login times and durations, packets sent/received, bytes sent/received, and so on, and may be used for billing,
traffic and performance analysis, and troubleshooting.
