5 Authentication systems
5.1 RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a system for
authentication and account management used by many Internet service
providers to authenticate their users; it is also suitable for wireless
authentication. As the name suggests, it was developed to serve remote users
connecting by dial-in (i.e. remote access). RADIUS itself simply
authenticates users. A very important property of RADIUS is its
interoperability, which lets a RADIUS server communicate with other servers
built around the same protocol.
5.1.1 Configuring RADIUS
In client-server mode, the user communicates with the network access server
(NAS), and the NAS in turn acts as a client of the RADIUS server. The NAS
and the RADIUS server communicate with each other over a network or a
point-to-point link. As mentioned above, one feature of RADIUS is that a
server can communicate with other servers, whether or not they are based on
the same protocol. The basic idea is to have a central source of
authentication information. The user is prompted to supply authentication
information to the NAS, such as a username, a password and a PPP packet.
The client (NAS), which has access to RADIUS, then builds an access-request
message and sends it to the RADIUS node (server). This message carries
information about the user in fields called attributes. Attributes are
defined by the RADIUS system administrator and may therefore vary; they can
include the password, the user ID, the destination port, the client ID, etc.
If the attributes contain sensitive information, they must be protected
with the MD5 algorithm. In addition, all transactions between the client
and the RADIUS server must be authenticated, and the password exchanged
between the two devices must be encrypted.
5.1.2 Exchanging messages
The server and the client must share a secret key. When an access request
arrives at the RADIUS server, the server first checks that it holds the
secret key for that client; if it does not, the request is discarded. Once
this initial check passes, the server queries a database containing the
information needed to authenticate the user. If the authentication satisfies
all requirements, the server sends a response back to the user as a reply
message. The client can in turn relay that answer in the form of a prompt
and, in any case, must send the access request message again with a few
different fields, the main one being a reply to the encrypted response from
the server (Figure 4).
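The following Python program is an added example, not code from the book, of the exchange described in 5.1.1 and 5.1.2: the NAS hides the user's password with the MD5 scheme of RFC 2865 section 5.2 and sends an Access-Request; the server discards requests from clients it holds no secret for, recovers the password, looks the user up and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies before trusting the reply. The shared secret, the client address 192.0.2.10, the user database and the identifier 7 are all constructed for the demonstration; the Access-Challenge round trip mentioned in the text (the re-sent request with changed fields) is not implemented here.

```python
# RFC 2865-style RADIUS exchange between a NAS (client) and a RADIUS server.
# Constructed example: secret, client address and user database are made up.
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5              # attribute types

# Constructed: clients the server knows (address -> shared secret) and
# the users it can authenticate (name -> cleartext password).
CLIENTS = {"192.0.2.10": b"constructed-shared-secret"}
USERS = {b"alice": b"correct horse battery staple"}

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: NUL-pad to a multiple of 16, XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; the mask chain is keyed on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")  # strip the NUL padding

def encode_attrs(attrs):
    # Attribute = Type(1) Length(1, counts these two bytes too) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    # Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): proves the reply came
    from a server holding the shared secret and belongs to this request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_build_request(username, password, secret, ident):
    """NAS side: fresh random Request Authenticator, password hidden under it."""
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username), (NAS_PORT, struct.pack("!I", 3)),
             (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(packet, client_addr, clients=CLIENTS, users=USERS):
    """Server side: no secret for this client -> silently discard (RFC 2865 s3);
    otherwise recover the password and check it against the user database."""
    secret = clients.get(client_addr)
    if secret is None:
        return None
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    given = unhide_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    stored = users.get(a.get(USER_NAME, b""))
    ok = stored is not None and secrets.compare_digest(stored, given)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, [], secret)
    return build_packet(reply, ident, auth, [])

def nas_check_reply(reply, request_auth, secret, ident):
    """NAS side: drop replies whose Identifier or Response Authenticator is wrong."""
    code, rid, auth, attrs = parse_packet(reply)
    if rid != ident:
        return None
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    return code if secrets.compare_digest(expected, auth) else None

def run_exchange(username, password, client_addr, secret=b"constructed-shared-secret"):
    """Full round trip: returns ACCESS_ACCEPT, ACCESS_REJECT, or None if discarded."""
    request, request_auth = nas_build_request(username, password, secret, ident=7)
    reply = server_handle(request, client_addr)
    return None if reply is None else nas_check_reply(reply, request_auth, secret, 7)
```

Two details worth noticing: the password hiding is only as strong as the shared secret, since anyone holding it and a captured request can unhide the User-Password attribute, and the Response Authenticator is what stops a NAS from accepting a forged Access-Accept that did not come from the server it shares that secret with.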