1-3 Theory of Operation
RADIUS Authentication acts as a distributed security system in which a
central authentication server controls access to network services through
dial-in devices called Network Access Servers (NAS). By their nature, dial-in
devices are a point of vulnerability for a network: anyone who acquires the
telephone or ISDN number of the service, and has an appropriate calling device
(such as a modem, ISDN TA or personal router), can attempt to gain access to
it.
RADIUS provides a mechanism by which NAS devices can authenticate incoming
calls at a central unit before allowing the Account access to any part of the
network. Each NAS and the RADIUS Server hold a shared secret; the NAS uses it
to hide the Account's password in transit, and to verify that the reply it
receives was produced by the genuine server. When an Account is granted
access, the RADIUS Server can also configure the NAS to customise the services
offered to that Account.
Distributed security separates the communications process from user
authentication. This gives a single point of authentication and configuration,
and a single database which many NAS devices can consult, without the need to
hold the authentication information for all dial-in Accounts (potentially
several thousand) on each NAS. The central repository makes RADIUS more secure
and more scalable than systems which keep credentials at many distributed
points.
RADIUS authenticates users through a series of communications: first from the
Account (User) to the NAS, where the RADIUS Client resides, then from the
RADIUS Client to the RADIUS Server, where the Account is authenticated. The
result is passed back to the RADIUS Client, which grants or refuses access.
Because the Account never communicates with the RADIUS Server directly, and
the NAS grants no network access until the server's answer arrives, the
authentication database is never exposed at the dial-in edge of the network.
As with all standards, RADIUS includes the facility to add vendor-specific
attributes, so that particular features of different manufacturers' products
may be supported.
Additionally, RADIUS supports an Accounting mechanism, which records the
connection and disconnection events, traffic volume (octets and packets) and
session duration of each Account. Each Accounting-Request is acknowledged by
the server and retransmitted by the NAS until acknowledged, so records are not
silently lost on a congested link; the transport is nonetheless UDP, and a
server that remains unreachable for long enough can still lose records.
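The two exchanges described above, as an added example that is not part of this manual or of any vendor's product: a NAS (RADIUS Client) builds an Access-Request with the Account's password hidden under the shared secret, the RADIUS Server checks it against a central user table and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies, and the NAS then sends an Accounting-Request whose authenticator the server checks. Packet layouts follow RFC 2865 and RFC 2866; the NAS address, user names, passwords and shared secret are constructed for illustration, and the functions are named here for the example only.

```python
# Added example (not the manual's code): a minimal RFC 2865/2866 RADIUS exchange
# between a NAS (the RADIUS client) and a RADIUS server, showing User-Password
# hiding, the Response Authenticator check, and an Accounting-Request.
# Addresses, users, passwords and secrets below are constructed for illustration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2
NAS_IP = bytes([192, 0, 2, 10])  # constructed NAS address (TEST-NET-1)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length incl. header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation whose strength rests entirely on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding removal; passwords may not end in NUL


def response_authenticator(pkt, req_auth, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): ties the reply to our request and secret."""
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()


# --- NAS (RADIUS Client) side ---
def nas_access_request(user, password, secret, ident, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # must be unpredictable and unique per request
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, NAS_IP)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def nas_check_response(resp, ident, req_auth, secret):
    """True on Access-Accept, False on Reject; raise if the reply is not authentic for our request."""
    code, rid, resp_auth, _ = parse_packet(resp)
    if rid != ident:
        raise ValueError("identifier does not match outstanding request")
    if not hmac.compare_digest(resp_auth, response_authenticator(resp, req_auth, secret)):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code == ACCESS_ACCEPT


def nas_accounting_request(session_id, status, secret, ident):
    """RFC 2866: Request Authenticator = MD5(header + 16 zero bytes + attributes + secret)."""
    body = encode_attrs([(ACCT_STATUS_TYPE, struct.pack("!I", status)),
                         (ACCT_SESSION_ID, session_id), (NAS_IP_ADDRESS, NAS_IP)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


# --- RADIUS Server side ---
def server_handle_access(pkt, secret, userdb):
    """Authenticate against the central table userdb ({user: password}, constructed) and reply."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and a.get(USER_NAME) in userdb
          and hmac.compare_digest(reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth),
                                  userdb[a[USER_NAME]]))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = build_packet(rcode, ident, req_auth, [(REPLY_MESSAGE, b"ok" if ok else b"denied")])
    return reply[:4] + response_authenticator(reply, req_auth, secret) + reply[20:]


def server_verify_accounting(pkt, secret):
    """Accept an Accounting-Request only if its authenticator was computed with our secret."""
    code, _, auth, _ = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, expected)
```

Two points the code makes that the description above does not: the NAS must match the Identifier and the Response Authenticator of every reply against the request it sent, otherwise a spoofed UDP datagram could stand in for an Access-Accept; and the same shared secret is all that protects the hidden password, so it must be long, random and different for each NAS.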