RADIUS: Authentication and Authorization
In RADIUS (Remote Authentication Dial In User Service),
authentication and authorization are performed in a single step.
When the user logs on to the network, the Network Access Server
(NAS) prompts the user for their user name and password. The NAS
then sends the request to the RADIUS security server. In addition,
it may include a proposed configuration and additional attributes
for the user. For example, the NAS may propose that the user goes
into the Point-to-Point Protocol (PPP) mode immediately upon login
and be assigned a certain IP address and subnet mask. The NAS
request may also include attributes telling the security server the
user's caller ID, the port they are using, or other attributes.
Based on the information in the request, the security server
returns either a permit or a deny response to the NAS. In the case
of a permit response, the security server may also tell the NAS to
apply other attributes to the user. For example, the security server
may tell the NAS to use a different IP address, or to apply a
certain access filter or timeout value to the user.
Note: The attributes submitted by the NAS are only a
proposal. The attributes returned by the security server are the
actual attributes used. These can be:
- The same attributes as those proposed by the NAS
- Alternative attributes overriding the attributes proposed by
the NAS
- Additional attributes to the attributes proposed by the
NAS
In practice, any attributes that the NAS proposes are determined
by the configuration of the NAS. Similarly, the attributes that the
security server returns are determined by the configuration of the
security server. If the NAS cannot execute the attributes returned
by the security server for any reason, it denies permission to the
user.
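The exchange described above, run end to end as an added example (this is not Shiva's code or configuration, and it stays in-process rather than using UDP): the NAS builds an Access-Request carrying the credentials, the port and caller ID, and a proposed PPP configuration; the server permits or denies, and on permit returns the attributes that will actually be used, keeping one proposal, overriding the address, and adding a filter and a session timeout. The NAS then verifies the Response Authenticator under the shared secret before applying anything, so a reply forged without the secret is treated as a deny, the same outcome as attributes the NAS cannot execute. The shared secret, the user store, the addresses and the function names are all constructed for the example.

```python
import hashlib, hmac, secrets, struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes, RFC 2865
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE = 1, 2, 5, 6   # attribute types, RFC 2865
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, FILTER_ID = 8, 9, 11
SESSION_TIMEOUT, CALLING_STATION_ID, SERVICE_TYPE_FRAMED = 27, 31, 2
SHARED_SECRET = b"example-shared-secret"  # constructed; one secret per NAS in practice
USERS = {"alice": b"correct horse"}       # constructed server-side user store

def encode_attrs(attrs):
    """Attributes are TLVs: type, length (including these two bytes), value."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack(">I", v)
        elif isinstance(v, IPv4Address):
            v = v.packed
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = {}
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

def password_xor(data, secret, req_auth, hiding):
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with MD5(secret | prev block)."""
    out, prev = b"", req_auth  # the first block is keyed by the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # the chain runs over ciphertext blocks
    return out

def build_packet(code, ident, authenticator, body):
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def nas_build_request(ident, username, password, nas_port, caller_id):
    """NAS side. Everything after the credentials is only a proposed configuration."""
    req_auth = secrets.token_bytes(16)  # fresh per request; also keys the password hiding
    raw = password.encode()
    padded = raw.ljust(max(16, (len(raw) + 15) // 16 * 16), b"\x00")
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, password_xor(padded, SHARED_SECRET, req_auth, True)),
             (NAS_PORT, nas_port),
             (CALLING_STATION_ID, caller_id),
             (SERVICE_TYPE, SERVICE_TYPE_FRAMED),               # proposal: straight into PPP
             (FRAMED_IP_ADDRESS, IPv4Address("198.51.100.7")),  # proposed address and mask
             (FRAMED_IP_NETMASK, IPv4Address("255.255.255.0"))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, encode_attrs(attrs)), req_auth

def server_handle(packet):
    """Server side: permit or deny; on permit the returned attributes are the ones used."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = password_xor(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth, False).rstrip(b"\x00")
    if hmac.compare_digest(USERS.get(user, b"\x00"), given):
        code, reply = ACCESS_ACCEPT, [
            (SERVICE_TYPE, SERVICE_TYPE_FRAMED),                # same as proposed
            (FRAMED_IP_ADDRESS, IPv4Address("198.51.100.42")),  # overrides the proposal
            (FRAMED_IP_NETMASK, IPv4Address("255.255.255.0")),
            (FILTER_ID, "dialin-users"),                        # additional attributes
            (SESSION_TIMEOUT, 3600)]
    else:
        code, reply = ACCESS_REJECT, []
    body = encode_attrs(reply)
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, body, SHARED_SECRET), body)

def nas_check_reply(reply, ident, req_auth):
    """NAS side: verify the Response Authenticator before trusting any attribute; otherwise deny."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack(">BBH", reply[:4])
    expected = response_authenticator(code, rid, req_auth, reply[20:], SHARED_SECRET)
    if rid != ident or length != len(reply) or not hmac.compare_digest(expected, reply[4:20]):
        return None
    return decode_attrs(reply[20:]) if code == ACCESS_ACCEPT else None

def dial_in(username, password, ident=7):
    """Run the whole exchange; returns the configuration the NAS applies, or None on deny."""
    request, req_auth = nas_build_request(ident, username, password, 1, "5551234")
    attrs = nas_check_reply(server_handle(request), ident, req_auth)
    return None if attrs is None else {
        "address": str(IPv4Address(attrs[FRAMED_IP_ADDRESS])), "filter": attrs[FILTER_ID].decode(),
        "timeout": int.from_bytes(attrs[SESSION_TIMEOUT], "big")}
```

`dial_in("alice", "correct horse")` yields the server's address 198.51.100.42, not the 198.51.100.7 the NAS proposed, together with the added filter and timeout; a wrong password, an unknown user, a reply whose identifier does not match the outstanding request, or an Access-Accept whose authenticator was not computed with the shared secret all come back as None. Note that the only protection on the wire is that shared secret and a 16-byte random Request Authenticator per request, which is why the secret must be strong and unique per NAS.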
Configuration
The user connects to the NAS over PPP, authenticating with the
Password Authentication Protocol (PAP) or the Challenge-Handshake
Authentication Protocol (CHAP), or is identified by the number
supplied through Caller ID or Calling Line Identification (CLI).
The existing security level of the PAP and CHAP protocols is
maintained. However, if the NAS does not find a match for the
authentication request in the local circuit table and RADIUS is
enabled, the NAS does not authenticate the user locally. Instead, it
sends the authentication request to the RADIUS server over UDP. The
request is not encrypted: the user's password is hidden, and the
server's reply authenticated, only by the shared secret configured on
both the NAS and the RADIUS server, so that secret and the network
path between the two must be protected.
(RADIUS does not affect circuit tables on installed ShivaIntegrators
that have already had circuits configured on them. This is because
ShivaIntegrator checks the static circuit table first, even if
RADIUS is enabled.)
The NAS sends an Access-Request packet to the server. If the
authentication request is accepted, configuration information for
the user is returned by the RADIUS server as part of the
Access-Accept packet. Using this information, a RADIUS circuit and
association are created. RADIUS circuits are named
"radius<n>-<mm>", where "n" is the interface slot
number and "mm" is the two-digit channel on which the user is
connecting. On Basic Rate Interfaces "mm" will be 01 or 02; on
Primary Rate Interfaces it will be from 01 to 30 (from 01 to 23 in
North America). On Dialup interfaces, "mm" is always 01.
Related Information
- Security and Accounting
- Authentication, Authorization and Accounting
- RADIUS: Overview
- RADIUS: Accounting Records