Sunday, April 18, 2010

22. Remote Authentication Dial-in User Service (RADIUS)

RADIUS is used to provide centralized authentication for remote users who connect to an organization's internal network over a dial-up, VPN, or wireless connection. When a remote user needs access to the organization's internal resources, he must present his credentials to the Network Access Server (NAS). The NAS, in turn, forwards the user's credentials to the RADIUS server for authentication. If the RADIUS server authenticates the user, the connection request is accepted; otherwise, it is refused.

A RADIUS server can work either as a standalone server that authenticates all connection requests coming from outside users, or as part of a distributed RADIUS setup. Larger organizations deploy multiple RADIUS servers to spread the authentication load among them. RADIUS servers support several popular protocols such as PAP, PPP, CHAP, and EAP. When a remote or wireless user sends a connection request, the RADIUS authentication process takes place as follows:
1. When the user attempts to connect to the RAS server, he is asked to supply his credentials, which in most cases are a username and password.
2. The RAS server encrypts the user's credentials and forwards the request to the RADIUS server.
3. The RADIUS server attempts to verify the user's credentials against a database.
4. If the user's credentials match those stored in the centralized database, the server responds with an access-accept message. If the user's credentials do not match the stored credentials, the server sends an access-reject message.
5. On receipt of the access-accept or access-reject message, the RAS server grants or denies the connection to the remote user accordingly.
6. If the connection is granted, the RADIUS server may also be configured to automatically assign an IP address to the remote client.
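As an added example (not part of the original post), the following Python models steps 2 through 5 of the exchange above at the packet level as RFC 2865 defines them: the NAS hides the PAP password under the shared secret in an Access-Request, the RADIUS server recovers it, checks it against a user database and answers Access-Accept or Access-Reject, and the NAS checks the Response Authenticator before acting on the answer. The shared secret, Request Authenticator and user database used here are constructed values.

```python
import hashlib
import struct
# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def xor_password(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    data = data + b"\x00" * (-len(data) % 16)  # no-op when decrypting (already a multiple of 16)
    out, prev = b"", authenticator             # the first block chains off the Request Authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else block      # the chain always runs over ciphertext blocks
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """20-byte header (code, identifier, length, 16-byte authenticator) plus TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def attributes(pkt: bytes) -> dict:
    attrs, pos = {}, 20  # attributes start right after the fixed header
    while pos < len(pkt):
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs

def response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()

def nas_access_request(ident: int, username: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Step 2: the NAS hides the PAP password under the shared secret and sends Access-Request."""
    hidden = xor_password(password, secret, request_auth, decrypt=False)
    return packet(ACCESS_REQUEST, ident, request_auth, [(USER_NAME, username), (USER_PASSWORD, hidden)])

def radius_server(req: bytes, secret: bytes, users: dict) -> bytes:
    """Steps 3-4: recover the password, check the user database, answer Access-Accept or Access-Reject."""
    attrs = attributes(req)
    password = xor_password(attrs[USER_PASSWORD], secret, req[4:20], decrypt=True)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    reply = packet(code, req[1], b"\x00" * 16, [])  # authenticator placeholder, filled in below
    return reply[:4] + response_authenticator(reply, req[4:20], secret) + reply[20:]

def nas_verify(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Step 5: the NAS acts only on a reply whose Response Authenticator matches the shared secret."""
    return reply[4:20] == response_authenticator(reply, request_auth, secret)
```

Both the password hiding and the Response Authenticator rest on nothing stronger than MD5 over the shared secret, which is why the NAS-to-server leg is normally kept on a trusted management network or carried inside a tunnel such as IPsec or RadSec (RADIUS over TLS).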
