Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol for centralized authentication, authorization, and accounting (AAA) of remote network access. It runs at the application layer over UDP. It is an open IETF standard rather than a vendor protocol; Cisco devices implement it alongside Cisco's own TACACS+. Its security model is often described as "distributed": the clients are spread across the access equipment at the network edge, while the authentication decisions and user database are held on a central server.
RADIUS was developed by Livingston Enterprises in 1991 and has been commercially available ever since; the IETF later standardized it, and the current specifications are RFC 2865 (authentication and authorization) and RFC 2866 (accounting). Its primary goal is to control remote access to networks and to prevent unauthorized network access.
It is composed of three main components: a client, a server, and a protocol with a fixed frame format (a 20-byte header of code, identifier, length and a 16-byte authenticator, followed by type-length-value attributes) carried over User Datagram Protocol (UDP)/IP. The assigned ports are UDP 1812 for authentication and 1813 for accounting; older deployments still use 1645 and 1646.
The server runs on a central host, typically at the customer's site, while the clients reside in the dial-up access servers and are therefore distributed throughout the network. In this client/server model a network access server (NAS) acts as the RADIUS client.
The client passes the user's credentials to one or more configured RADIUS servers and then acts on the response it receives. The RADIUS server receives the connection request, authenticates the user, and returns the configuration information the client needs to deliver service to that user: an Access-Accept carrying authorization attributes, or an Access-Reject. A RADIUS server can also act as a proxy, forwarding a request to another RADIUS server (for example, based on the realm in the user name) and relaying the answer back to the client.
Transactions between client and server are authenticated with a shared secret configured on both ends; the secret itself is never sent over the network. The User-Password attribute is obfuscated with an MD5-based keystream derived from the secret and the per-request random Request Authenticator, and the server's reply carries a Response Authenticator (an MD5 hash over the reply and the secret) that the client checks before trusting the answer. This defeats casual password sniffing, but the protection is limited: only the password is hidden, every other attribute (user name, NAS address, assigned parameters) travels in cleartext, the Access-Request itself is not integrity-protected unless a Message-Authenticator attribute (RFC 3579) is included, and an attacker who captures a request/response pair can attempt an offline dictionary attack on a weak shared secret. In practice RADIUS traffic should be confined to a trusted management network or carried inside IPsec or TLS (RadSec, RFC 6614), with long random shared secrets.
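The frame format, the client/server exchange and the shared-secret mechanics described above, as an added Python example that is not part of the original entry and not taken from any RADIUS implementation: a NAS builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 specifies, a toy server unhides and checks the credential and answers with an Access-Accept or Access-Reject, and the client verifies the Response Authenticator before accepting the reply. The shared secret, user database and credentials are constructed demo values.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865), added example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types
HEADER = struct.Struct("!BBH")                           # code, identifier, length


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as Type(1) Length(1) Value TLVs."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse the TLV run back into a list; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2 : i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth  # the Request Authenticator seeds the chain
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i : i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i : i + 16], mask))
        prev = hidden[i : i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs_blob):
    return HEADER.pack(code, ident, 20 + len(attrs_blob)) + authenticator + attrs_blob


def response_authenticator(code, ident, request_auth, attrs_blob, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = HEADER.pack(code, ident, 20 + len(attrs_blob))
    return hashlib.md5(head + request_auth + attrs_blob + secret).digest()


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side: fresh random Request Authenticator, User-Name in clear, User-Password hidden."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, users):
    """Server side: unhide the password, check it, answer Accept or Reject with the same Identifier."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))   # demo: one attribute of each type
    ok = False
    if ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        offered = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        expected = users.get(attrs[ATTR_USER_NAME])
        ok = expected is not None and hmac.compare_digest(expected, offered)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(code, ident, request_auth, b"", secret)
    return build_packet(code, ident, resp_auth, b"")


def client_verify(request, response, secret):
    """NAS side: trust a reply only if its Identifier matches and the Response Authenticator checks."""
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None   # wrong shared secret or a forged/tampered reply: silently discard
    return code


if __name__ == "__main__":
    # Constructed demo values; the secret would be configured out of band on NAS and server.
    SECRET, USERS = b"s3cr3t-shared", {b"alice": b"hunter2"}
    req = build_access_request(7, b"alice", b"hunter2", SECRET)
    resp = server_handle(req, SECRET, USERS)
    print("User-Name visible on the wire:", b"alice" in req)
    print("result code:", client_verify(req, resp, SECRET))
```

Running the demo shows the limits discussed above: the user name is readable in the captured request while only the password is masked, a reply whose code is flipped from Reject to Accept fails the Response Authenticator check, and a client or server configured with a different secret cannot complete the exchange. Note that nothing in the Access-Request lets the server detect a mismatched secret directly; it simply unhides garbage and rejects, which is why RFC 3579's Message-Authenticator is added in real deployments.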
The RADIUS server supports a range of user authentication methods, including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), UNIX login, and Extensible Authentication Protocol (EAP) methods carried over RADIUS. The RADIUS server is generally a background process (a daemon or service) running on a UNIX or Microsoft Windows host.