Remote Authentication DialIn User Service RADIUS

RADIUS is a client/server-based system that secures a Cisco network against intruders. Implemented in IOS, RADIUS sends authentication requests to a RADIUS server. Radius was created by Livingston Enterprises and is now defined in RFC 2138/2139.

A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users when using Cisco IOS routers.

When a RADUIS server authenticates a user, the following events occur:

1 The user is prompted for and enters a username and password.

2 The username and encrypted password are sent over the network to the RADIUS server.

3 The user receives one of the following responses from the RADIUS server: ACCEPT—The user is authenticated.

ACCEPT-REJECT—The user is not authenticated and is prompted to re-enter the username and password, or access is denied. The RADIUS server sends this response when the user enters an invalid username/password pairing.

CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

CHANGE PASSWORD—The RADIUS server issues a request asking the user to select a new password.

An ACCEPT or REJECT response can contain additional information for services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services.

RADIUS is commonly used when PPP is used. Figure 5-2 displays a typical PPP connection request to a RADIUS server.

Figure 5-2 RADIUS Sequence Example

Network Access Server -Radius Server

Figure 5-2 RADIUS Sequence Example

Network Access Server -Radius Server

UDP port 1812 is used.

Username: Simon Password: Uy_%#!

UDP port 1812 is used.

User initiates connection with a packet type labeled ACCESS-REQUEST-username/password prompt is sent by Radius Server.

User enters username/password (username in cleartext password is encrypted).

RADIUS server accepts or rejects request with packet type ACCESS-ACCEPT/REJECT.

Optional Challenge response.

Username: Simon Password: Uy_%#!

-User is prompted with Username/Password.

The RADIUS server accepts or rejects a username and password pair. In some instances, a user might be asked to enter more information (this is called a challenge response). For example, if a user's password has expired, a RADUIS server will prompt the user for a new password.

Transactions between the client (end user) and the RADIUS server are authenticated through a shared secret. The username is sent as clear text. RADIUS supports both Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP and CHAP are security protocols that allow users to gain access to remote devices with PPP. A RADIUS server will never send the user's password over the network in any circumstance. If the username/password pairing is entered incorrectly, the RADIUS server will send an ACCESS_REJECT response. The end user must re-enter the pairings or the connection will be rejected.

RADIUS supports a number of predefined attributes that can be exchanged between client and server, such as the client's IP address. RADIUS attributes carry specific details about authentication.

RFC 2138 defines a number of attributes. The following bulleted list provides details from the most common attributes:

• Attribute type 1—Username (defines usernames, such as numeric, simple ASCII characters, or a Simple Mail Transfer Protocol [SMTP] address)

• Attribute type 2—User Password (defines the password, which is encrypted using Message Digest 5 [MD5])

• Attribute type 3—CHAP Password (used only in access-request packets)

• Attribute type 4—NAS IP address (defines the NAS's IP address; used only in access-request packets)

• Attribute type 5—NAS Port (this is not the User Datagram Protocol (UDP) port number; it indicates the NAS's physical port number, ranging from 0 to 65,535)

• Attribute type 6—Service-Type (Type of service requested or type of service to be provided). Not supported by Cisco IOS.

• Attribute type 7—Protocol (defines required framing; for example, PPP is defined when this attribute is set to 1 and Serial Line Internet Protocol [SLIP] is set to 2)

• Attribute type 8—IP address (defines the IP address to be used by the remote user)

• Attribute type 9—IP subnet mask (defines the subnet mask to be used by the remote user)

• Attribute type 10—Routing

• Attribute type 13—Compression

• Attribute type 19—Callback ID

• Attribute type 26—Vendor-specific. Cisco (vendor-ID 9) uses one defined option: vendor type 1 named cisco-avpair; this attribute transmits TACACS+ A/V pairs

• Attribute type 61—NAS port type

Table 5-2 summarizes RADIUS protocol's main features

Table 5-2 Summary of Radius Protocol Features




Packets sent between client and server are UDP primarily because TCP's overhead does not allow for significant advantages. Typically, the user can wait for a username/password prompt.

UDP destination PORT

1812, port 1646 used for accounting. RADIUS is an industry standard defined in RFC 2138.


Attributes are used to exchange information between the NAS and client.


Client/server-based model where packets are exchanged in a unidirectional manner.

Encryption method

Password is encrypted using MD5; the username is not. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is transmitted in clear text. A third party can capture other information, such as username, authorized services, and accounting.

Multiprotocol support

Does not support protocols such as AppleTalk, NetBIOS, or IPX. IP is the only protocol supported.

Now, examine the RADIUS configuration tasks required on a Cisco router.

Was this article helpful?

0 0

Post a comment