As part of securing a network, access to your devices needs to be restricted and monitored.
This includes direct access to routers, switches and servers but it can extend to allowing users to log on to particular services such as logging on to your ISP. It would be a tedious task if, for example, on every new router you added to the network you had to configure every single username and password. This is where AAA – Authentication, Authorization and Accounting comes into play.
Authentication – you want to confirm the user identity
Authorization – you want to define what permissions a particular user can have
Accounting – you want to track some information from your users
How can you achieve this? One of the solutions is Radius (Remote Authentication Dial-In User Service), originally developed by Livingston Enterprises and later standardized. The specifications can be found in RFC2865 (authentication and authorization) and RFC2866 (accounting). It is a client/server protocol where a client sends requests to a remote server (Unix or Windows), which typically has a database (internal or external to the Radius server) holding user information. It uses UDP at the transport layer and has officially been assigned ports 1812 for authentication and 1813 for accounting.
How does the Radius protocol work?
The user that needs to gain access to a particular resource will send a request to the Access Server with its credentials and then access can be granted with specific privileges or denied. The communication flow is as follows:
In the “Access Request” the client sends information such as the username, the password (encrypted), and the IP address and port of the Access Server. The Radius Server checks its user database and either accepts or rejects the user. A message may accompany the “Access Reject” explaining the cause. If the user is accepted, the reply carries attributes (this is the authorization step) that define the type of access. Such attributes may include an IP address, Vendor-Specific information, a session timeout and access lists. The “Access Challenge” is optional: the Radius Server may request further information before granting access. Once the user is authenticated and authorized, accounting starts. Accounting packets signal when the user's session started and ended, together with information that uniquely identifies the user.
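Added example (not from the original article): a minimal Python model of the Access-Request / Access-Accept exchange described above, following RFC2865. It shows the two places the shared secret is used: the User-Password attribute is not encrypted in the modern sense but hidden by XOR with MD5(secret + authenticator) blocks, and the Response Authenticator lets the client check that the reply came from a server holding the same secret. All values (secret, username, password) are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only; they come from no real deployment.
SECRET = b"xxxxxx"  # the shared secret set with "radius-server key" / "secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

def hide_password(password, secret, req_auth):
    """RFC2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password (what the server does); NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    """Type-Length-Value attribute; the length counts the 2-byte header."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, username, password, secret):
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret):
    """Client-side check: reject replies not authenticated with the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Only User-Password is hidden; every other attribute travels in clear over UDP, which is why the shared secret and the source interface matter as much as the configuration below suggests.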
A Practical Example on Cisco and Juniper
So let’s say you have a Cisco or Juniper router in your network and you want to use Radius to control access to your device, in this case the router would be the client and it would contact the Radius Server for user information.
How would you go about configuring it? Just follow the commands outlined below.
Radius on Cisco
Router1# conf t
Router1(config)#aaa new-model
This enables AAA on the Cisco.
Router1(config)#radius-server host x.x.x.x auth-port yyyy acct-port zzzz
The IP address of the Radius server is configured and, optionally, the ports used for authentication and accounting. These need to match the ports the Radius Server listens on.
Router1(config)#radius-server key 0 xxxxxx
A password is specified to secure the communication between the Cisco and the Radius Server. This needs to match on the Radius Server.
Router1(config)#radius-server retransmit x
(Optional) Specify the number of times the Cisco tries to contact the radius server.
Router1(config)#radius-server timeout x
(Optional) Specify the number of seconds the Cisco waits before resending the request.
Router1(config)#radius-server deadtime x
(Optional) Specify the number of minutes the Cisco waits before considering the Radius Server down.
Router1(config)#aaa authentication login default group radius local
This enables Radius for login access to the Cisco. If the Radius Server is down or unreachable, the router falls back to the usernames configured locally on the Cisco.
Router1(config)#ip radius source-interface xxxx
Specify the interface to use for communication to the Radius Server.
Radius on Juniper
Below is the equivalent configuration for a Juniper device:
[edit system]
authentication-order [radius password];
radius-server x.x.x.x {
    accounting-port xxxx;
    port yyyy;
    retry x;
    secret xxxxxx;
    source-address y.y.y.y;
    timeout x;
}
Conclusion
The Radius authentication protocol can be used in various scenarios, from restricting access to your network devices to letting an ISP authenticate and authorize its ADSL customers. Since 2012 there is also an option to run Radius over TCP, standardized in RFC6613. Besides Radius there are other authentication protocols such as TACACS or Kerberos, and Diameter, which was designed as the successor to Radius.
To read about the Radius alternative, Tacacs+, check out this other great article!
2 Responses
Thanks for the article and nice explanation.
Thanks for the great contribution, Nadia!