Enterprises need to manage access to their networks effectively now more than ever. Cyberattacks are increasing in every industry and there is added pressure on security teams to prevent and remedy any attacks.
Authentication and authorization through the RADIUS Server protocol is a trusted method of prevention. It allows for a centralized authorization protocol where all access requests go through a single server. RADIUS Accounting records and monitors all user actions to create transparency within the network.
What is RADIUS Server?
RADIUS is a networking protocol. It stands for Remote Authentication Dial-In User Service. This protocol uses a client-server communication method. It involves a server and clients.
A RADIUS client is a networking device like a router, used to connect to a network, or a VPN concentrator, which establishes VPN connections. The client authenticates users by contacting the server.
RADIUS Server is a background process that runs on a server application. It can store and maintain user profiles in a database, which means that it controls all access to a network.
When a user attempts to connect to a RADIUS client, it sends a request to the server. Only after the server authenticates and authorizes a user, will the server grant a user access to the RADIUS client.
Servers use the AAA (Authentication, Authorization, and Accounting) process to authenticate and authorize users.
Additionally, RADIUS Servers use a pull authorization sequence. This is where a user connects to a client, which contacts the server on behalf of the user. This contrasts with a push sequence where a user connects to a server directly and receives a ticket to use the client.
What is AAA?
The AAA process has made it easier for companies to authenticate and authorize users. Before AAA, other protocols used individual devices for authentication. For example, an employee’s workstation might use a different method of authentication compared to the manager’s smartphone.
This is problematic for scalability because someone would have to keep track of all the authentication methods. With the centralized AAA process, users can access a single server for authentication.
Now, let’s take a closer look at each part of the process.
This involves the process of verifying a user’s identity. Usually, a user provides a password, which is used as a form of authentication. Passwords are less secure than multi-factor authentication or digital certificates. So, enterprises are more likely to use these in addition to passwords.
Furthermore, the process allows a trust relationship between two objects. For example, a user’s computer and a server are both seen as valid users in the authentication process.
This is a collection of templates and sets of rules that dictate what a user can do on a network. For example, a member of the sales team can only access data that is relevant to their department or job role.
This is a process of monitoring, documenting, and measuring what a user does on a network. For instance, Accounting records which databases, files, and applications users access during a session.
Managers and employees can use these records to assess a network’s capacity. Also, IT teams can investigate any recurring reject-access requests to uncover potential cybercriminals.
RADIUS Server Authentication Process
Authentication begins when a user tries to connect to a RADIUS Client. They usually enter a username and password. The client then sends an Access-Request message to the Server. Passwords are always encrypted in the message and a shared secret is also included.
Next, the Server reads the shared secret and verifies that the Access-Request message is from an authorized Client. If the Client is unauthorized, the Server rejects the request. But, if the Client is authorized, the Server reads the authentication method and matches the user’s username and password against the user database.
The Server then sources more user information from the database and checks if there is an access policy or profile that matches the user. The transaction ends if there is no match.
With a match, the Server sends an Access-Accept message to the Client. The message contains a Filter ID attribute and a shared secret. The shared secret needs to match before the Client reads the Filter ID attribute.
The Client uses the Filter ID attribute (a string of text) to connect a user to a RADIUS Group of users with the same Filter ID attribute. Groups help to categorize users into functional groups (eg. different departments could be different groups). Once connected to a Group and authorized, the user gains access to the Client.
RADIUS Server authentication follows the AAA process, which allows for safe authentication through a single source. Additionally, with Accounting, businesses can take advantage of user access data. They can identify threats to their networks or determine prices for customers who use their networks.
Importantly, RADIUS Server integration is straightforward and is compatible with existing network configurations.ù
For more information about the comparison of different authentication protocols, check out our resource.