Manualshelf

R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
111112113114115116117118119120
114
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet. RADIUS provides
access authentication and authorization services, and its accounting function collects and records
network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
See Figure 82.
Figure 82 RADIUS server components
Users: Stores user information such as the usernames, passwords, applied protocols, and IP
addresses.
Clients: Stores information about RADIUS clients, such as shared keys and IP addresses.
Dictionary: Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
RADIUS uses a shared key that is never transmitted over the network to authenticate information
exchanged between a RADIUS client and the RADIUS server, enhancing the information exchange
security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS
encrypts passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, such as the Password Authentication
Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point
Protocol (PPP). Moreover, a RADIUS server can act as the client of another AAA server to provide
authentication proxy services.
RADIUS basic message exchange process
Figure 83 illustrates the interaction between the host, the RADIUS client, and the RADIUS server.