Remote Authentication Dial In User Service overview

Remote Authentication Dial In User Service (RADIUS) is an Internet standard protocol that provides centralized authentication, accounting and IP management services for remote access users in a distributed dial-up network.

The RADIUS client-server model has a Network Access Server (NAS) operating as a client to a RADIUS server. The system, acting as the NAS, sends user and connection information to a designated RADIUS server using the RADIUS standard protocol defined in RFC 2865.

RADIUS servers act on received user connection requests by authenticating the user and then returning all configuration information necessary to the NAS, so that the NAS (the system) can deliver authorized services to the authenticated dial-in user.

If a RADIUS server cannot be reached, the system can route authentication requests to an alternate server. This enables global enterprises to offer their users a dial-in service with a unique login user ID for corporate-wide access, no matter what access point is being used.

When an authentication request is received by the RADIUS server, the request is validated; then the RADIUS server decrypts the data packet to access the user name and password information. The information is passed on to the appropriate supported security system. This might be UNIX password files, Kerberos, a commercial security system, or even a custom-developed security system. The RADIUS server sends back to the system any services that the authenticated user is authorized to use, such as an IP address.

RADIUS accounting requests are handled in a similar manner. A remote user's accounting information can be sent to a designated RADIUS accounting server. The RADIUS accounting standard protocol is defined in RFC 2866. The RADIUS accounting server acts on received accounting requests by logging the information from the RADIUS accounting request.
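
The authentication request handling described above, as an added example that is not code from the original page or from any RADIUS product: in RFC 2865 it is the User-Password attribute that is hidden with the shared secret and the Request Authenticator, while User-Name travels in the clear. The function names and the sample secret, user and packet are assumptions constructed for this example; a real NAS uses a random Request Authenticator.

```python
import hashlib
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # codes/types from RFC 2865

def _md5_chain(data, secret, authenticator, recovering):
    # RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if recovering else res  # always chain on the ciphertext
        out += res
    return out

def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)  # null-pad to 16-byte blocks
    return _md5_chain(password.ljust(size, b"\x00"), secret, authenticator, False)

def recover_password(hidden, secret, authenticator):
    if not 16 <= len(hidden) <= 128 or len(hidden) % 16:
        raise ValueError("bad User-Password length")
    return _md5_chain(hidden, secret, authenticator, True).rstrip(b"\x00")

def build_access_request(ident, authenticator, user, password, secret):
    # NAS side: User-Name goes in the clear, User-Password is hidden.
    hidden = hide_password(password, secret, authenticator)
    pairs = ((USER_NAME, user.encode()), (USER_PASSWORD, hidden))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    # Server side: validate framing before touching any attribute.
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("User-Name or User-Password missing")
    return attrs[USER_NAME].decode(), recover_password(attrs[USER_PASSWORD], secret, authenticator)

SAMPLE_SECRET = b"constructed-shared-secret"  # constructed sample values, not from the page
SAMPLE_PACKET = build_access_request(7, bytes(range(16)), "alice", b"correct horse battery staple", SAMPLE_SECRET)
```

A server holding a different shared secret recovers only garbage from the same packet, which is why the secret configured on the NAS and on the RADIUS server must match.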