Introduction
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users who connect to network services.
This comprehensive guide covers RADIUS protocol mechanics, attributes, implementation, and enterprise deployment.
What is RADIUS?
RADIUS is a client-server protocol that enables network access servers to authenticate users and authorize access to network resources.
Key Features
Centralized AAA: Single point of authentication.
Attribute-Based: Flexible policy enforcement.
Proxy Support: Cascaded RADIUS servers.
Accounting: Track usage and session data.
Protocol Mechanics
Message Types
| Type | Code | Description |
|---|---|---|
| Access-Request | 1 | Client authenticates user |
| Access-Accept | 2 | Authentication approved |
| Access-Reject | 3 | Authentication denied |
| Accounting-Request | 4 | Start/stop accounting |
| Accounting-Response | 5 | Acknowledgment |
Authentication Flow
User NAS RADIUS Server
| | |
| Connect | |
|------------------->| |
| | Access-Request |
| |--------------------->|
| | |
| | Access-Accept/Reject|
| |<---------------------|
| Access Granted | |
|<-------------------| |
Attributes
Common Attributes
| ID | Name | Description |
|---|---|---|
| 1 | User-Name | Username |
| 2 | User-Password | Password |
| 4 | NAS-IP-Address | Network Access Server IP |
| 5 | NAS-Port | Port number |
| 6 | Service-Type | Type of service |
| 26 | Vendor-Specific | Vendor-specific |
| 31 | Calling-Station-ID | Caller ID |
| 32 | NAS-Identifier | NAS identifier |
Cisco VSA
# Cisco AV-Pair
attribute = 'Cisco-AVPair="shell:priv-lvl=15"'
Implementation
Python Client
import pyrad.client
import pyrad.packet
from pyrad.client import Client
from pyrad.packet import AccessRequest, AccountingRequest
class RADIUSClient:
def __init__(self, server, secret, auth_port=1812, acct_port=1813):
self.client = Client(
server=server,
secret=secret.encode(),
auth_port=auth_port,
acct_port=acct_port
)
def authenticate(self, username, password, nas_identifier='NAS'):
req = self.client.CreateAuthPacket(
code=AccessRequest,
UserName=username,
NASIdentifier=nas_identifier
)
req['User-Password'] = password
reply = self.client.SendPacket(req)
if reply.code == pyrad.packet.AccessAccept:
return True, reply
return False, reply
def accounting(self, username, session_id, status_type,
input_octets=0, output_octets=0):
req = self.client.CreateAcctPacket(
username=username,
session_id=session_id,
status_type=status_type,
input_octets=input_octets,
output_octets=output_octets
)
reply = self.client.SendPacket(req)
return reply.code == pyrad.packet.AcctResponse
FreeRADIUS Server
# /etc/freeradius/3.0/mods-enabled/ldap
ldap {
server = 'ldap.example.com'
identity = 'cn=admin,dc=example,dc=com'
password = secret
base_dn = 'dc=example,dc=com'
}
# /etc/freeradius/3.0/sites-enabled/default
authorize {
ldap
pap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
Use Cases
WiFi Authentication
# WPA2 Enterprise WiFi authentication
# User provides username/password
# RADIUS validates against LDAP/AD
VPN Authentication
# Cisco VPN, Juniper, OpenVPN
# Connect to NAS
# NAS sends Access-Request to RADIUS
# RADIUS validates credentials
# Returns Access-Accept/Reject
Best Practices
- Use RADIUS over TLS (RadSec) for security
- Implement accounting for billing
- Use redundant RADIUS servers
- Monitor failed authentication attempts
Conclusion
RADIUS remains essential for centralized network access control in enterprise environments.
Comments