Remote Authentication Dial-In User Service (RADIUS)

  • Designed for Centralized AAA Service: RADIUS is a widely deployed protocol enabling centralized authentication, authorization, and accounting (AAA) for network access. Originally developed for dial-up remote access. However,  RADIUS is now supported by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types.
  • Working on Client / Server model: RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server, the Virtual Private Network server, the Network switch with port-based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.
  • Listening on UDP ports: RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
  • Secured RADIUS Traffic: To provide security for RADIUS messages, the RADIUS client and the RADIUS server are configured with a common shared secret. The shared secret is used to secure RADIUS traffic and is commonly configured as a text string on both the RADIUS client and server.

For Point-to-Point Protocol (PPP) authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and MS-CHAP version 2 (MS-CHAP v2), the results of the authentication negotiation between the access server and the access client are forwarded to the RADIUS server for verification.

Reference URL: http://technet.microsoft.com/en-us/library/bb742489.aspx

RADIUS Packet Format

  • Attribute Value Pairs (AVPs)
    imageThe RADIUS Attribute Value Pairs (AVP) carry data in both the request and the response for the authentication, authorization, and accounting transactions. 
  • Authenticator (16 octets string) In order to secure the RADIUS traffic, Authenticator attribute, which is a randomly generated 16 octets string, is required for all Access-Request Messages. While in Access-Accept or Access-Reject, Authenticator attribute is MD5 Hash value of the whole response message concatenated with the Authenticator attribute of relevant Access-Request value and the pre-shared secret.
    However, using Authenticator along with MD5 is not very secure yet, more strong security technologies such as IPSec Tunnel, should be employed here to further secure the traffic. (for example, attacker accidently both captured Access-Request and Access-Accept can launch an exhaustive attack on the Pre-shared secret)
    About how the RADIUS traffic is secured using a pre-shared secret and its vulnerabilities, refer to : http://www.untruth.org/~josh/security/radius/radius-auth.html