RADIUS stands for Remote Authentication Dial-In User Service. A RADIUS server or proxy is used for centralised accounting, authorisation and, most of all, authentication. This technology helps you control who can connect to your network and who will not be granted access.
It can control access to all sorts of networks: wireless, VPN, dial-up, and direct device-to-device links such as router-to-router connections. Basically, wherever you put it in the middle of the communication, it can do the control.
There is also a RADIUS proxy configuration, where the proxy only receives and accepts the connection requests; for the decision making it connects to another server that performs the RADIUS role.
There are two major ways to deploy a RADIUS server:
- Deployment of a FreeRADIUS server on UNIX servers. Many network engineers consider this the best daemon that implements the RADIUS protocol; it makes your UNIX server a RADIUS-enabled server.
- Deployment of the IAS (Internet Authentication Service) role on a Windows Server machine, which lets that machine respond to RADIUS requests and act as a real RADIUS server. It has Active Directory integration built in, so it can authenticate users from an Active Directory domain. That is its biggest advantage over a UNIX deployment, provided of course that you have AD deployed in your organization, and you surely have.
The RADIUS server connects to a user account database, which is Active Directory on Windows Server or some ordinary user database on UNIX; this can be a plain SQL table with users in it. The server checks the access credentials against it. If the user is authorized to access a network that is secured with RADIUS, the server authorizes the access for that user and writes a log entry of the user's entrance to the network.
Components of a RADIUS infrastructure
These are the components of a RADIUS infrastructure. The picture also shows what each of them does:
- RADIUS server
- RADIUS clients or access servers (the same thing)
- Access clients
- RADIUS proxies
- User account databases
Access clients
An access client is a computer, phone, tablet or some other IP-enabled network device that wants to connect to your network.
RADIUS server
I will skip this one, as it is explained in the intro part of this article above. The RADIUS server processes connection requests or accounting messages from RADIUS clients and decides whether or not to grant devices a connection to our network.
RADIUS clients or Access servers
An access server is a device through which the access client enters your network. The access client connects to this access server and uses it as the next hop to reach your network resources. This can be any sort of wireless access point, a network access server that supports VPN remote access services, or the old but still good dial-in method. An access server can also be any switch or router that supports a physical, normally Ethernet, connection to your network.
RADIUS proxies
A RADIUS proxy is a mediator between RADIUS clients and servers. It receives connection requests and accounting messages from the access server and forwards those messages to the RADIUS server.
User account database
This is a list of users with attributes by which the RADIUS server can decide who can get into the network and who cannot. The decision can be based on user group membership, password configuration or some other attribute defined for the users. The user database can be a simple SQL database if we speak about a UNIX deployment, or Active Directory if we use Windows Server.
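The flow between access server, RADIUS server and user account database described above, sketched at packet level as an added example (not code from the original article). It follows the RFC 2865 packet layout, which the article does not cover; the function names, the sample user and the shared secret are constructed, and the account database is a plain dict of cleartext passwords only for brevity.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types

def xor_password(data, secret, req_auth, hide):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = res if hide else block  # always chain on the ciphertext block
        out += res
    return out

def build_request(ident, user, password, secret):
    """Access server (RADIUS client): wrap the access client's credentials."""
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    attrs = b""
    for typ, val in ((USER_NAME, user), (USER_PASSWORD, xor_password(padded, secret, req_auth, True))):
        attrs += bytes([typ, len(val) + 2]) + val
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_reply(request, secret, user_db):
    """RADIUS server: look the user up in the account database, then answer."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, body, attrs, i = request[4:20], request[20:length], {}, 0
    while i + 2 <= len(body):  # walk the type/length/value attributes
        typ, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[typ] = body[i + 2:i + alen]
        i += alen
    password = xor_password(attrs.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\x00")
    stored = user_db.get(attrs.get(USER_NAME))
    ok = stored is not None and hmac.compare_digest(stored, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_reply(reply, request, secret):
    """Access server: trust the verdict only if it was made with the shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply does not match request or shared secret")
    return reply[0]

USER_DB = {b"alice": b"correct horse"}  # constructed sample account database
SECRET = b"constructed-shared-secret"   # constructed secret shared by both sides
```

The access server admits the access client only when `verify_reply` returns `ACCESS_ACCEPT`; a reply computed with a different shared secret raises instead of being treated as a verdict.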