RADIUS Server Definition
A RADIUS server is a network server implementing RADIUS and RADIUS-based authentication protocols, such as PAP, CHAP, MS-CHAP, PEAP, EAP-TTLS, EAP-TTLS, SIP Digest. Cloudessa provides virtual RADIUS servers as SaaS and as a Virtual Appliance.
A RADIUS server implements RFC 2865 and RFC 2866 RADIUS authentication and accounting protocols, which are UDP-based protocols. During the RADIUS authentication phase a network client connects to a network access server (NAS) and provides authentication credentials. The NAS then uses the authentication credentials to issue a RADIUS authentication request to the RADIUS server. The RADIUS server and the NAS will then exchange RADIUS authentication messages.
Once the authentication completes, the RADIUS server passes an “Accept” or “Reject” message to the NAS. The NAS will then permit or reject connection of the client to the network.
Once the client is on the network the NAS will periodically send to the RADIUS server RADIUS accounting messages documenting client activity, such as the amount of data transferred to/from the client. When the client disconnects from the network, the NAS will send an accounting stop message to the RADIUS server.
RADIUS attributes can be added to any RADIUS message and can be used to exchange additional information between the NAS and the RADIUS server. As an example, the NAS can inform the RADIUS server about the MAC address of the client. The RADIUS server can pass back to the NAS security policies that the NAS needs to enforce for a particular client. There is a set of standard RADIUS attributes specified in the RADIUS protocol specifications. In addition to that, many vendors define their own, vendor-specific attributes (VSAs) that can be used to control network equipment originating from a particular vendor.
The communications between the NAS and the RADIUS server are protected using a shared secret string (RADIUS secret).
The more traditional RADIUS protocols include PAP, CHAP, MS-CHAP, and SIP Digest. They are typically used to authenticate network clients to VPNs, firewalls, VoIP servers and other network devices.
Newer RADIUS protocols are EAP/802.1X-based, meaning that RADIUS messages are used to encapsulate messages based on EAP/802.1X security protocols. EAP/802.1X protocols typically allow for higher levels of security and implement asymmetric cryptography.
For the EAP/802.1X protocols, the NAS (which is typically a wireless access point, a wired Ethernet switch or a 3G/4G network access server) relays the EAP/802.1X messages between the wireless or wired client and the RADIUS server. At the end of the EAP/802.1X authentication handshake the RADIUS server will typically send the master secret key to the NAS. The NAS will then use the master key to derive the data encryption keys, which are, in turn, used to encrypt bulk wireless or wired data flowing between the client and the network.
In the EAP/802.1X terminology the client is referred to as “the supplicant”.
Wi-Fi supplicants and 802.1X-enabled wired Ethernet switches typically implement EAP-PEAP (Microsoft, password-based authentication), EAP-TTLS (vendor-neutral, password-based and/or client-certificate-based) and EAP-TLS (client-certificate-based) protocols.
Cloudessa supports a comprehensive variety of RADIUS-based protocols, as well as functions as a bridge to non-RADIUS technologies such as Google Apps, Microsoft Active Directory, LDAP and SQL databases.