Remote Authentication Dial-In User Service
Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol used for the authentication, authorization and accounting (triple-A system) of users with dial-up connections in a computer network. RADIUS is the de facto standard for the central authentication of dial-up connections via modem, ISDN, VPN, WLAN (IEEE 802.1X) and DSL.
A further development is the Diameter protocol, so far less widespread, which includes additional functions but is not fully backward compatible.
Functionality
A RADIUS server is a central authentication server to which services turn for the authentication of clients in a physical or virtual network (VPN), e.g. Remote Access Services (RAS) for Windows clients. Depending on the configuration, they can also reach it via a RADIUS proxy server.
The RADIUS server performs the authentication on behalf of the service, i.e. it checks the user name and password. It also provides parameters for the connection to the client. The RADIUS server takes the data used for this from its own configuration files or configuration databases, or determines it by querying other databases or directory services in which the access data, such as user name and password, are stored.
In this way, all user settings can be managed centrally, regardless of the network infrastructure. The RADIUS server can, for example, pass on upstream and downstream speeds of DSL connections, the maximum number of B channels for ISDN, or parameters such as IP, routing or MPLS parameters to the RAS service.
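The connection parameters a RADIUS server hands back travel as attributes in its reply packet. The following Python example, added here and not part of the original article, parses the RFC 2865 packet layout (20-byte header followed by type-length-value attributes) and rejects packets whose length fields are inconsistent; the sample Access-Accept, its values and the helper names are constructed for illustration.

```python
import ipaddress
import struct

# Packet codes and a subset of attribute types as defined in RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: ("User-Name", "text"), 6: ("Service-Type", "int"),
         7: ("Framed-Protocol", "int"), 8: ("Framed-IP-Address", "ip"),
         12: ("Framed-MTU", "int"), 27: ("Session-Timeout", "int")}

def parse_radius(packet: bytes) -> dict:
    """Parse code, identifier and attributes; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with received data")
    attrs, pos = {}, 20  # octets 4..19 hold the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The attribute length counts its own two header octets.
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        value = packet[pos + 2:pos + a_len]
        name, kind = ATTRS.get(a_type, (f"Attr-{a_type}", "raw"))
        if kind in ("int", "ip") and len(value) != 4:
            raise ValueError(f"{name} must carry exactly 4 octets")
        if kind == "int":
            value = int.from_bytes(value, "big")
        elif kind == "ip":
            value = str(ipaddress.IPv4Address(value))
        elif kind == "text":
            value = value.decode("utf-8", errors="replace")
        attrs[name] = value
        pos += a_len
    return {"code": CODES.get(code, code), "id": ident, "attributes": attrs}

def attr(a_type: int, value: bytes) -> bytes:
    """Hypothetical helper: encode one attribute as type, length, value."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample (not a real capture): Access-Accept, zeroed authenticator,
# Service-Type 2 (Framed), Framed-Protocol 1 (PPP), address, MTU, timeout.
_body = (attr(6, (2).to_bytes(4, "big")) + attr(7, (1).to_bytes(4, "big"))
         + attr(8, ipaddress.IPv4Address("192.0.2.10").packed)
         + attr(12, (1492).to_bytes(4, "big")) + attr(27, (3600).to_bytes(4, "big")))
SAMPLE_ACCEPT = struct.pack("!BBH", 2, 42, 20 + len(_body)) + bytes(16) + _body
```

Calling `parse_radius(SAMPLE_ACCEPT)` returns the packet code, the identifier and the decoded parameters; the parser does not verify the authenticator, which requires the shared secret.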
The advantage of this procedure is that each user's access data is registered only once, is available everywhere and at any time in distributed networks, and can be registered and changed at a central point with simple administrative interventions. A disadvantage of the method is that in the event of a fault, all services are affected at the same time, e.g. Internet access, IP telephony and IPTV.
In combination with DHCP and PPP, the dial-in systems can be configured automatically with RADIUS.
History
RADIUS was originally developed by Livingston Enterprises for the PortMaster series of network access servers. In 1997 it was published as RFC 2058 and RFC 2059. Current in 2008 (Official Internet Protocol Standards, as of February 2006) are:
- RFC 2865 Remote Authentication Dial In User Service (RADIUS)
- RFC 2866 RADIUS Accounting
- RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC 2868 RADIUS Attributes for Tunnel Protocol Support
- RFC 2869 RADIUS Extensions
There are now various proprietary and free RADIUS implementations, whose individual capabilities can vary. Diameter is standardized as the successor to the RADIUS protocol (RFC 3588 and others).
Web links
- untruth.org - An Analysis of the RADIUS Authentication Protocol
- freeRADIUS.org - open source RADIUS server for various Unix derivatives
- freeRADIUS.net - Windows distribution based on freeRADIUS.org (page no longer accessible)
- IAS Internet Authentication Service - RADIUS server integrated into Microsoft Windows Server 2003 - on MSDN
- Network Policy Server - RADIUS server integrated into Microsoft Windows Server 2008 - on Microsoft TechNet