What is RADIUS?

RADIUS (Remote Authentication Dial-In User Service) is a client-server networking protocol that runs in the application layer. As an AAA protocol for managing network access, it provides centralized Authentication, Authorization, and Accounting for users of network services.

RADIUS uses two types of packets to manage the AAA process: 

  1. Access-Request – this manages authentication and authorization; and
  2. Accounting-Request – this manages accounting.

The RADIUS protocol uses a RADIUS Server and RADIUS Clients:

RADIUS Server – responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to authenticate the user. One RADIUS server can act as a proxy client for other RADIUS servers or any other kind of authentication server.

RADIUS Client – networking devices (such as a VPN concentrator, router, or switch) that are used to authenticate users.

What is AAA?

AAA – Authentication, Authorization, and Accounting

Authentication

This refers to confirming the user's identity, which is accomplished by presenting an identity and credentials (for example, a username and password, an OTP, or digital certificates).

Authorization

This refers to the granting of specific types of services or resources based on the authentication process of the user. This helps in giving restricted permissions to the users. These restrictions may be based on the physical location, IP address, or time of access.

Accounting

This refers to the tracking of consumption of resources by the users. This feature can be used independently of RADIUS authentication or authorization. This may be used for management, planning, billing, etc.

RADIUS Server Authentication methods

The RADIUS server supports various methods to authenticate users. When it is provided with the username and original password given by the user, it can support PAP, CHAP, MS-CHAP, EAP, EAP-TLS, UNIX login, and other authentication mechanisms.

  • PAP – Password Authentication Protocol (PAP) authentication uses the PPP configuration files and PAP database for setting up authentication. The operation of PAP is similar to the UNIX login program, though PAP does not grant shell access to the user.
  • CHAP – Challenge-Handshake Authentication Protocol (CHAP) authentication uses challenge and response, which means that the authenticator challenges the caller (authenticatee) to prove its identity. The challenge includes the unique ID generated by the authenticator and a random number. The caller uses the ID, random number, and its CHAP security credentials to generate the response (handshake) to send to the peer.
  • MS-CHAP – the Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP). It is used as an authentication option in Microsoft’s implementation of the PPTP protocol for VPNs.
  • EAP – Extensible Authentication Protocol (EAP) is an authentication framework, used in wireless networks and point-to-point connections.

How Does RADIUS Server Authentication Work?

miniOrange accomplishes this by acting as a RADIUS server. It accepts the username and password of the user/client as a RADIUS request. The request is then validated against the user store (such as Azure AD) or database. Once the credentials are verified, it prompts the user for two-factor authentication and, based on the result, either grants or revokes access. By acting as a RADIUS server, miniOrange secures any VPN with multi-factor authentication (MFA).

RADIUS Server Authentication VPN MFA Flow

 

RADIUS Server authentication works as follows:

  1. Initially, the RADIUS Client tries to authenticate to the RADIUS server using the username and password i.e. user credentials.
  2. The Client then sends an Access-Request message to the RADIUS Server. The Access-Request message has a username and password (which is always encrypted) in it.
  3. The RADIUS Server reads the information from the received request and authenticates it against the User Store (which can be Active Directory or any other database).
  4. If a match is found, the RADIUS Server extracts additional details of the user from the user database.
  5. The RADIUS Server checks whether there is an access policy or a profile that matches the user credentials. Once the access policy is found for that user, the user is prompted for MFA (if enabled). For this, an Access-Challenge Request is initiated.
  6. The user responds to the Access-Challenge request by entering an OTP or accepting a push notification, depending on the 2FA method; the RADIUS Server then validates that response.
  7. If the response gets validated successfully, the RADIUS Server sends an Access-Accept message to the device.
  8. If there is no matching access policy or invalid response, then the server will send an Access-Reject message. The RADIUS transaction will end, and the user will be denied access to the system.
  9. The Access-Accept message consists of a Filter ID attribute and a shared secret. If the shared secret does not match, the RADIUS Client rejects the message.
  10. If the shared secret matches, the Client reads the value of the Filter ID attribute. The RADIUS Client then connects the user to a particular RADIUS Group using this Filter ID.
  11. The user is finally authenticated and authorized and will obtain access to the RADIUS Client.
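
Steps 2 and 9-10 as an added example (not miniOrange's code): in RFC 2865 the shared secret itself is never sent on the wire; it is mixed into an MD5 hash that hides the User-Password in the request and forms the Response Authenticator the client checks before trusting Filter-Id. The function names and the sample secret, user, and Filter-Id values are constructed for illustration.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def access_request(ident, req_auth, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Step 2: Access-Request carrying User-Name and the hidden User-Password."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def verify_reply(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> dict:
    """Steps 9-10, client side: authenticate the reply, then parse its attributes."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("truncated reply or identifier/length mismatch")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 20
    while pos < len(reply):
        if pos + 2 > len(reply) or reply[pos + 1] < 2 or pos + reply[pos + 1] > len(reply):
            raise ValueError("malformed attribute")
        t, n = reply[pos], reply[pos + 1]
        attrs[t] = reply[pos + 2:pos + n]
        pos += n
    return {"code": reply[0], "attrs": attrs}

def constructed_accept(ident, req_auth, secret, filter_id: bytes) -> bytes:
    """Stand-in for the server: builds an authenticated Access-Accept (sample data)."""
    body = attr(FILTER_ID, filter_id)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body
```

In a real client the 16-byte Request Authenticator must come from a cryptographically secure random source (for example `os.urandom(16)`) and be fresh for every request, because both the password hiding and the reply check depend on it.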

Conclusion

A RADIUS Server eliminates the possibility of your organization's private information leaking to snooping outsiders. It also allows easy depreciation capabilities and enables individual users to be assigned unique network permissions. It can integrate into your existing system without any significant changes.
