
Introduction – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT, x310-26FP, x310-50FT, x310-50FP) User Manual

Page 1252


RADIUS Introduction and Configuration
Software Reference for x310 Series Switches
46.2
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A

Introduction

The main purpose of RADIUS (Remote Authentication Dial In User Service) is to authenticate
network users against a database held on a server known as a RADIUS Server.

When users connect to the network, the switch they connect to can challenge them for
credentials and pass the authentication request on to the RADIUS Server to check. Based on
the result of the check against the database, the RADIUS Server tells the switch whether
or not to allow the connected user access to the network.

A RADIUS Server can do more than allow or deny access to the network. It can also return
parameters for the connected user, such as an IP address, a VLAN, or a privilege level for
the session. RADIUS also provides an accounting service: switches can inform the RADIUS
Server how long a user has been connected to the network, and how much traffic the user
has sent and received while connected.

The original use for RADIUS was for the authentication of users dialling into an ISP
(Internet Service Provider). A PPP (Point-to-Point Protocol) connection would be
established between the remote client and the ISP's access switch. The ISP's access switch
would receive the client's username and password using PAP (Password Authentication
Protocol) or using CHAP (Challenge Handshake Authentication Protocol) and pass on the
client's username and password to the RADIUS server to authenticate the client. The
RADIUS Server's response to the authentication request would be sent back to the client
as a PAP or CHAP allow or deny.

RADIUS has been adapted to network access authentication applications. Network access
authentication using RADIUS follows a similar method to the PPP dial-up application for
ISPs. For general network access authentication there is the RADIUS Server, where the
database of user authentication data is stored, and a NAS (Network Access Server), which is
the switch that the user connects to first. The RADIUS Server and the NAS communicate with
each other by exchanging attributes. Usernames and passwords are treated as attributes in
RADIUS packets between a NAS and a RADIUS Server. The RADIUS Server is configured with a
list of valid NASs that are allowed to send authentication requests to it.

The RADIUS Server will not accept authentication requests from a NAS that is not on the
list of valid NASs. Each NAS has a shared secret, a key it shares with the RADIUS Server,
which is used to authenticate requests. The RADIUS Server has access to a list of user
authentication data, stored within the RADIUS Server or accessed from another server.

Communication between the NAS and the RADIUS Server uses the RADIUS protocol, which is
carried in UDP packets. Two UDP ports are used as the destination port for RADIUS
authentication packets (ports 1645 and 1812); port 1812 is in more common use than port
1645. A separate pair of UDP ports (ports 1646 and 1813) is used for RADIUS accounting,
distinct from the ports used for RADIUS authentication.
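The attribute exchange, NAS client list and shared secret described above can be followed in code. The following is an added example written for this page (not Allied Telesis code and not part of the manual): it builds an Access-Request on the NAS side with User-Name and User-Password attributes, hides the password with the shared secret as RFC 2865 section 5.2 specifies, has a minimal server discard requests from a NAS that is not on its client list, check the credentials, and return an Access-Accept or Access-Reject, and finally has the NAS verify the Response Authenticator before trusting the reply. Both sides run in one process with no sockets, so the UDP ports are not used; the shared secret, user database, NAS addresses and the `run_demo` scenario are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # RFC 2865 attribute types

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, len(v) + 2]) + v
    return out

def decode_attrs(data):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _password_xor(data, secret, request_auth, decrypting):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous hidden block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypting else result  # always chain on the hidden block
    return out

def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a 16-byte multiple
    return _password_xor(padded, secret, request_auth, decrypting=False)

def reveal_password(hidden, secret, request_auth):
    return _password_xor(hidden, secret, request_auth, decrypting=True).rstrip(b"\x00")

def build_packet(code, ident, authenticator, attr_bytes):
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def nas_access_request(username, password, secret, ident):
    """NAS side: build an Access-Request and return it with its Request Authenticator."""
    request_auth = secrets.token_bytes(16)  # fresh random nonce per request
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth

def server_handle(pkt, src_ip, clients, users):
    """Server side: clients maps NAS IP -> secret, users maps name -> password."""
    secret = clients.get(src_ip)
    if secret is None:
        return None  # NAS not on the configured client list: silently discarded
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    given = reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    reply_code, message = (ACCESS_ACCEPT, b"granted") if ok else (ACCESS_REJECT, b"denied")
    body = encode_attrs([(REPLY_MESSAGE, message)])
    auth = response_authenticator(reply_code, ident, request_auth, body, secret)
    return build_packet(reply_code, ident, auth, body)

def nas_check_reply(reply, request_auth, secret, expected_ident):
    """NAS side: return the reply code only if the identifier matches and the
    Response Authenticator proves the sender holds the shared secret."""
    code, ident, resp_auth, _ = parse_packet(reply)
    calc = response_authenticator(code, ident, request_auth, reply[20:], secret)
    if ident != expected_ident or not hmac.compare_digest(calc, resp_auth):
        return None  # mismatched or forged reply: discard
    return code

def run_demo():
    # Constructed sample data: one registered NAS, one user, one NAS not on the list
    secret, nas_ip = b"constructed-shared-secret", "192.0.2.10"
    clients, users = {nas_ip: secret}, {"alice": "correct horse battery staple"}
    good, ra = nas_access_request("alice", users["alice"], secret, ident=7)
    accept = nas_check_reply(server_handle(good, nas_ip, clients, users), ra, secret, 7)
    bad, rb = nas_access_request("alice", "wrong password", secret, ident=8)
    reject = nas_check_reply(server_handle(bad, nas_ip, clients, users), rb, secret, 8)
    ignored = server_handle(good, "198.51.100.5", clients, users)
    return accept, reject, ignored  # (2, 3, None)
```

Running `run_demo()` yields an Access-Accept (2) for the valid credentials, an Access-Reject (3) for the wrong password, and no reply at all for the NAS that is absent from the client list. Two points worth noting from the code: the User-Password attribute is hidden by an MD5 keystream derived from the shared secret and the Request Authenticator, which is obfuscation rather than strong encryption, so the shared secret and the path between NAS and server both matter; and the Response Authenticator is the only thing that lets the NAS tell a reply from its configured server apart from one sent by any other host, which is why the check in `nas_check_reply` must run before the reply code is acted on.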