Radius – H3C Technologies H3C S12500-X Series Switches User Manual

2

The device performs dynamic password authentication.

155B

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that

uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
The RADIUS authorization process is combined with the RADIUS authentication process, and user

authorization information is piggybacked in authentication responses. RADIUS uses UDP port 1812 for

authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access, and has been extended to support additional
access methods, such as Ethernet and ADSL.

336B

Client/server model

The RADIUS client runs on the NASs located throughout the network. It passes user information to

RADIUS servers and acts on the responses to, for example, reject or accept user access requests.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It receives authentication, authorization, and

accounting requests from RADIUS clients, performs user authentication, authorization, or accounting,

and returns user access control information (for example, rejecting or accepting the user access request)

to the clients. In addition, the RADIUS server can act as the client of another RADIUS server to provide
authentication proxy services.
The RADIUS server maintains the following databases: Users, Clients, and Dictionary.

Figure 2 RADIUS server databases

•

Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.

•

Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

•

Dictionary—Stores RADIUS protocol attributes and their values.

337B

Information exchange security mechanism

The RADIUS client and server exchange information between them with the help of shared keys, which

are pre-configured on the client and server. A RADIUS packet has a 16-byte field called Authenticator.

This field includes a signature generated by using the MD5 algorithm, the shared key, and some other

information. The receiver of the packet verifies the signature and accepts the packet only when the
signature is correct. This mechanism ensures the security of information exchanged between the RADIUS

client and server.
The shared keys are also used to encrypt user passwords that are included in RADIUS packets.

338B

User authentication methods

The RADIUS server supports multiple user authentication methods, such as PAP, CHAP, and EAP.