
Introduction to radius, Client/server model – H3C Technologies H3C S7500E Series Switches User Manual


When a user tries to establish a connection to the NAS or obtain the rights to access other networks or some network resources, the NAS authenticates the user or the corresponding connection. The NAS can transparently pass the user's AAA information to the server (RADIUS server or HWTACACS server). The RADIUS/HWTACACS protocol defines how a NAS and a server exchange user information between them.

In the AAA network shown in Figure 1-1, there is a RADIUS server and an HWTACACS server. You can choose authentication, authorization and accounting methods flexibly as required. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting.

The three security functions are described as follows:

• Authentication: Identifies remote users and determines whether a user is legitimate.

• Authorization: Grants different users different rights. For example, a user logging in to the server can be granted the permission to access and print the files on the server.

• Accounting: Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also supports network security monitoring and auditing.

You can use AAA to provide only one or two of these security functions, if desired. For example, if your company only wants employees to be authenticated before they access specific resources, you only need to configure an authentication server. If network usage information is to be recorded, you also need to configure an accounting server.

As described above, AAA provides a uniform framework for implementing network security management. It supports authorizing specific users to access specific resources and keeping track of the operations of users, and therefore scales well. With AAA, you can implement centralized user information management easily. Thanks to these benefits, AAA is widely used.

AAA can be implemented through multiple protocols. Currently, the device supports RADIUS and HWTACACS for AAA, and RADIUS is the one most often used in practice.

Introduction to RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed protocol for exchanging user authentication, authorization and accounting information between a NAS and a server, using the client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.

RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and 1813 for accounting (some older implementations use 1645 and 1646; the port numbers configured on the NAS must match those on the server). Because UDP gives no delivery guarantee, the RADIUS client is responsible for retransmitting requests and timing out unresponsive servers. Each NAS and server pair is protected by a shared secret: the secret keys the authenticator that validates replies, and it hides the User-Password attribute, but all other attributes travel in cleartext. The shared secret must therefore be strong and unique per NAS, and the NAS-to-server path should be a trusted management network.

RADIUS was originally designed for dial-in user access. With the diversification of access methods, RADIUS has been extended to support more access methods, for example, Ethernet access and ADSL access. It uses authentication and authorization in providing access services and uses accounting to collect and record network resource usage information.

Client/Server Model

• Client: The RADIUS client runs on the NASs located throughout the network. It passes user information to designated RADIUS servers and acts on the responses (for example, rejects or accepts user access requests).