Radius, Client/server model – H3C Technologies H3C SecPath F1000-E User Manual
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in
, there is a RADIUS server and an HWTACACS server. You can
choose different servers for different security functions. For example, you can use the HWTACACS server
for authentication and authorization, and the RADIUS server for accounting.
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, configure an
authentication server. If network usage information is needed, configure an accounting server.
AAA can be implemented through multiple protocols. The firewall supports using RADIUS and
HWTACACS. RADIUS is often used in practice.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and
records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
See
.
Figure 130 RADIUS server components
• Users—Stores user information such as the usernames, passwords, applied protocols, and IP addresses.
• Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
• Dictionary—Stores RADIUS protocol attributes and their values.
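As an added example (not code from the H3C manual), the Python script below walks through the client/server exchange described in this section: the NAS builds an Access-Request, the server looks up the NAS's shared key in its Clients database and the user in its Users database, replies with Access-Accept or Access-Reject, and the NAS checks the reply's Response Authenticator with the same shared key. The addresses, usernames, passwords and keys are constructed for the demonstration; the packet layout follows RFC 2865.

```python
import hashlib
import os
import struct

# Constructed databases standing in for the server's Clients and Users tables.
CLIENTS = {"192.0.2.10": b"nas-shared-key"}      # NAS address -> shared key
USERS = {b"alice": b"correct-horse"}             # username -> password

def xor_password(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous block)."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)      # pad cleartext to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += res
        prev = res if hiding else chunk         # chaining always uses the hidden block
    return out if hiding else out.rstrip(b"\x00")

def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # Type, Length, Value
def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs
def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    req_auth = os.urandom(16)                    # Request Authenticator (random per request)
    attrs = attribute(1, user) + attribute(2, xor_password(password, secret, req_auth, True))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs   # code 1

def server_handle(packet: bytes, nas_ip: str):
    secret = CLIENTS.get(nas_ip)
    if secret is None:
        return None                              # unknown NAS: silently discard
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    password = xor_password(attrs[2], secret, req_auth, False)
    code = 2 if USERS.get(attrs[1]) == password else 3   # 2 = Access-Accept, 3 = Access-Reject
    header = struct.pack("!BBH", code, ident, 20)         # no reply attributes in this demo
    resp_auth = hashlib.md5(header + req_auth + secret).digest()   # Response Authenticator
    return header + resp_auth
def client_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if its identifier matches and its Response Authenticator checks."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected
```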