Security and authentication mechanisms, Radius basic message exchange process – H3C Technologies H3C SecPath F1000-E User Manual

151

Security and authentication mechanisms

RADIUS uses a shared key that is never transmitted over the network to authenticate information

exchanged between a RADIUS client and the RADIUS server, enhancing the information exchange
security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS

encrypts passwords before transmitting them.
A RADIUS server supports multiple user authentication methods, such as the Password Authentication

Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point
Protocol (PPP). Moreover, a RADIUS server can act as the client of another AAA server to provide

authentication proxy services.

RADIUS basic message exchange process

Figure 131

illustrates the interaction between the host, the RADIUS client, and the RADIUS server.

Figure 131 RADIUS basic message exchange process

RADIUS operates in the following manner:

1.

The host initiates a connection request that carries the user's username and password to the
RADIUS client.

2.

Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the
Message-Digest 5 (MD5) algorithm and the shared key.

3.

The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept message containing the user's authorization information. If

the authentication fails, the server returns an Access-Reject message.

4.

The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.

5.

The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.