
Security and authentication mechanisms, Basic message exchange process of radius – H3C Technologies H3C SecPath F1000-E User Manual


Security and Authentication Mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances the information exchange security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before transmitting them.

A RADIUS server supports multiple user authentication methods, for example, the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point Protocol (PPP). Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services.

Basic Message Exchange Process of RADIUS

Figure 2 illustrates the interaction of the host, the RADIUS client, and the RADIUS server.

Figure 2 Basic message exchange process of RADIUS


The following is how RADIUS operates:

1. The host initiates a connection request carrying the username and password to the RADIUS client.

2. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.

3. The RADIUS server authenticates the username and password. If the authentication succeeds, it sends back an Access-Accept message containing the user’s authorization information. If the authentication fails, it returns an Access-Reject message.

4. The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
