Radius, Client/server model, Security and authentication mechanisms – H3C Technologies H3C SecBlade LB Cards User Manual
Page 49: Basic radius message exchange process
38
AAA can be implemented through multiple protocols. The device supports RADIUS and HWTACACS, of
which RADIUS is most often used.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet. RADIUS provides
access authentication, authorization, and accounting services. The accounting function collects and
records network resource usage information.
Client/server model
RADIUS clients run on NASs located throughout the network. NASs pass user information to RADIUS
servers, and determine to reject or accept user access requests depending on the responses from RADIUS
servers.
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network access. It receives connection requests, authenticates users,
and returns access control information (for example, rejecting or accepting the user access request) to the
clients.
The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary.
See
Figure 21 RADIUS server databases
•
Users—Stores user information, such as usernames, passwords, applied protocols, and IP
addresses.
•
Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•
Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
The RADIUS client and the RADIUS server use a shared key to authenticate RADIUS packets and encrypt
user passwords exchanged between them. For security, this key must be manually configured on the
client and the server.
RADIUS servers support multiple authentication protocols, including PAP and CHAP. A RADIUS server
can also act as the client of another AAA server to provide authentication proxy services.
Basic RADIUS message exchange process
illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
RADIUS servers
Users
Clients
Dictionary