RADIUS


Remote Authentication Dial-In User Service is a networking protocol, operating on port 1812, that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and later brought into the Internet Engineering Task Force standards.
RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication as well.
The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server.

Protocol components

RADIUS is an AAA protocol that manages network access. AAA stands for authentication, authorization and accounting. RADIUS uses two packet types to manage the full AAA process; Access-Request, which manages authentication and authorization; and Accounting-Request, which manages accounting. Authentication and authorization are defined in RFC 2865 while accounting is described by RFC 2866.

Authentication and authorization

The user or machine sends a request to a Network Access Server to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol in the case of many dialup or DSL providers or posted in an HTTPS secure web form.
In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.
The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat file database. Modern RADIUS servers can do this, or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user's credentials.
The RADIUS server then returns one of three responses to the NAS: 1) Access Reject, 2) Access Challenge, or 3) Access Accept.
; Access Reject: The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
; Access Challenge: Requests additional information from the user such as a secondary password, PIN, token, or card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.
; Access Accept: The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source such as LDAP or Active Directory.
Each of these three RADIUS responses may include a Reply-Message attribute which may give a reason for the rejection, the prompt for the challenge, or a welcome message for the accept. The text in the attribute can be passed on to the user in a return web page.
Authorization attributes are conveyed to the NAS stipulating terms of access to be granted. For example, the following authorization attributes may be included in an Access-Accept:
When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol, which has authentication packets which carry this information.
Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access- Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5.

Accounting

Accounting is described in RFC 2866.
When network access is granted to the user by the NAS, an Accounting Start is sent by the NAS to the RADIUS server to signal the start of the user's network access. "Start" records typically contain the user's identification, network address, point of attachment and a unique session identifier.
Periodically, Interim Update records may be sent by the NAS to the RADIUS server, to update it on the status of an active session. "Interim" records typically convey the current session duration and information on current data usage.
Finally, when the user's network access is closed, the NAS issues a final Accounting Stop record to the RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, reason for disconnect and other information related to the user's network access.
Typically, the client sends Accounting-Request packets until it receives an Accounting-Response acknowledgement, using some retry interval.
The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.

Roaming

RADIUS is commonly used to facilitate roaming between ISPs, for example:
RADIUS facilitates this by the use of realms, which identify where the RADIUS server should forward the AAA requests for processing.

Realms

A realm is commonly appended to a user's user name and delimited with an '@' sign, resembling an email address domain name. This is known as postfix notation for the realm. Another common usage is prefix notation, which involves prepending the realm to the username and using '\' as a delimiter.
Modern RADIUS servers allow any character to be used as a realm delimiter, although in practice '@' and '\' are usually used.
Realms can also be compounded using both prefix and postfix notation, to allow for complicated roaming scenarios; for example, somedomain.com\username@anotherdomain.com could be a valid username with two realms.
Although realms often resemble domains, it is important to note that realms are in fact arbitrary text and need not contain real domain names. Realm formats are standardized in RFC 4282, which defines a Network Access Identifier in the form of 'user@realm'. In that specification, the 'realm' portion is required to be a domain name. However, this practice is not always followed. RFC 7542 replaced RFC 4282 in May 2015.

Proxy operations

When a RADIUS server receives an AAA request for a user name containing a realm, the server will reference a table of configured realms. If the realm is known, the server will then proxy the request to the configured home server for that domain. The behavior of the proxying server regarding the removal of the realm from the request is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite AAA requests when they are proxied over time again.
Proxy Chaining is possible in RADIUS and authentication/authorization and accounting packets are usually routed between a NAS Device and a Home server through a series of proxies. Some of advantages of using Proxy chains include scalability improvements, policy implementations and capability adjustments. But in roaming scenarios, the NAS, Proxies and Home Server could be typically managed by different administrative entities. Hence, the trust factor among the proxies gains more significance under such Inter-domain applications. Further, the absence of end to end security in RADIUS adds to the criticality of trust among the Proxies involved. Proxy Chains are explained in.

Security

Roaming with RADIUS exposes the users to various security and privacy concerns. More generally, some roaming partners establish a secure tunnel between the RADIUS servers to ensure that users' credentials cannot be intercepted while being proxied across the internet. This is a concern as the MD5 hash built into RADIUS is considered insecure.

Packet structure

The RADIUS packet data format is shown to the right. The fields are transmitted from left to right, starting with the code, the identifier, the length, the authenticator and the attributes.
RADIUS Codes are assigned as follows:
CodeAssignment
1Access-Request
2Access-Accept
3Access-Reject
4Accounting-Request
5Accounting-Response
11Access-Challenge
12Status-Server
13Status-Client
40Disconnect-Request
41Disconnect-ACK
42Disconnect-NAK
43CoA-Request
44CoA-ACK
45CoA-NAK
255Reserved

The Identifier field aids in matching requests and replies.
The Length field indicates the length of the entire RADIUS packet including the Code, Identifier, Length, Authenticator and optional Attribute fields.
The Authenticator is used to authenticate the reply from the RADIUS server, and is used in encrypting passwords; its length is 16 bytes.

Attribute value pairs

The RADIUS Attribute Value Pairs carry data in both the request and the response for the authentication, authorization, and accounting transactions. The length of the radius packet is used to determine the end of the AVPs.
AVP typeAssignment
1User-Name
2User-Password
3CHAP-Password
4NAS-IP-Address
5NAS-Port
6Service-Type
7Framed-Protocol
8Framed-IP-Address
9Framed-IP-Netmask
10Framed-Routing
11Filter-Id
12Framed-MTU
13Framed-Compression
14Login-IP-Host
15Login-Service
16Login-TCP-Port
18Reply-Message
19Callback-Number
20Callback-Id
22Framed-Route
23Framed-IPX-Network
24State
25Class
26Vendor-Specific
27Session-Timeout
28Idle-Timeout
29Termination-Action
30Called-Station-Id
31Calling-Station-Id
32NAS-Identifier
33Proxy-State
34Login-LAT-Service
35Login-LAT-Node
36Login-LAT-Group
37Framed-AppleTalk-Link
38Framed-AppleTalk-Network
39Framed-AppleTalk-Zone
40Acct-Status-Type
41Acct-Delay-Time
42Acct-Input-Octets
43Acct-Output-Octets
44Acct-Session-Id
45Acct-Authentic
46Acct-Session-Time
47Acct-Input-Packets
48Acct-Output-Packets
49Acct-Terminate-Cause
50Acct-Multi-Session-Id
51Acct-Link-Count
52Acct-Input-Gigawords
53Acct-Output-Gigawords
55Event-Timestamp
56Egress-VLANID
57Ingress-Filters
58Egress-VLAN-Name
59User-Priority-Table
60CHAP-Challenge
61NAS-Port-Type
62Port-Limit
63Login-LAT-Port
64Tunnel-Type
65Tunnel-Medium-Type
66Tunnel-Client-Endpoint
67Tunnel-Server-Endpoint
68Acct-Tunnel-Connection
69Tunnel-Password
70ARAP-Password
71ARAP-Features
72ARAP-Zone-Access
73ARAP-Security
74ARAP-Security-Data
75Password-Retry
76Prompt
77Connect-Info
78Configuration-Token
79EAP-Message
80Message-Authenticator
81Tunnel-Private-Group-ID
82Tunnel-Assignment-ID
83Tunnel-Preference
84ARAP-Challenge-Response
85Acct-Interim-Interval
86Acct-Tunnel-Packets-Lost
87NAS-Port-Id
88Framed-Pool
89CUI
90Tunnel-Client-Auth-ID
91Tunnel-Server-Auth-ID
92NAS-Filter-Rule
94Originating-Line-Info
95NAS-IPv6-Address
96Framed-Interface-Id
97Framed-IPv6-Prefix
98Login-IPv6-Host
99Framed-IPv6-Route
100Framed-IPv6-Pool
101Error-Cause Attribute
102EAP-Key-Name
103Digest-Response
104Digest-Realm
105Digest-Nonce
106Digest-Response-Auth
107Digest-Nextnonce
108Digest-Method
109Digest-URI
110Digest-Qop
111Digest-Algorithm
112Digest-Entity-Body-Hash
113Digest-CNonce
114Digest-Nonce-Count
115Digest-Username
116Digest-Opaque
117Digest-Auth-Param
118Digest-AKA-Auts
119Digest-Domain
120Digest-Stale
121Digest-HA1
122SIP-AOR
123Delegated-IPv6-Prefix
124MIP6-Feature-Vector
125MIP6-Home-Link-Prefix
126Operator-Name
127Location-Information
128Location-Data
129Basic-Location-Policy-Rules
130Extended-Location-Policy-Rules
131Location-Capable
132Requested-Location-Info
133Framed-Management-Protocol
134Management-Transport-Protection
135Management-Policy-Id
136Management-Privilege-Level
137PKM-SS-Cert
138PKM-CA-Cert
139PKM-Config-Settings
140PKM-Cryptosuite-List
141PKM-SAID
142PKM-SA-Descriptor
143PKM-Auth-Key
144DS-Lite-Tunnel-Name
145Mobile-Node-Identifier
146Service-Selection
147PMIP6-Home-LMA-IPv6-Address
148PMIP6-Visited-LMA-IPv6-Address
149PMIP6-Home-LMA-IPv4-Address
150PMIP6-Visited-LMA-IPv4-Address
151PMIP6-Home-HN-Prefix
152PMIP6-Visited-HN-Prefix
153PMIP6-Home-Interface-ID
154PMIP6-Visited-Interface-ID
155PMIP6-Home-IPv4-HoA
156PMIP6-Visited-IPv4-HoA
157PMIP6-Home-DHCP4-Server-Address
158PMIP6-Visited-DHCP4-Server-Address
159PMIP6-Home-DHCP6-Server-Address
160PMIP6-Visited-DHCP6-Server-Address
161PMIP6-Home-IPv4-Gateway
162PMIP6-Visited-IPv4-Gateway
163EAP-Lower-Layer
164GSS-Acceptor-Service-Name
165GSS-Acceptor-Host-Name
166GSS-Acceptor-Service-Specifics
167GSS-Acceptor-Realm-Name
168Framed-IPv6-Address
169DNS-Server-IPv6-Address
170Route-IPv6-Information
171Delegated-IPv6-Prefix-Pool
172Stateful-IPv6-Address-Pool
173IPv6-6rd-Configuration
174Allowed-Called-Station-Id
175EAP-Peer-Id
176EAP-Server-Id
177Mobility-Domain-Id
178Preauth-Timeout
179Network-Id-Name
180EAPoL-Announcement
181WLAN-HESSID
182WLAN-Venue-Info
183WLAN-Venue-Language
184WLAN-Venue-Name
185WLAN-Reason-Code
186WLAN-Pairwise-Cipher
187WLAN-Group-Cipher
188WLAN-AKM-Suite
189WLAN-Group-Mgmt-Cipher
190WLAN-RF-Band

Vendor-specific attributes

RADIUS is extensible; many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes. Microsoft has published some of their VSAs. VSA definitions from many other companies remain proprietary and/or ad-hoc, nonetheless many VSA dictionaries can be found by downloading the source code of open source RADIUS implementations, for example FreeRADIUS or openRADIUS.

Security

The RADIUS protocol transmits obfuscated passwords using a shared secret and the MD5 hashing algorithm. As this particular implementation provides only weak protection of the user's credentials, additional protection, such as IPsec tunnels or physically secured data-center networks, should be used to further protect the RADIUS traffic between the NAS device and the RADIUS server. Additionally, the user's security credentials are the only part protected by RADIUS itself, yet other user-specific attributes such as tunnel-group IDs or vlan memberships passed over RADIUS may be considered sensitive or private information as well. The RadSec protocol claims to solve aforementioned security issues.

History

As more dial-up customers used the NSFnet a request for proposal was sent out by Merit Network in 1991 to consolidate their various proprietary authentication, authorization and accounting systems. Among the early respondents was Livingston Enterprises and an early version of the RADIUS was written after a meeting. The early RADIUS server was installed on a UNIX operating system. Livingston Enterprises was acquired by Lucent and together with Merit steps were taken to gain industry acceptance for RADIUS as a protocol. Both companies offered a RADIUS server at no charge. RADIUS was in 1997 published as RFC 2058 and RFC 2059, current versions are RFC 2865 and RFC 2866.
The original RADIUS standard specified that RADIUS is stateless and should run over the User Datagram Protocol. For authentication it was envisaged that RADIUS should support the Password Authentication Protocol and the Challenge-Handshake Authentication Protocol over the Point-to-Point Protocol. Passwords are hidden by taking the MD5 hash of the packet and a shared secret, and then XORing that hash with the password. The original RADIUS also provided more than 50 attribute or value pairs, with the possibility for vendors to configure their own pairs.
The choice of the hop-by-hop security model, rather than end-to-end encryption, meant that if several proxy RADIUS servers are in use, every server must examine, perform logic on and pass on all data in a request. This exposes data such as passwords and certificates at every hop. RADIUS servers also did not have the ability to stop access to resources once an authorisation had been issued. Subsequent standards such as RFC 3576 and its successor RFC 5176 allowed for RADIUS servers to dynamically change a users authorization, or to disconnect a user entirely.
Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring and keep-alive checking of a RADIUS server. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly for security reasons, or to convert between vendor dialects.
The Diameter protocol was intended as the replacement for RADIUS. While both are Authentication, Authorization, and Accounting protocols, the use-cases for the two protocols have since diverged. Diameter is largely used in the 3G space. RADIUS is used elsewhere. One of the largest barriers to having Diameter replace RADIUS is that switches and Access Points typically implement RADIUS, but not Diameter. Diameter uses SCTP or TCP while RADIUS typically uses UDP as the transport layer. As of 2012, RADIUS can also use TCP as the transport layer with TLS for security.

Standards documentation

The RADIUS protocol is currently defined in the following IETF RFC documents.
RFCTitleDate publishedRelated articleRelated RFCsNotes
RFC 2058Remote Authentication Dial In User Service January 1997RADIUSObsoleted by RFC 2138
RFC 2059RADIUS AccountingJanuary 1997RADIUSObsoleted by RFC 2139
RFC 2138Remote Authentication Dial In User Service April 1997RADIUSObsoleted by RFC 2865
RFC 2139RADIUS AccountingApril 1997RADIUSObsoleted by RFC 2866
RFC 2548Microsoft Vendor-specific RADIUS AttributesMarch 1999RADIUS
RFC 2607Proxy Chaining and Policy Implementation in RoamingJune 1999
RFC 2618RADIUS Authentication Client MIBManagement information baseObsoleted by RFC 4668
RFC 2619RADIUS Authentication Server MIBManagement information baseObsoleted by RFC 4669
RFC 2620RADIUS Accounting Client MIBJune 1999Management information baseObsoleted by RFC 4670
RFC 2621RADIUS Accounting Server MIBJune 1999Management information baseObsoleted by RFC 4671
RFC 2809Implementation of L2TP Compulsory Tunneling via RADIUSApril 2000
RFC 2865Remote Authentication Dial In User Service June 2000RADIUSUpdated by RFC 2868, RFC 3575, RFC 5080This standard describes RADIUS authentication and authorization between a Network Access Server and a shared RADIUS authentication server. This protocol is also used to carry configuration information from the RADIUS server to the NAS.
RFC 2866RADIUS AccountingJune 2000RADIUSThis standard describes how accounting information is carried from the NAS to a shared RADIUS accounting server.
RFC 2867RADIUS Accounting Modifications for Tunnel Protocol SupportJune 2000RADIUSUpdates RFC 2866
RFC 2868RADIUS Attributes for Tunnel Protocol SupportJune 2000Updates RFC 2865
RFC 2869RADIUS ExtensionsJune 2000Updated by RFC 3579, RFC 5080
RFC 2882Network Access Servers Requirements: Extended RADIUS PracticesJuly 2000
RFC 3162RADIUS and IPv6August 2001
RFC 3575IANA Considerations for RADIUSJuly 2003
RFC 3576Dynamic Authorization Extensions to RADIUSJuly 2003Obsoleted by RFC 5176
RFC 3579RADIUS Support for EAPSeptember 2003Extensible Authentication ProtocolUpdates RFC 2869
RFC 3580IEEE 802.1X RADIUS Usage GuidelinesSeptember 2003802.1X
RFC 4014RADIUS Attributes Suboption for the DHCP Relay Agent Information OptionFebruary 2005
RFC 4372Chargeable User IdentityJanuary 2006
RFC 4590RADIUS Extension for Digest AuthenticationJuly 2006Obsoleted by RFC 5090
RFC 4668RADIUS Authentication Client MIB for IPv6August 2006Management information base
RFC 4669RADIUS Authentication Server MIB for IPv6August 2006Management information base
RFC 4670RADIUS Accounting Client MIB for IPv6August 2006Management information base
RFC 4671RADIUS Accounting Server MIB for IPv6August 2006Management information base
RFC 4675RADIUS Attributes for Virtual LAN and Priority SupportSeptember 2006
RFC 4679DSL Forum Vendor-Specific RADIUS AttributesSeptember 2006
RFC 4818RADIUS Delegated-IPv6-Prefix AttributeApril 2007
RFC 4849RADIUS Filter Rule AttributeApril 2007
RFC 5080Common RADIUS Implementation Issues and Suggested FixesDecember 2007Updates RFC 3579
RFC 5090RADIUS Extension for Digest AuthenticationFebruary 2008
RFC 5176Dynamic Authorization Extensions to RADIUSJanuary 2008
RFC 5607RADIUS Authorization for NAS ManagementJuly 2009
RFC 5997Use of Status-Server Packets in the RADIUS ProtocolAugust 2010Updates RFC 2866
RFC 6158RADIUS Design GuidelinesMarch 2011
RFC 6218Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying MaterialApril 2011
RFC 6421Crypto-Agility Requirements for Remote Authentication Dial-In User Service November 2011
RFC 6613RADIUS over TCPMay 2012Experimental
RFC 6614Transport Layer Security Encryption for RADIUSMay 2012Experimental
RFC 6911RADIUS Attributes for IPv6 Access NetworksApril 2013Standards track
RFC 6929Remote Authentication Dial-In User Service Protocol ExtensionsApril 2013Updates RFC 2865, RFC 3575, RFC 6158
RFC 7360Datagram Transport Layer Security as a Transport Layer for RADIUSSeptember 2014Experimental
RFC 7585Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier Oct 2015Experimental
RFC 8044Data Types in RADIUSJanuary 2017Updates: 2865, 3162, 4072, 6158, 6572, 7268