What is RADIUS Protocol ?

What is RADIUS protocol?

RADIUS stands for Remote Authentication Dial-In User Service. It is networking protocol that authorizes and authenticates users who access a remote network.
It is a de facto industry standard for controlling the remote access of users to your network.

RADIUS performs three basic functions:

1. Authentication
RADIUS authenticates devices or users prior to allowing them to access a network.

2. Authorization
RADIUS authorizes devices or users, allowing them to use specific services on the network.

3. Accounting
RADIUS accounts for the number of resources used—such as packets, bytes, and the time expended—during the session.


According to John Vollbrecht, founder of Interlink Networks and a central figure in the emergence of the RADIUS protocol, the RADIUS story began in 1987 when the National Science Foundation (NSF) awarded a contract to Merit Network Inc. to expand NSFnet (i.e., the precursor to the modern internet).

Merit Network Inc. was a non-profit corporation hosted at the University of Michigan that had been developing a proprietary network authentication protocol to connect universities throughout Michigan.

At the time, most networks leveraged proprietary protocols and were exclusive in this way. And Merit’s MichNet had its own proprietary protocol...

The NSF contract to expand NSFnet was an effort to bring the internet to the public. In order to do so, however, Merit’s proprietary network had to be CONVERTED to the IP-based network protocol for NSFnet.

Merit then solicited proposals from vendors to develop a protocol that could support Merit’s dial-in authentication approach but for IP-based networks.

They received a response from a company called Livingston Enterprises, whose proposal basically contained the description of the RADIUS protocol.

Merit Networks Inc. accepted the proposal from Livingston Enterprises in 1991, and the RADIUS protocol was born.

By 1995, it was adopted by IETF as the industry standard for internet draft and was immediately picked up by most network(ing) vendors and became a de facto industry standard, even though a numbers of security concerns were raised about it.

How Does RADIUS Work?

RADIUS is a client/server protocol.

The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process running on a UNIX or Windows Server machine.

The client passes user information to designated RADIUS servers and acts on the response that is returned.

RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user.

A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

A typical interaction between a user and the RADIUS Client/Server will basically follows the following sequence:
1. User initiates PPP authentication to the Network Access Server (NAS).
2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP] or EAP).
3. User replies.
4. RADIUS client sends username and 'encrypted password' to the RADIUS server.
5. RADIUS server responds with Accept, Reject, or Challenge. Each of these responses can be passed to the user in a return webpage.
6. The RADIUS client acts upon services and services parameters bundled with Accept or Reject.

Authentication and Authorization with RADIUS

A RADIUS Client (or Network Access Server) is a networking device (like a VPN concentrator, router, switch) that is used to authenticate users.

A RADIUS Server is a background process that runs on a UNIX or Windows server. This server bases its operation on the User Datagram Protocol (UDP). It lets you maintain user profiles in a central database. It can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP or CHAP, UNIX login, and other authentication mechanisms.

Typically, a user login consists of a query (read, Access-Request) from the NAS to the RADIUS server. The Access-Request packet contains the username, encrypted password, NAS IP address, and port. And a corresponding response from the server would come in the form of Access-Accept or Access-Reject. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.

Officially assigned port number for RADIUS is 1812 & 1813. Port number 1812 is used for Authentication and Authorization, whereas port number 1813 is used for Accounting.

The format of the request is important here as it provides information about the type of session that the user wants to initiate. For example, if the query is presented in character mode, the inference is "Service-Type = Exec-User," but if the request is presented in PPP packet mode, the inference is "Service Type = Framed User" and "Framed Type = PPP."

When the RADIUS server receives the Access-Request from the NAS, it searches its database for the username listed. If the username does not exist in the database, either a default profile is loaded or the RADIUS server immediately sends an Access-Reject message. This Access-Reject message can be accompanied by a text message indicating the reason for the refusal.

The beauty of RADIUS protocol is that it combines Authentication and Authorization in single process.

If the username is found and the password is correct, the RADIUS server returns an Access-Accept response, including a list of attribute-value pairs that describe the parameters to be used for this session. Typical parameters include service type (shell or framed), protocol type, IP address to assign the user (static or dynamic), access list to apply, or a static route to install in the NAS routing table. The configuration information in the RADIUS server defines what will be installed on the NAS.

Accounting with RADIUS
RADIUS Servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.

The RADIUS accounting functions allow data to be sent at the start and end of sessions, indicating the amount of resources used (such as time, packets, bytes, and so on) during the session. An Internet service provider (ISP) might use RADIUS access control and accounting software to meet special security and billing needs.

A basic RADIUS accounting process includes the following steps:
1. The process starts when the user is granted access to the RADIUS Server.
2. The RADIUS Client sends a RADIUS Accounting-Request packet known as Accounting Start, to the RADIUS Server. The request packet comprises the user ID, network address, session identifier, and point of access.
3. During the session, the Client may send additional Accounting-Request packets known as Interim Update to the RADIUS Server. These packets include details like the current session duration and data usage. This packet serves the purpose of updating the information about the user's session to the RADIUS Server.
4. Once the user’s access to the RADIUS Server ends, the RADIUS Client sends another Accounting-Request packet known as Accounting Stop, to the RADIUS Server. The packet includes information such as total time, data, and packets transferred the reason for disconnection, and other information relevant to the user's session.

Here in the functionality of accounting RADIUS has a certain edge over TACACS+.

Some Limitations of Modern Implementation of RADIUS

There is no doubt that RADIUS protocol proved a success from the point of view of network security and control. But it presents a number of challenges too in the modern setups.

Historically, RADIUS was implemented for on-premise deployments that effectively required your existing Identity and Access Management (IAM) infrastructure to operate properly. It used your directory server, RADIUS server, your routers, switches, load-balancers, etc.)

However, most on-prem IAM infrastructure have been largely focused on Microsoft Windows, with Microsoft Active Directory (AD) acting as the core identity provider. To be fair, AD does offer its own ancillary RADIUS functionality (in the form of another server called Windows Server NPS – Network Policy Server). Right?

Since modern IT has diversified a lot. So much of cross-platform technologies are being used now a days. And most companies had opted for hybrid-cloud environments to their IT ecosystems. These developments are pushing these companies to move away from implementing Active Directory on premise approach.

Especially now during the COVID pandemic with remote work has become so critical. Remote employees need access to a company’s network, but this needs to be done securely, particularly because remote workers may use a variety of devices with varying levels of security. A zero-trust network access policy is one that assumes every connection can be malicious and requires authentication, across the board, regardless of the user trying to connect.

You can see that many companies are shifting their entire on-prem identity management infrastructure to the cloud with AD alternatives. This approach comes with a variety of benefits such as increased agility and reduced costs, but without anything on-prem, how do IT organizations continue to provide secure RADIUS authentication and keep their networks – whether WiFi or VPN - secure?

They are achieving this security with the help of next-generation 'Cloud-based' IAM solutions that are providing Cloud RADIUS as a microservice. Many of these new solutions are serving as a comprehensive cloud-based AD alternative. They are taking a cross-platform, vendor-neutral, protocol-driven approach to managing modern IT networks - whether they are remote or on-prem.

These solutions are making network admins free to leverage the best IT resources for their organization with the peace of mind that comes from knowing they can effectively manage the entire network using web-based RADIUS authentication.

A RADIUS protocol makes use of a RADIUS client, or network access server (NAS), and a RADIUS server. It performs some of the same functions as a Lightweight Directory Access Protocol (LDAP), and it provides local authentication services by maintaining an active directory of user credentials. Its security features put it on par with Transmission Control Protocol (TCP).