
Overview of the RADIUS authentication protocol

Question/Issue:
This document provides a general overview of the RADIUS authentication protocol and is provided for your reference and general education. More details on this topic are available in a variety of reference material, both online and in print, provided by several vendors and technical working groups. The Technical Information section of this document provides a link to the RFC document that explains RADIUS.


Solution:
What is RADIUS
Short for Remote Authentication Dial-In User Service, RADIUS was initially developed as a lightweight standard identification and authentication system to authenticate users who dialed into banks of modems for remote access. Since then, RADIUS has grown into a commonly supported authentication method, used with many operating systems and network devices. RADIUS is considered the de facto standard for remote user authentication.

Authentication vs Authorization
It is important to point out the difference between authentication and authorization. Authentication verifies that a user or host is who it claims to be and validates the request. Authorization, on the other hand, ensures that the response to an access request is neither too permissive nor too restrictive. Both tasks are sometimes performed by the same systems or software, and understanding the difference reduces work during implementation and troubleshooting.

How it works
RADIUS is a relatively simple protocol. The essential components are the client host, the Network Access Server (the RADIUS client), and the RADIUS server. The client host requests access to resources from the Network Access Server. The Network Access Server authenticates the client against the RADIUS server and, if the credentials are valid, the Network Access Server then decides what authorization level is appropriate for the holder of the credentials and grants access accordingly.
The communication between the Network Access Server and the RADIUS server is fairly secure, as RADIUS administrators are required to provide a shared secret on both systems. On the RADIUS server, each Network Access Server is defined, and a unique shared secret can be defined, along with other options such as address, filter-id group names, and more.
The RADIUS client is configured to point to the RADIUS server. The RADIUS server denies any Network Access Server that it is not configured to allow, or whose shared secret is incorrect. The shared secret is also used in the process of hashing the user credentials to ensure that they are not sent across the network in clear text. This helps keep credential information secure as it passes through the network.

The following list outlines each step in the RADIUS authentication process:

  1. The client sends a request for service to the Network Access Server.
  2. The Network Access Server responds to the client machine, prompting for a user name and password (or other authentication credentials, such as the hashed result of a random value).
  3. The client provides its credentials.
  4. The Network Access Server sends a RADIUS Access-Request to the RADIUS server. This request includes a hash of the user's credentials encoded with the shared secret that is entered on both the RADIUS server and the Network Access Server.
  5. The RADIUS server first verifies that the communication is coming from an authorized Network Access Server and, if so, verifies the credentials against its database, then sends a response to the Network Access Server.
  6. The Network Access Server receives Access-Accept or Access-Reject from the RADIUS server and uses this result to decide whether to allow or reject the client's access attempt.
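The following Python script is an added example, not code from this article or from any Symantec product. It walks through steps 4 to 6 above at the packet level as RFC 2865 defines them: the Network Access Server hides the User-Password with the shared secret and the Request Authenticator, the RADIUS server recovers and checks it, and the Network Access Server accepts the verdict only if the Response Authenticator was computed with the same shared secret. The secret, user name and password are constructed sample values.

```python
import hashlib
import struct

# Constructed demonstration (not the article's code); secret, user and password are sample values.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block); the first block uses the Request Authenticator, so no clear-text password is sent."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password; a wrong shared secret yields garbage."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, user, password, secret, req_auth):
    """Step 4: the NAS sends User-Name and the hidden User-Password."""
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(packet, secret, user_db):
    """Steps 5-6: recover the credentials with this NAS's shared secret, check them, and sign
    the reply with Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    ident, req_auth, attrs, fields, pos = packet[1], packet[4:20], packet[20:], {}, 0
    while pos < len(attrs):
        fields[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    password = reveal_password(fields[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(fields[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # reply carries no attributes here
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_verify_reply(reply, req_auth, secret):
    """The NAS trusts the verdict only if the Response Authenticator matches its own secret."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected
```

A reply produced with a different secret fails nas_verify_reply, and an Access-Request hidden with a different secret decrypts to garbage and is rejected, which is the check step 5 relies on.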
Symantec products that support RADIUS include Symantec Enterprise Firewall, Symantec VelociRaptor, Symantec Gateway Security 300 Series and 5400 Series appliances and Symantec Web Security.



References:
For more information on the RADIUS protocol, read RFC 2865 - Remote Authentication Dial In User Service.

Document ID: 2004041309223454
Last Modified: 01/18/2007
Date Created: 04/13/2004
Product(s): Symantec Enterprise Firewall 8.x
Release(s): Symantec Enterprise Firewall 8.0


