Saturday 8 August 2015

Radius in detail

Following step-by-step procedure explains radius protocol in detail.

Step 1: User sends his/her credentials to Radius client

Step 2: Client receives credentials from user and creates an "Access-Request" contains user credentials, id of the radius client, and the Port ID which the user is accessing. Password is hidden using a method based on the RSA Message Digest Algorithm MD5.

Properly generated Access_Request packet sent to radius server.

If client didn’t receive any response from Radius server in given time, then client resends Access_Request packet to server.

If primary Radius server is unreachable/down, client sends Access_Request to any other available radius servers.

Step 3: Once Radius server receives “Access_Request” packet from Radius client, it validate Radius client. If radius client is valid, then Radius server validates user credentials against user store (database). The RADIUS server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client.

If any Proxy_State attributes present in the Access_Request, they MUST be copied unmodified and in order into the response packet.

Depends on information in the Access_Request packet, Server can send Access-Accept, Access-Reject, Access-Challenge responses.

If server found invalid credentials, then server send Access-Reject response.

If server found valid credentials, server may issue a challenge to the user. User must respond to the challenge. Access_challenge may include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute.


Client receives Access_Challenge message and display the text message to the user, prompt user for a response. Once client receives response from user, client resubmits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted). The server can respond to this new Access-Request with either an Access-Accept, an Access-Reject, or another Access-Challenge.



Prevoius                                                 Next                                                 Home

No comments:

Post a Comment