Radius Server><br>
<td width=149 valign=top background=http://www.arlinx.com/orangeBorder.jpg>
<img src=http://www.arlinx.com/leftBorder.jpg width=150 alt=
Radius Server Appliance Radius Server Applications Linux Radius Server Platform Contact Radius Server Appliance Platform

Radius Server AAA Authentication Authorization Accounting

RADIUS Server AAA Authentication Authorization Accounting


NOTE: Diameter is the proposed successor of the RADIUS protocol.
Go to Arlinx Diameter Page

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for applications such as network access or IP mobility. It is intended to work in both local and roaming situations.

Most ISPs (commonly modem, DSL, or wireless 802.11 services) require you to enter a username and password in order to connect on to the Internet. Before access to the network is granted, this information is passed to a Network Access Server (NAS) device over the link-layer protocol (for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers), then to a RADIUS server over the RADIUS protocol. The RADIUS server checks that the information is correct using authentication schemes like PAP, CHAP or EAP. If accepted, the server will then authorize access to the ISP system and select an IP address, L2TP parameters, etc.

Even when used with PAP, RADIUS protocol does not transmit passwords in cleartext between NAS and RADIUS server, but in hidden, using a rather complex operation instead, which involves MD5 hashing and shared secret, as described in references.

RADIUS is also commonly used for accounting purposes. The NAS can use RADIUS accounting packets to notify the RADIUS server of events such as

  • The user's session start
  • The user's session end
  • Total packets transferred during the session
  • Volume of data transferred during the session
  • Reason for session ending
The primary purpose of this data is so that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.

Additionally RADIUS is widely used by VoIP service providers. It is used to pass login credentials of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and then to RADIUS server using RADIUS. Sometimes it is also used to collect call detail records (CDRs) later used, for instance, to bill customers for international long distance.

RADIUS was originally specified in an RFI by Merit Network in 1991 to control dial-in access to NSFnet. Livingston Enterprises responded to the RFI with a description of a RADIUS server. Merit Network awarded the contract to Livingston Enterprises that delivered their PortMaster series of Network Access Servers and the initial RADIUS server to Merit. RADIUS was later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866). Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc. Accounting records can be written to text files, various databases, forwarded to external servers, etc. SNMP is often used for remote monitoring. RADIUS proxy servers are used for centralized administration and can rewrite RADIUS packets on the fly (for security reasons, or to convert between vendor dialects).

RADIUS is a common authentication protocol utilized by the 802.1X security standard (often used in wireless networks). Although RADIUS was not initially intended to be a wireless security authentication method, it improves the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.

RADIUS is extensible; many vendors of RADIUS hardware and software implement their own variants using Vendor-Specific Attributes (VSAs).

RADIUS uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting. For example, Microsoft RADIUS servers default to the higher ports but Cisco devices default to the lower ports. Juniper Networks' RADIUS servers also defaults to the lower ports. The official IETF port number assignment is the higher port numbers 1812 and 1813.

The DIAMETER protocol is the planned replacement for RADIUS. DIAMETER uses SCTP or TCP while RADIUS uses UDP as the transport layer.


AAA: Authentication Authorization Accounting
Diameter the proposed successor to RADIUS
EAP: Extensible Authentication Protocol

Technical Documentation

RADIUS Technical Description RFC 2865
RADIUS Accounting Modifications Tunnel Protocol Support RFC 2867
RADIUS Accounting RFC 2866
RADIUS Accounting Server Management Information Base RFC 2621
RADIUS Attributes Tunnel Protocol Support-RFC 2868
RADIUS Authentication Server Management Information Base RFC 2619
RADIUS Extensions RFC 2869

IEEE 802.1X Remote Authentication Guidelines RFC 3580.html

Open Source

Open Diameter
Open1x and xsupplicant

Apache RADIUS AAA module, Radius client implementation for Apache to allow basic authentication and authorization through RADIUS.

Radiusclient, FreeRADIUS Client, a framework and library for writing RADIUS Clients

radiusclient-ng, library support for RADIUS