A protocol for authentication, authorization, and accounting of remote access connections using dial-up networking and virtual private network (VPN) functionality. Remote Authentication Dial-In User Service (RADIUS) is typically implemented with the Point-to-Point Tunneling Protocol (PPTP).
RADIUS is a client/server protocol that centralizes the profile information of dial-up users in a central database on a RADIUS server, which runs special RADIUS software. The RADIUS server is generally separate from the network access server (NAS) that actually allows the client to make a dial-up connection. An RFC-compliant RADIUS server stores all user profile information in a flat-file ASCII database that is accessible by any NAS that needs it to authenticate users. Some RADIUS servers can also use UNIX password files, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), third-party security systems, and Network Information Services (NIS) for authenticating users. This improves the security of remote access to corporate networks through tunneling across the Internet and simplifies administration of remote users. RADIUS servers are also typically used to provide statistics for billing purposes.
In a typical session, a client dials in to a NAS at an Internet service provider (ISP) and submits its credentials, which the NAS reformats as RADIUS packets and forwards to the RADIUS server. The RADIUS server can authenticate the user directly or act as a proxy client to forward the authentication process to some other type of service or security device. Once the RADIUS server authenticates the client, it informs the NAS, which allows the client to complete its connection. All communication between the client and the RADIUS server is encrypted.
Graphic R-5. Remote Authentication Dial-In User Service (RADIUS).
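The NAS-to-server exchange in the session described above, as an added Python example that is not part of the original entry; it follows the RFC 2865 packet layout, in which the shared secret hides only the User-Password attribute and authenticates the reply, while attributes such as User-Name cross the link unencrypted. The function names, the shared secret and the user table are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
# Constructed sample values (not from the page).
SECRET, USERS = b"constructed-shared-secret", {b"alice": b"correct horse battery"}

def pw_blocks(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], key))
        prev = block if hide else data[i:i + 16]   # always chain on the ciphertext
        out += block
    return out

def build_request(ident, user, password, secret):
    """NAS side: Access-Request with a random 16-byte Request Authenticator."""
    auth = os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = ((USER_NAME, user), (USER_PASSWORD, pw_blocks(padded, secret, auth, True)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def parse_attrs(packet):
    attrs, i, end = {}, 20, min(len(packet), struct.unpack("!H", packet[2:4])[0])
    while i + 2 <= end:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > end:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def server_reply(request, secret, users):
    """Server side: recover the password, answer with a Response Authenticator."""
    ident, auth, attrs = request[1], request[4:20], parse_attrs(request)
    stored = users.get(attrs.get(USER_NAME))
    given = pw_blocks(attrs.get(USER_PASSWORD, b""), secret, auth, False).rstrip(b"\x00")
    ok = stored is not None and hmac.compare_digest(stored, given)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + auth + secret).digest()

def nas_verify(reply, request, secret):
    """NAS side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A NAS that skips `nas_verify` will accept a reply whose code byte was altered in transit, so the check belongs on every response.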
RADIUS is supported by the Internet Authentication Service (IAS).