Introduction
Over the past few decades, a security threat has come to be regarded as the potential cause of an unwanted event that is likely to damage a network or a system. To combat cyber-related attacks, there is an essential need to deploy high-end security systems that maintain confidentiality, integrity and availability on several fronts. Companies can use several security mechanisms to safeguard networks from unauthorised users, such as demilitarized zones, intrusion detection systems, sandboxing, dedicated firewalls, and network segmentation. One of the most effective security mechanisms that can be used on the network is the RADIUS server. RADIUS is an acronym for ‘Remote Authentication Dial-In User Service’, a remote authentication protocol developed by Livingston Enterprises Inc. to provide authentication, authorisation and accounting. The RADIUS server relies on a central database primarily used for authenticating remote users, where a unique encryption key is used for each user. The server also uses two ports, 1812 for authentication and 1813 for authorisation. As unauthorised attempts on the network increased and administrators could not monitor them, this security mechanism helped them manage network access and stop unauthorised users from infiltrating the network. Therefore, RADIUS servers are now used to overcome the potential threat of unauthorised attempts on the web.
What is RADIUS Server?
The RADIUS server is primarily configured on the network to protect against unauthorised users, as every user is verified before access is granted. The RADIUS protocol is configured on the RADIUS server and is considered a connectionless service. All issues associated with availability, timeouts and retransmission are handled by RADIUS-enabled devices rather than by the transport protocol (Bhatt, 2019). The server bases its operations on UDP (User Datagram Protocol) and is a daemon application that can be executed on Windows and Unix-based machines. Here, a daemon is a program that runs on the system as a background process (Bhatt, 2019). Furthermore, the RADIUS server works with four different packet types, which are explained in detail below.
- Packet type 1: Access-Request
This type of packet is sent from the client to the server to begin a new authentication conversation or to respond to a previous response by providing the requested information. In addition, this packet type always contains user credentials, i.e. user name and password. It has an optional state field to indicate whether or not a conversation needs to be initiated.
- Packet type 2: Access-Accept
The Access-Accept packet is sent from the server to the client to indicate successful authentication (ForgeRock, 2022).
- Packet type 3: Access-Reject
In case of failed authentication, an Access-Reject packet is sent from the server to the client. Unlike the Access-Request packet, this packet type also has a state field that is associated with the existing conversation.
- Packet type 4: Access-Challenge
The last type solicits more information about the user being authenticated on the network and is sent from the server to the client. More information here refers to an SMS-related one-time password through which users need to verify their identity.
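To make the four packet types concrete, here is an added example (not code from any of the cited sources) that parses a RADIUS datagram into its packet type and attributes and rejects malformed input. The code and attribute numbers follow RFC 2865; the function names and the sample packet are constructed for illustration.

```python
import struct

# Packet codes for the four types described above (RFC 2865)
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, STATE = 1, 24          # attribute type numbers (RFC 2865)

def parse_packet(data: bytes) -> dict:
    """Parse the 20-byte header and the type-length-value attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError("declared length does not fit the datagram")
    if code not in CODES:
        raise ValueError(f"unexpected packet code {code}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs outside the packet")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES[code], "id": ident,
            "authenticator": data[4:20], "attrs": attrs}

def first(pkt: dict, a_type: int):
    """Return the value of the first attribute of this type, or None."""
    return next((v for t, v in pkt["attrs"] if t == a_type), None)

def build(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Helper that serialises a packet so the parser has sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

# Constructed sample: an Access-Challenge carrying a State attribute
SAMPLE_CHALLENGE = build(11, 7, bytes(16), [(STATE, b"session-42")])

if __name__ == "__main__":
    pkt = parse_packet(SAMPLE_CHALLENGE)
    print(pkt["code"], pkt["id"], first(pkt, STATE))
```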
How does the RADIUS server work?
As RADIUS is a lightweight datagram-based protocol, it is supported by several devices and servers for external authentication. The working of the RADIUS server is based on the different packet types mentioned in the previous section. In the RADIUS authentication process, the Authentication module, also known as AM, plays a significant role as it acts as a RADIUS client, delegating authentication to a RADIUS server (Fortinet, 2022). To understand clearly how the RADIUS server works, refer to the following diagram, which shows how the user authenticates and how the RADIUS server provides authorisation.
- Step 1: In the diagram above, the user first generates an authentication request (access-request), which is forwarded to the authentication module.
- Step 2: On receiving the request, the authentication module responds to the user so that the user can enter a valid user name and password.
- Step 3: The details entered by the user are again forwarded to the authentication module so they can be submitted to the RADIUS server (ForgeRock, 2022).
- Step 4: In this step, the authentication module forwards the authentication request to the RADIUS server using the access-request packet.
- Step 5: Upon verifying the user, the external server replies to the authentication module with the access-accept packet. In case of invalid login details, the server provides the authentication module with an access-reject packet (ForgeRock, 2022).
- Step 6: The next step after the access-accept packet is generated is to assign an SSO token, also known as a Single Sign-On token, to provide access to the user.
- Step 7: If multi-factor authentication is enabled on the RADIUS server, then the access-challenge packet type is used, prompting users to provide more information for successful authentication.
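Steps 4 and 5 at the wire level, as an added example that is not taken from the cited sources: the client hides the password with the shared secret, the server checks it and replies, and the client trusts the verdict only if the Response Authenticator verifies. The constructions follow RFC 2865; the secret, user database and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

SECRET = b"constructed-shared-secret"   # constructed sample value
USERS = {b"alice": b"correct horse"}    # constructed sample user database

def xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block); MD5 is what the RFC specifies."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def client_request(ident, user, password, secret):
    """Step 4: build the Access-Request (code 1); returns (packet, authenticator)."""
    req_auth = os.urandom(16)
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    attrs = attr(1, user) + attr(2, xor_blocks(padded, secret, req_auth, True))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def server_reply(request, secret, users):
    """Step 5: recover the password, then send Access-Accept (2) or Access-Reject (3)."""
    ident, req_auth, name_len = request[1], request[4:20], request[21]
    user = request[22:20 + name_len]     # layout built above: User-Name, User-Password
    hidden = request[22 + name_len:]
    password = xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(password, expected)
    header = struct.pack("!BBH", 2 if ok else 3, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(reply, ident, req_auth, secret):
    """Trust the verdict only if the ID and Response Authenticator both match."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if reply[1] != ident or not hmac.compare_digest(expected, reply[4:20]):
        return "discard"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], "discard")

if __name__ == "__main__":
    req, ra = client_request(5, b"alice", b"correct horse", SECRET)
    print(client_verify(server_reply(req, SECRET, USERS), 5, ra, SECRET))
```

A reply produced without the shared secret, or one that answers a different request ID, is discarded by `client_verify` instead of being treated as an accept.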
Configuration of RADIUS Server
There are several ways to configure a RADIUS server. Here, the configuration of the RADIUS server in Cisco Packet Tracer is shown. In Cisco Packet Tracer, the AAA option must be opened, where the RADIUS port and client IP address are assigned. The client’s name and secret code must also be provided.
The basic wireless settings for the router are configured here (Elias & Ali, 2014).
When a RADIUS server is configured on a network, the wireless router must be configured too, with the RADIUS server's IP address and port number assigned.
To check that the RADIUS server works, laptop0 (the user) is connected to the wireless network by providing valid login credentials (Elias & Ali, 2014).
Conclusion
To conclude, the RADIUS server significantly assists in making sure that the network is safeguarded from malicious attempts and that only authorised users are permitted access. This security mechanism is based on AAA capabilities and ensures that the user is properly authenticated and authorised. The use of different types of packet requests helps in properly authenticating the user on the network.
References
- Bhatt, M. (2019). RADIUS Server (RADIUS Authentication) and How it Works. Foxpass.com. Retrieved 22 January 2022, from https://www.foxpass.com/blog/radius-server-and-how-it-works.
- ForgeRock. (2022). What Is the RADIUS Protocol? | Fortinet. Backstage.forgerock.com. Retrieved 22 January 2022, from https://www.fortinet.com/resources/cyberglossary/radius-protocol.
- Fortinet. (2022). What Is the RADIUS Protocol? | Fortinet. https://www.fortinet.com. Retrieved 22 January 2022, from https://www.fortinet.com/resources/cyberglossary/radius-protocol.
- Elias, M., & Ali, A. (2014). Survey on the Challenges Faced by the Lecturers in Using Packet Tracer Simulation in Computer Networking Course. Procedia – Social And Behavioral Sciences, 131, 11-15. https://doi.org/10.1016/j.sbspro.2014.04.070