RADIUS stands for "Remote Authentication Dial-In User Service" and is referred to as a "triple-A protocol". The three "A"s stand for:
- Authentication
- Authorization
- Accounting (billing)
This protocol allows you to grant users access to a network, to assign them certain rights and to track their actions. Where necessary, the RADIUS server can also be used in the billing of user services such as WLAN hot spots. For every action performed by the user, the RADIUS server can run an authorization procedure that releases or blocks access to network resources on a per-user basis.
Three different devices are required for RADIUS to work:
- Client: This is a device (PC, notebook etc.) from which the user wishes to dial in to the network.
- Authenticator: A network component that is positioned between the network and the client and forwards the authorization. This task can be performed by an access point, for example. The authenticator is referred to as the Network Access Server (NAS).
- Authentication server: RADIUS server on which user data is configured. This is usually located within the same network for which it issues access authorizations. It is accessible to the client via the authenticator. Some scenarios may also allow the use of an access point for this task.
The authenticator initially has no information about the clients that want to register. All of this is stored in a database on the RADIUS server; the registration information that the server needs for the authentication process can vary from network to network. The authenticator has just one task: transferring the information between the client and the RADIUS server.
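The relay role described above, as an added example that is not part of the original page: a Python model of the exchange between authenticator and RADIUS server using the RFC 2865 packet layout, which goes beyond what this page covers. The shared secret, user database, NAS identifier and all function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32      # RFC 2865 attribute types

def hide_password(data, secret, request_auth, reverse=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if reverse else result   # the chain always runs over ciphertext
        out += result
    return out

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def nas_build_request(ident, user, password, secret, nas_id=b"ap-01"):
    """Authenticator (NAS): wraps the client's credentials; it has no user database."""
    request_auth = os.urandom(16)
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    attrs = (attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas_id)
             + attr(USER_PASSWORD, hide_password(padded, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(buf):
    attrs = {}
    while buf:
        if len(buf) < 2 or buf[1] < 2 or buf[1] > len(buf):
            raise ValueError("malformed attribute")
        attrs[buf[0]] = buf[2:buf[1]]
        buf = buf[buf[1]:]
    return attrs

def server_handle(packet, secret, user_db):
    """Authentication server: the only party that holds the user database."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = hide_password(attrs[USER_PASSWORD], secret, request_auth, reverse=True).rstrip(b"\x00")
    stored = user_db.get(attrs[USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()  # Response Authenticator

def nas_verify_reply(reply, request, secret):
    """Return the reply code, or None if the reply does not verify with the shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    valid = reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)
    return reply[0] if valid else None
```

Only `server_handle` receives `user_db`; the NAS functions work with nothing but the shared secret and what the client supplied.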
Access to a RADIUS server can be configured in several ways:
- Using PPP when dialing into a network
- Via WLAN
- Via a public spot for users who register using a browser
- Via the 802.1X protocol