What is RADIUS authentication?

Written by Ashwin Kumar | MFA | 2 min read

On this page
  • Understanding RADIUS authentication
  • Why do you need RADIUS authentication?
  • Verification factors available in RADIUS authentication
  • Prerequisites to implement RADIUS authentication
  • How does RADIUS authentication work?
  • Use RADIUS for MFA through ADSelfService Plus
  • People also ask

Understanding RADIUS authentication

Remote Authentication Dial-In User Service (RADIUS) is a protocol that facilitates communication between network devices, remote access servers, and a central database, allowing users and devices to be authenticated to access networks. RADIUS was initially created to verify the identities of users who access corporate networks remotely through modem pools and serial line connections.

Remote users who authenticate with RADIUS connect to the network through a network access server (NAS). The NAS queries the RADIUS server, a central authentication server that holds the details of the clients permitted to connect through that NAS, to retrieve the client's record and complete the verification.

Why do you need RADIUS authentication?

Devices such as routers, switches, wireless access points, and VPNs are the major gateways through which crucial data of organizations are communicated. These devices need to authenticate users and devices attempting to access the network. RADIUS authenticates their credentials, ensuring that only authorized users and devices can access the critical components of an organization's network infrastructure.

What sets RADIUS apart from other protocols is that it offers capabilities beyond authentication. RADIUS provides extensive logging and accounting features that track user activities in the network. These logs are useful for monitoring network usage, detecting suspicious behavior, and conducting forensic analysis in the event of a security incident.

RADIUS can also be integrated into MFA solutions, thereby authorizing not only network access but also access to other resources like apps and machines.

Verification factors available in RADIUS authentication

RADIUS can authenticate users with two different authentication methods. They are:

  • Password Authentication Protocol (PAP): This method is used by remote users to connect to corporate networks. The RADIUS client (the NAS) sends the remote user's credentials (i.e., the username and password) to the RADIUS server, where they are checked against the stored data. If the authentication is successful, the user is authorized to access the network. This process can also be made more secure with a TOTP generated by the RADIUS server.
  • Challenge Handshake Authentication Protocol (CHAP): This method is used by network devices and remote users that need to connect to corporate networks without a typical text-based (plaintext password) exchange. Instead of sending the password, the client proves knowledge of a shared secret by answering a challenge with an encrypted response. When the RADIUS server verifies that response, the client is authorized to access the network.

PAP is predominantly used when RADIUS is employed as an additional factor in MFA solutions. The focus of these solutions is to authorize users to access other resources, and PAP is much easier to integrate with them.

Prerequisites to implement RADIUS authentication

RADIUS authentication uses a centralized architecture to deliver consistent and secure authentication across all network devices and services.

Before implementing RADIUS authentication, certain prerequisites must be met to ensure a smooth and successful setup. Here are the essential requirements:

  • NAS devices: Devices such as routers, switches, VPN concentrators, or wireless access points that will communicate with the RADIUS server to authenticate users.
  • Network infrastructure: The network infrastructure must support RADIUS communication. This includes having a reliable network connection between the NAS devices and the RADIUS server.
  • RADIUS server: A database that contains the credentials and profiles of the users who will be authenticated to access the network. This database can be a separate server or integrated with an existing directory, such as Active Directory.
  • RADIUS server software: An application to manage the RADIUS server. Popular options include FreeRADIUS, Microsoft Network Policy Server (NPS), and Cisco Access Control Server (ACS).
  • Security certificates: When using a certificate-based authentication method for the CHAP implementation of RADIUS, the necessary security certificates must be installed and configured on both the RADIUS server and client devices.
  • Authentication protocols: The authentication protocol that will be used (PAP or CHAP). Both the RADIUS server and NAS devices must support the chosen protocol.
  • Firewall configuration: Firewall rules must be configured to allow RADIUS traffic (typically UDP ports 1812 for authentication and 1813 for accounting).

How does RADIUS authentication work?

Here's how the entire process of verifying remote users and network devices using RADIUS authentication works:

  • User or device request: A user or network device attempts to access a network through a NAS, which is connected to a RADIUS server.
  • Authentication method:
    • PAP: The user submits their credentials (i.e., username and password) to the NAS.
    • CHAP: The network device uses an encrypted shared secret to initiate the authentication process with the NAS.
  • NAS forwards credentials: The NAS forwards the received credentials to the RADIUS server for verification. In the case of PAP, the credentials are sent as-is, while for CHAP, an encrypted challenge response is sent.
  • Verification by the RADIUS server:
    • PAP: The RADIUS server compares the submitted username and password against its stored data. If the credentials match, the RADIUS server authenticates the user to access the network. The server can be configured to generate a TOTP for extra security.
    • CHAP: The RADIUS server verifies the encrypted challenge response using the shared secret. If the response is correct, the authentication is successful.
  • Authentication response:
    • If the authentication is successful, the RADIUS server authorizes the user or device to access the network.
    • If the authentication fails, the RADIUS server denies access to the network.
  • Authorization: Upon successful authentication, the RADIUS server checks the user's or device's permissions and assigns appropriate access levels based on predefined policies. This step ensures that only authorized resources and services are accessible.
  • Accounting: Throughout the session, the RADIUS server tracks the user's or device's activities and usage for accounting purposes. It sends periodic updates to log session duration, resources accessed, and data transferred.
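The PAP and CHAP exchanges described in the "Verification factors" section and the request/verify/respond steps listed above, as an added example (this is not ManageEngine or ADSelfService Plus code, and the shared secret, user database and credentials are constructed for illustration). The NAS side builds an Access-Request per RFC 2865, the server side verifies it and signs the Access-Accept or Access-Reject with the Response Authenticator, and the NAS refuses any reply that is not bound to its own request. Two defender-relevant details are visible in the code: PAP's User-Password hiding is an MD5 XOR chain keyed by the shared secret, which is obfuscation rather than encryption, so RADIUS traffic still needs a protected management network or a RadSec (TLS) tunnel; and CHAP never carries the password itself, only a digest of the challenge. The Message-Authenticator attribute (RFC 2869) that real deployments should also send is omitted to keep the example short.

```python
"""RADIUS (RFC 2865) PAP and CHAP round trip: the NAS builds an Access-Request,
the server checks it against its user store and signs an Access-Accept/Reject,
and the NAS verifies the Response Authenticator before trusting the verdict.
Added example, not ManageEngine/ADSelfService Plus code; the secret, user
database and credentials below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # packet codes
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # attribute types
SHARED_SECRET = b"constructed-nas-secret"   # constructed; one secret per NAS in practice
USER_DB = {"alice": "Correct-Horse-42"}     # constructed stand-in for an AD/LDAP lookup


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def unpack(pkt):
    """Split a packet into code, identifier, 16-byte authenticator, attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with an MD5 chain
    keyed by the shared secret. Obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # remove the NUL padding

def nas_request(method, ident, username, password, chap_id=1):
    """NAS side: build an Access-Request carrying PAP or CHAP credentials."""
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    if method == "pap":
        cred = [(USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth))]
    else:  # CHAP sends MD5(id + password + challenge), never the password itself
        challenge = os.urandom(16)
        digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
        cred = [(CHAP_PASSWORD, bytes([chap_id]) + digest), (CHAP_CHALLENGE, challenge)]
    body = encode_attrs([(USER_NAME, username.encode())] + cred)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_handle(pkt):
    """Server side: verify the request and return a signed Access-Accept/Reject."""
    code, ident, req_auth, attrs = unpack(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)
    stored = USER_DB.get(a.get(USER_NAME, b"").decode(errors="replace"))
    ok = False
    if stored is not None and USER_PASSWORD in a:    # PAP: unhide and compare
        clear = unhide_password(a[USER_PASSWORD], SHARED_SECRET, req_auth)
        ok = hmac.compare_digest(clear, stored.encode())
    elif stored is not None and CHAP_PASSWORD in a:  # CHAP: recompute the digest
        chap_id, digest = a[CHAP_PASSWORD][:1], a[CHAP_PASSWORD][1:]
        challenge = a.get(CHAP_CHALLENGE, req_auth)  # RFC: default is the Request Authenticator
        expected = hashlib.md5(chap_id + stored.encode() + challenge).digest()
        ok = hmac.compare_digest(digest, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + SHARED_SECRET).digest()

def nas_check_response(resp, ident, req_auth):
    """NAS side: accept the verdict only if the reply is bound to our request."""
    code, resp_ident, resp_auth, attrs = unpack(resp)
    expected = hashlib.md5(resp[:4] + req_auth + encode_attrs(attrs) + SHARED_SECRET).digest()
    if resp_ident != ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("unauthenticated or mismatched RADIUS reply")
    return code == ACCESS_ACCEPT

def authenticate(method, username, password, ident=7):
    """Full round trip; returns True on Access-Accept, False on Access-Reject."""
    request, req_auth = nas_request(method, ident, username, password)
    return nas_check_response(server_handle(request), ident, req_auth)
```

Calling `authenticate("pap", "alice", "Correct-Horse-42")` or `authenticate("chap", ...)` returns True, a wrong password or unknown user returns False, and a reply whose code has been flipped from Access-Reject to Access-Accept without knowledge of the shared secret raises instead of being trusted, which is exactly the check a NAS relies on to keep a spoofed reply from granting network access.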

Use RADIUS for MFA through ADSelfService Plus

ManageEngine ADSelfService Plus offers adaptive MFA with 20 different authenticators, including RADIUS authentication. You can use MFA to protect endpoints, such as on-premises and cloud application logins, computers, VPNs, OWA, and self-service password management tasks. With ADSelfService Plus, you can customize the MFA authentication process for various user accounts based on their OU and group memberships, allowing you to secure your privileged accounts and activities against cyberthreats.


People also ask

What is RADIUS authentication?

Remote Authentication Dial-In User Service (RADIUS) is a protocol that facilitates communication between network devices, remote access servers, and a central server, allowing for users and devices to be authenticated for network access. It was initially developed to authenticate a large base of users who connected remotely to corporate networks via dial-up connections.

What is the difference between RADIUS and LDAP?

RADIUS and LDAP are similar in that both rely on a centralized server to store credentials and authenticate the requests they receive. However, LDAP is primarily used to query and verify directory objects, such as users, groups, and devices, while RADIUS authorizes access to networks, including the networks in which those LDAP queries are made. RADIUS can itself use LDAP to look up the credentials and device certificates of clients that request network access.

What devices are authenticated by the RADIUS server?

RADIUS authenticates the credentials of users and various network resources, such as routers, switches, wireless access points, and VPNs, that try to connect to a network. It ensures that only authorized users and devices can access the critical components of an organization's network infrastructure.

What are the components required to implement RADIUS authentication?

RADIUS authentication requires three major components to function:

  • A client device to connect to the network.
  • A NAS device to forward the credentials to be authenticated.
  • A RADIUS server to store and verify the credentials sent for authentication.

Other requirements include deciding the authentication protocol (PAP or CHAP), purchasing the RADIUS server software, and configuring your firewall to open ports for the RADIUS protocol to communicate with the network's devices.

How can I use Microsoft Authenticator?

When you sign in to your non-Microsoft accounts, you will be prompted to enter a TOTP on the login screen. You can find this TOTP in the Microsoft Authenticator app, which you can open after completing the device verification.

When you sign in to your Microsoft account, you will be prompted to approve the sign-in notification on the Microsoft Authenticator app, where you will use the device verification method that you registered with.

Does RADIUS support MFA?

On its own, RADIUS can request an additional TOTP when using the PAP method and authenticate with a certificate when using the CHAP method, but it does not support further authentication methods. However, RADIUS can be used as an additional verification method in MFA solutions to authorize the credentials and devices that those solutions protect.

Can RADIUS servers be hosted in the cloud?

Yes, RADIUS servers can be hosted in the cloud. After hosting the server on the network or in the cloud platform, RADIUS can be used as a verification method to log in to the network or cloud platform.
