RADIUS: Secure Authentication Services at Your Service
RADIUS ensures that remote users are who they say they are, keeps track of their network usage, and secures your network infrastructure from intrusion. Learn how deploying RADIUS in-house or as a managed service can benefit you and your company's network.
Isn’t it wonderful that we can connect to ISPs or office networks from anywhere, using any access technology? Have you ever wondered how ISPs and office networks know whether or not a user has a legitimate account? And how does a provider keep track of a user's access time anyway? The answer is very likely RADIUS, the most widely deployed example of an Authentication, Authorization, and Accounting system (sometimes called an AAA system).
RADIUS is a set of AAA standards that has been implemented by many vendors. It has been around for ages, quietly providing services that keep networks secure from unauthorized use. Let's delve in and learn more about this useful capability and how it can benefit you and your company's network.
Thirty years ago, ARPANET, the predecessor to the Internet, was built to permit dumb terminals to access remote computing resources. In the days before PCs and LANs, the hardwired connection between the terminal and computer was managed by a Terminal Interface Processor, or TIP. But even then, managers, developers, and users wanted to be able to work from home or on the road (dial-up via an acoustically-coupled modem). Bandwidth was scarce and expensive, and people wanted to protect the network, and the mainframes and minicomputers on it, from unauthorized access and possible disruption.
It quickly became apparent that the use of unlisted dial-in numbers was not a secure answer. Was there something that could be done to further protect the network from unauthorized access? TACACS, the original AAA system, was developed for the ARPANET to solve that problem. Later, commercial companies adopted and extended the technology in open and proprietary ways. With experience and the expanding use of data networks, the limitations of the original TACACS architecture became apparent.
RADIUS was originally developed by Steve Willens of Livingston Enterprises, was later acquired by Lucent Technologies in 1992, and is now an IETF standard. The most recent version is RFC 2865 (June 2000), which covers both authentication and authorization. A companion IETF document, RFC 2866, describes how to extend RADIUS to implement accounting services.
What Is It Used For?
The need for AAA systems has grown tremendously over the years. Corporations (and carriers) still support dial-up lines of course, but now remote users also access networks via VPNs and broadband, while employees and guests connect to internal wireless networks simply by powering up their laptops and PCs. Today's AAA systems must be highly robust, scalable, secure, and easily manageable to meet the needs of a modern IT environment.
Basic RADIUS implementations provide access control by authenticating end users and authorizing their requests, while extended implementations include user accounting. Depending on the RADIUS product, you can:
- Centrally administer access to your network resources, perhaps with fine control over access based on time of day or by regulating the number of simultaneous log-ins by a single user
- Use the functions and information of your other access control systems, such as NetWare NDS and Windows Active Directory
- Allow your dial-in or VPN service vendors to query your access control database, so any changes you make are automatically available to them
- Create central summary or real-time reports that can audit usage for tracking and billing
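A small model of the first and last capabilities in the list above, added here as an illustration and not taken from any RADIUS product: accounting Start/Stop records (named after RFC 2866's Acct-Status-Type values) maintain the open-session count that the authorization check uses for time-of-day and simultaneous log-in limits. The `Policy` and `AAAServer` classes, the user `alice`, and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Policy:
    """Per-user limits; a hypothetical structure, not a product's schema."""
    start: time            # earliest permitted log-in time
    end: time              # latest permitted log-in time
    weekdays: frozenset    # permitted days, Monday=0
    max_sessions: int      # simultaneous log-in limit

@dataclass
class AAAServer:
    policies: dict                                 # user -> Policy
    active: dict = field(default_factory=dict)     # user -> open session ids
    usage: dict = field(default_factory=dict)      # user -> seconds online

    def authorize(self, user, now):
        """Decide after authentication succeeded; returns (reply, reason)."""
        policy = self.policies.get(user)
        if policy is None:
            return "Access-Reject", "unknown user"
        in_hours = policy.start <= now.time() <= policy.end
        if now.weekday() not in policy.weekdays or not in_hours:
            return "Access-Reject", "outside permitted hours"
        if len(self.active.get(user, ())) >= policy.max_sessions:
            return "Access-Reject", "simultaneous log-in limit reached"
        return "Access-Accept", "ok"

    def account(self, status, user, session_id, session_time=0):
        """Apply one accounting record (status is "Start" or "Stop")."""
        sessions = self.active.setdefault(user, set())
        if status == "Start":
            sessions.add(session_id)
        elif status == "Stop" and session_id in sessions:
            # Duplicate or stray Stops are ignored so they cannot inflate usage.
            sessions.discard(session_id)
            self.usage[user] = self.usage.get(user, 0) + session_time

def demo():
    """Constructed sample: alice may log in Mon-Fri 08:00-18:00, one session."""
    srv = AAAServer({"alice": Policy(time(8), time(18), frozenset(range(5)), 1)})
    monday_10 = datetime(2024, 1, 8, 10, 0)
    seen = [srv.authorize("alice", monday_10)[1]]
    srv.account("Start", "alice", "s1")
    seen.append(srv.authorize("alice", monday_10)[1])   # second log-in attempt
    for _ in range(2):                                   # second Stop is a duplicate
        srv.account("Stop", "alice", "s1", session_time=1800)
    seen.append(srv.authorize("alice", datetime(2024, 1, 8, 22, 0))[1])
    return seen, srv.usage
```

`demo()` returns the three authorization reasons in order plus the per-user usage total that a billing or audit report would be built from.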
If you have not already implemented RADIUS in your network, new technologies like wireless Ethernet should prompt you to consider it for the future.