Remote Authentication Dial-In User Service (RADIUS) is a client-server security protocol for authentication and network access control. RADIUS works with the challenge-response method and supports the central administration of user data such as user IDs, passwords, phone numbers, access rights and account data. It consists of an accounting protocol and an authentication protocol.
The RADIUS protocol can run on Unix and Windows NT servers and provides one or more Remote Access Servers (RAS) with the desired authentication data on request. RADIUS checks the database of the authentication server for a corresponding entry and sends a confirmation message to the RAS server if the user profile is positively verified.
In the RADIUS protocol, the access server sends an Access Request to the RADIUS server asking for the user's authentication. The RADIUS server responds with an Access Challenge, which can be used to make the authentication dependent on further information. With the Access Accept, the RADIUS server confirms the user's authentication to the access server. This data packet contains the user profile in which the user-specific Authentication, Authorization, and Accounting (AAA) is defined. Between the RADIUS client and server, only the password of the user being authenticated is encrypted. All other information is transmitted in plain text.
The RADIUS protocol is based on the connectionless UDP protocol, whereas TACACS+ is based on the connection-oriented TCP protocol. This has the disadvantage that, with RADIUS, transmission errors such as packet loss or exceeded time limits must be detected and corrected by the protocol itself. The RADIUS protocol is described in RFCs 2058, 2059, 2865 and 4004.