RADIUS Facts Assignment

RADIUS Overview

In a normal network access solution, network policies are stored on individual network access servers (for example, wireless access points,VPN servers, and dial-up network access servers). This means that if you want the same policy to be used on different servers, you mustcreate it on each server.

With RADIUS, network managers can centrally manage connection authentication, authorization, and accounting (sometimes referred to asAAA) for many types of network access, such as VPN or wireless access points. This means that when a remote user wants to connect to anetwork, RADIUS first authenticates their identity to determine whether they are allowed to access the network. Once authenticated, RADIUSauthorizes the user to use specific network services or connect to specific network resources. The accounting feature maintains a record ofwhat has taken place so you can track the use of the services.

RADIUS is an acronym for Remote Authentication Dial-In User Service.

NPS as a RADIUS Server

Network Policy Server (NPS) is Microsoft's implementation of RADIUS and is installed on Windows 2016 as a role and then configuredusing the Network Policy Server console accessible from Server Manager (Tools > Network Policy Server).

NPS enables the use of a heterogeneous set of wireless, switch, remote access, or VPN equipment. When using Microsoft’s Active Directory,NPS uses the directory service as its user account database for its authentication and authorization process. After the authentication process iscomplete, the RADIUS server authorizes the user's access based on specified conditions you set while configuring RADIUS. Then thenetwork access connection is logged in an accounting log file.

RADIUS Components

The following table describes the components a RADIUS solution uses.

Remote Access ClientsRemote access clients initiate connections to remote access servers. The client supplies authentication credentials to the remoteaccess server. The remote access client is unaware that a RADIUS server is being used.
RADIUS ClientA RADIUS client is a remote access server that is configured to forward authentication requests to a RADIUS server. Remoteaccess clients connect to the RADIUS client (the remote access server), and the logon credentials supplied are forwarded to theRADIUS server for authentication. A RADIUS client is also called an access server.

Client computers, such as laptops and other computers running client operating systems, are not RADIUS clients.RADIUS clients are network access servers such as wireless access points, 802.1X authenticating switches, virtualprivate network (VPN) servers, and dial-up servers. They use the RADIUS protocol to communicate with RADIUSservers such as Network Policy Server (NPS) servers
RADIUS ServerThe RADIUS server accepts authentication credentials from the RADIUS clients (remote access servers) and uses networkpolicies stored on the server to authenticate users. The RADIUS server lets the RADIUS client know whether the connectionshould be allowed or denied
RADIUS ProxyA RADIUS proxy server routes connection requests and accounting data between RADIUS clients (which may include otherRADIUS proxies) and RADIUS servers. It does this by using information from the RADIUS message itself (using the User-Name or Called-Station-ID attributes) to send the message to the appropriate RADIUS server. RADIUS proxies are particularlyuseful when authentication, authorization, and accounting occur on multiple RADIUS servers.

A RADIUS proxy is configured as a RADIUS client to a RADIUS server and can also be configured as a RADIUSserver for other RADIUS clients. The proxy can process authentication requests as a RADIUS server or forwardrequests to another RADIUS server.
RemoteRADIUS Server GroupA remote RADIUS server group is a group of RADIUS servers typically configured on a RADIUS proxy. Authenticationrequests received by the proxy are forwarded to the server(s) defined in one of the remote server groups.
Network PoliciesNetwork policies are configured on the RADIUS server to identify users who can connect to the network and the conditions thatmust be met for the connection to succeed. Without a RADIUS server, network policies are configured on each remote accessserver; with a RADIUS server, network policies are configured only on the RADIUS server.
ConnectionRequest PoliciesConnection request policies are used to determine whether the authentication request is forwarded to a RADIUS server orprocessed locally on the RADIUS proxy. A connection request policy is similar to a network policy, but is used to identifywhich server or server group will be used for authentication, not to provide the authentication conditions.
RADIUS AccountingRADIUS accounting includes event logging and user authentication and accounting request logging. NPS can send accountingdata to a log file, an SQL server, or both.
NPS TemplatesNPS templates allow you to create pre-configured elements, such as RADIUS clients or remote RADIUS servers. You can reusethese elements on the local NPS server or export them to other NPS servers. Templates can be created and configured withoutactually altering the NPS server functionality until the template is selected.
User Account DatabasesThe user account database contains the list of user accounts and their properties that a RADIUS server can use to verifyauthentication and authorization. NPS can use the following databases:
  • Security Accounts Manager (SAM)
  • Windows NT 4.0 domain
  • Active Directory Domain Services (AD DS)

When using AD DS, NPS can provide authentication and authorization for user and computer accounts in the followingdomains:

  • The domain in which the NPS server is a member
  • Two-way trusted domains
  • Trusted forests if the DCs are running Windows Server 2016, Windows Server 2008, or Windows Server 2003
RADIUS Messages

RADIUS messages are the actual communications exchanged between RADIUS clients, proxies, and servers. RADIUSmessages contain attributes that are used during the authentication process.

Attributes include:

  • Username
  • User password
  • Type of service requested by user
  • Access server's IP address

The attributes can change according to the type of RADIUS message. An Access-Request message, for example, containsattributes that specify user credentials and requested connection parameters, and an Access-Accept message contains attributesthat specify the allowed connection and its constraints. RADIUS messages are sent as UDP (User Datagram Protocol)messages. RADIUS authentication messages use UDP port 1812; RADIUS accounting messages use port 1813.

The RADIUS Authentication, Authorization, and Accounting Process Overview

The follow steps outline the basic process used by RADIUS to authenticate, authorize, and log accounting information. For these steps, theRADIUS client is a VPN server.

  1. A remote user sends a connection request to a RADIUS client (a network access server).
  2. The VPN server asks the remote user for its login credentials (such as the user name and password).
  3. The remote user sends the login credentials.
  4. The VPN server sends the connection request to the RADIUS server, which includes the credentials.
  5. After examining the request, the RADIUS server performs one of the following:
    • Accepts the request and authenticates the remote user based on the network policies configuration.
    • Asks for more information (such as a PIN number, etc.).
    • Rejects the request if the credentials sent are incorrect or missing.
  6. Once the request is accepted, the RADIUS server checks the user account databases (such as Active Directory) and determines which resources theuser can use.
  7. The RADIUS server then authorizes the user for all resources available to the user.
  8. The accounting feature begins to track information when the VPN sends and Accounting Start packet and stops when the session ends and aAccounting Stop packet is received.