Spinning Around With RADIUS

Thursday Aug 9th 2001 by ServerWatch Staff

By M.A. Dockter With the instant information and communication available over the Internet, it ...

By M.A. Dockter

With the instant information and communication available over the Internet, it's easy to argue that the world is getting smaller. Enterprises not only have to deal with networks within their corporate offices, but also the "ordeal" of getting two different networks across the country to connect via a wide-area network (WAN). They also have to worry about employees' remote access to the WAN or LAN while away from the physical connection uplink to the switch in the closet on the floor where their cubicle resides -- without letting hackers or other malicious users into their network.

One of the most popular ways of allowing remote users to connect to the network is through a method bluntly called Network Authentication Service (NAS) with the assistance of Remote Authentication Dial-in User Service (RADIUS).

RADIUS works just as its name implies; it is a method of authenticating user access via a modem connection to the LAN.

RADIUS sounds simple when laid out on paper, but setting it up can be a network administrator's worst nightmare. In a normal dial-in setting, users will dial up via their modem to a network's access phone number, which is usually supported by a modem pool similar to that of many dial-up ISPs. Like an ISP, the network authentication server (also abbreviated as NAS) will prompt for a username and password that will be the deciding factor of whether a user is allowed to access the network via the dial-up connection.

This is the point where RADIUS becomes effective. The NAS communicates to the RADIUS server (which can be the same server if it is set up properly) and gives it the username, password, and other relevant information needed to determine a user's access rights. The RADIUS server will then take any means it knows to determine the user's access rights and eventually give that information back to the NAS server, which will act accordingly. For example, a system administrator can limit the username laumbeau.curly to be able to connect to the network via TCP/IP only, and not IPX or any other protocol.

In cases when the first RADIUS server does not have the user's information, it will more than likely have a pointer to another RADIUS server that does. In that case, it will forward the request for authentication to the second RADIUS server, and the first RADIUS server will act as a relay between the NAS and the RADIUS server with the user's information.

By M.A. Dockter

RADIUS is first and foremost a protocol, and it really doesn't show its benefits unless there is more than one RADIUS server on the network.

A RADIUS server at its simplest is a computer configured in a certain way that can "speak" the RADIUS language over the network with NAS and other RADIUS servers. All it takes is an NT Service or Linux Daemon properly configured for a computer to be a RADIUS server.

Combine this feature with what seems to be the corporate world's most popular authentication scheme, Windows 2000 Active Directory, and remote user authentication is greatly simplified. For example: "Z Inc." has domain controllers for each of its departments (e.g., accounting, shipping and receiving, and development). Each has its own unique domain name (e.g., accounting.z.net). The administrator can then set up a RADIUS server service (which is built into Windows 2000 server) on each domain controller, as well as one on the main controller of the forest.

Next, the administrator can set up a NAS server and modem pool to go along with it; set up the NAS to communicate with the main controller's RADIUS service; and set restrictions like, "accounting may only connect via TCP/IP, but development can connect via any protocol the server supports." This will yield a single-access number that allows any employee of Z Inc. to dial-up from home, or on the road, and use the same username and password he or she does every morning when logging in to the departmental domain and accessing work files, presentations, and other items needed for working out of the office.

If a user has a broadband connection at home or is lucky enough to have one while on the road, RADIUS can also integrate with a virtual private network (VPN). If the employee has a VPN client installed, she can simply connect to the VPN server via an IP address or DNS name and log in to the domain the same as from her office workstation.

In the above example we used Windows 2000 as the server operating system because of our personal familiarity with the operating system and comfort level with it -- as well as its inherent popularity. RADIUS is built into Windows 2000 Server but must be properly configured in Add/Remove programs or during the operating system setup.

There are, however, alternative RADIUS servers.

Interlink (formerly Merit) RADIUS Server is the leading alternative for the Sun Solaris platform. It includes such features as, dial-up, roaming, mobile IP, quality of service, Fax over IP, and Voice over IP.

Cistron RADIUS server (http://www.radius.cistron.nl/) is a very popular GNU GPL licensed version for Linux platforms. For a list of features, and about any other question we recommend, referring to http://www.radius.cistron.nl/faq/ for its extremely large FAQ.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved