RADIUS Protocol and Components
Applies To: Windows Server 2008
Remote Authentication Dial-In User Service (RADIUS) is an industry standard protocol described in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is used to provide network authentication, authorization, and accounting services.
Network Policy Server (NPS) is a RADIUS server that complies with industry standards.
RADIUS attributes are described in RFC 2865, RFC 2866, RFC 2867, RFC 2868, RFC 2869, and RFC 3162. RFCs and Internet drafts for vendor-specific attributes (VSAs), such as RFC 2548, "Microsoft Vendor-specific RADIUS Attributes," define additional RADIUS attributes.
RADIUS infrastructure components
The following components are part of the RADIUS authentication, authorization, and accounting infrastructure:
Access clients
Access servers (RADIUS clients)
RADIUS proxies
RADIUS servers
User account databases
These components are shown in the following illustration.
Access clients
An access client is a device that requires some level of access to a larger network. Examples of access clients are dial-up or virtual private network (VPN) clients, wireless clients, or LAN clients connected to a switch.
Access servers (RADIUS clients)
An access server is a device that provides some level of access to a larger network. An access server using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server. The following are examples of access servers:
Network access servers that provide remote access connectivity to an organization network or the Internet. An example is a computer running Windows Server® 2003 and the Routing and Remote Access service and providing either traditional dial-up or virtual private network (VPN) services to an organization's intranet.
Wireless access points that provide physical layer access to an organization's network, using wireless-based transmission and reception technologies.
Switches that provide physical layer access to an organization's network, using traditional LAN technologies, such as Ethernet.
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
RADIUS proxies
A RADIUS proxy is a device that forwards or routes RADIUS connection requests and accounting messages between RADIUS clients (and RADIUS proxies) and RADIUS servers (or RADIUS proxies). The RADIUS proxy uses information within the RADIUS message, such as the User-Name or Called-Station-ID RADIUS attributes, to route the RADIUS message to the appropriate RADIUS server.
A RADIUS proxy can be used as a forwarding point for RADIUS messages when the authentication, authorization, and accounting must occur at multiple RADIUS servers in different organizations.
RADIUS servers
A RADIUS server is a device that receives and processes connection requests or accounting messages sent by RADIUS clients or RADIUS proxies. In the case of connection requests, the RADIUS server processes the list of RADIUS attributes in the connection request. Based on a set of rules and the information in the user account database, the RADIUS server either authenticates and authorizes the connection and sends back an Access-Accept message or sends back an Access-Reject message. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
User account databases
The user account database is the list of user accounts and their properties that can be checked by a RADIUS server to verify authentication credentials and user account properties containing authorization and connection parameter information.
The user account databases that NPS can use are the local Security Accounts Manager (SAM), a Microsoft Windows NT 4.0 domain, or Active Directory® Domain Services (AD DS). For AD DS, NPS can provide authentication and authorization for user or computer accounts in the domain in which the NPS server is a member, two-way trusted domains, and trusted forests with domain controllers running Windows Server® 2008; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
If the user accounts for authentication reside in a different type of database, NPS can be configured as a RADIUS proxy to forward the authentication request to a RADIUS server that does have access to the user account database. Different databases for AD DS include untrusted forests, untrusted domains, or one-way trusted domains.
A RADIUS client (typically a dial-up server, VPN server, 802.1X authenticating switch, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers.
RADIUS messages are sent as User Datagram Protocol (UDP) messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, NPS supports receiving RADIUS messages destined to both sets of UDP ports.
RFCs 2865 and 2866 define the following RADIUS message types:
Access-Request: Sent by a RADIUS client to request authentication and authorization for a connection attempt.
Access-Accept: Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is authenticated and authorized.
Access-Reject: Sent by a RADIUS server in response to an Access-Request message. This message informs the RADIUS client that the connection attempt is rejected. A RADIUS server sends this message if either the credentials are not authentic or the connection attempt is not authorized.
Access-Challenge: Sent by a RADIUS server in response to an Access-Request message. This message is a challenge to the RADIUS client that requires a response.
Accounting-Request: Sent by a RADIUS client to specify accounting information for a connection that was accepted.
Accounting-Response: Sent by the RADIUS server in response to the Accounting-Request message. This message acknowledges the successful receipt and processing of the Accounting-Request message.
A RADIUS message consists of a RADIUS header and zero or more RADIUS attributes. Each RADIUS attribute specifies a piece of information about the connection attempt. For example, there are RADIUS attributes for the user name, the user password, the type of service requested by the user, and the IP address of the access server. RADIUS attributes are used to convey information between RADIUS clients, RADIUS proxies, and RADIUS servers. For example, the list of attributes in the Access-Request message includes information about the user credentials and the parameters of the connection attempt. In contrast, the Access-Accept message includes information about the type of connection that can be made, connection constraints, and any VSAs.
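The packet layout just described (a 20-byte header followed by type-length-value attributes), the message codes listed above, and the realm-based routing decision a RADIUS proxy makes from the User-Name attribute can all be shown in a few dozen lines. The following Python is an added example written for this page; it is not code from Microsoft, NPS, or the RFCs. It follows the packet format and the Response Authenticator rule of RFC 2865 (MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the shared secret), which the page does not spell out. The shared secret, server names, realms, addresses and attribute values are constructed for the example, and `PROXY_ROUTES`, `select_server`, `verify_response` and `demo` are names chosen here, not part of any product.

```python
"""Minimal RADIUS packet codec (added example, not from the original page).

Implements the RFC 2865 packet layout (header + TLV attributes), names the
message codes from RFC 2865/2866, verifies a Response Authenticator, and shows
the realm-based forwarding decision a RADIUS proxy makes from User-Name.
All secrets, hosts, realms and values below are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Message codes defined in RFC 2865 (access) and RFC 2866 (accounting)
CODE_NAMES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
}

# Standard UDP ports (RFC 2865/2866) plus the older pair some access servers use
AUTH_PORTS = {1812, 1645}
ACCT_PORTS = {1813, 1646}

# A few well-known attribute types from RFC 2865
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_REPLY_MESSAGE = 18
ATTR_CALLED_STATION_ID = 30

# Header: Code (1), Identifier (1), Length (2), Authenticator (16) = 20 bytes
HEADER = struct.Struct("!BBH16s")


def _encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs; length covers type+length+value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, identifier, authenticator, attrs):
    """Serialise a RADIUS packet: 20-byte header followed by its attributes."""
    body = _encode_attrs(attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Parse header and attributes, refusing inconsistent lengths instead of guessing."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the RADIUS header")
    code, identifier, length, authenticator = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"),
            "identifier": identifier, "authenticator": authenticator, "attrs": attrs}


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER.size + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(request_auth, response_bytes, secret):
    """True only if the server's authenticator was computed with our shared secret.
    A RADIUS client must silently discard responses that fail this check."""
    resp = parse_packet(response_bytes)
    expected = response_authenticator(resp["code"], resp["identifier"],
                                      request_auth, resp["attrs"], secret)
    return hmac.compare_digest(expected, resp["authenticator"])


# Constructed proxy routing table: User-Name realm -> RADIUS server to forward to
PROXY_ROUTES = {"example.com": "radius1.example.com",
                "partner.example": "radius.partner.example"}


def select_server(packet, routes=PROXY_ROUTES):
    """Forwarding decision of a RADIUS proxy based on the realm in User-Name."""
    for atype, value in packet["attrs"]:
        if atype == ATTR_USER_NAME:
            user = value.decode("utf-8", "replace")
            return routes.get(user.rpartition("@")[2]) if "@" in user else None
    return None


def demo(secret=b"constructed-shared-secret"):
    """Build a request, a genuine accept and a forged accept; return what a client sees."""
    request_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    request = build_packet(1, 7, request_auth, [
        (ATTR_USER_NAME, b"alice@example.com"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (ATTR_CALLED_STATION_ID, b"00-11-22-33-44-55:CorpWiFi"),
    ])
    req = parse_packet(request)
    accept_attrs = [(ATTR_REPLY_MESSAGE, b"Welcome")]
    genuine = build_packet(2, 7, response_authenticator(2, 7, request_auth, accept_attrs, secret), accept_attrs)
    forged = build_packet(2, 7, response_authenticator(2, 7, request_auth, accept_attrs, b"wrong-secret"), accept_attrs)
    return {"request_type": req["name"], "route": select_server(req),
            "genuine_accepted": verify_response(request_auth, genuine, secret),
            "forged_accepted": verify_response(request_auth, forged, secret)}


if __name__ == "__main__":
    print(demo())
```

The parser checks every length field before indexing, which is the behaviour a practitioner wants in anything that touches RADIUS on the wire: a Length field larger than the datagram or an attribute that runs past the packet end is rejected rather than read past. `verify_response` shows why the shared secret matters for more than password hiding: an Access-Accept whose authenticator was not computed with the correct secret fails the check and is discarded, so a client only acts on accept or reject messages that came from a server holding that secret.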