Spinning Around With RADIUS
By M.A. Dockter
With the instant information and communication available over the Internet, it's easy to argue that the world is getting smaller. Enterprises not only have to deal with networks within their corporate offices, but also the "ordeal" of getting two different networks across the country to connect via a wide-area network (WAN). They also have to worry about employees' remote access to the WAN or LAN while away from the physical connection uplink to the switch in the closet on the floor where their cubicle resides -- without letting hackers or other malicious users into their network.
One of the most popular ways of allowing remote users to connect to the network is through a method known simply as Network Authentication Service (NAS), with the assistance of Remote Authentication Dial-in User Service (RADIUS).
RADIUS works just as its name implies; it is a method of authenticating user access via a modem connection to the LAN.
RADIUS sounds simple when laid out on paper, but setting it up can be a network administrator's worst nightmare. In a normal dial-in setting, users will dial up via their modem to a network's access phone number, which is usually supported by a modem pool similar to that of many dial-up ISPs. Like an ISP, the network authentication server (also abbreviated as NAS) will prompt for a username and password that will be the deciding factor of whether a user is allowed to access the network via the dial-up connection.
This is the point where RADIUS becomes effective. The NAS communicates with the RADIUS server (which can be the same machine if it is set up properly) and gives it the username, password, and any other information needed to determine the user's access rights. The RADIUS server then uses whatever means it has available to determine those access rights and eventually returns that information to the NAS, which acts accordingly. For example, a system administrator can limit the username laumbeau.curly to connecting to the network via TCP/IP only, and not IPX or any other protocol.
In cases where the first RADIUS server does not have the user's information, it will more than likely have a pointer to another RADIUS server that does. In that case, it forwards the authentication request to the second RADIUS server and acts as a relay between the NAS and the RADIUS server that holds the user's information.
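The NAS-to-RADIUS exchange described above, as an added Python example that is not code from the article: it builds an Access-Request carrying User-Name and a User-Password hidden as RFC 2865 specifies, and shows the NAS-side check of the Response Authenticator on the server's reply. The shared secret, Request Authenticator, username and password used with it are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def encode_attrs(attrs):
    """Pack (type, value) pairs into RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def xor_password(data, secret, req_auth, hidden=False):
    """RFC 2865 User-Password hiding (inverse when hidden=True): XOR each 16-byte
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if hidden else block  # chain on the ciphertext block
    return out

def hide_password(password, secret, req_auth):
    size = max(16, -(-len(password) // 16) * 16)  # pad to at least one full block
    return xor_password(password.ljust(size, b"\x00"), secret, req_auth)

def unhide_password(hidden, secret, req_auth):
    return xor_password(hidden, secret, req_auth, hidden=True).rstrip(b"\x00")

def build_access_request(ident, secret, username, password, req_auth=None):
    """What the NAS sends: Code, Identifier, Length, Request Authenticator, attributes."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable per request
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), req_auth) + attrs

def build_reply(code, ident, secret, req_auth, attrs=b""):
    """What the server sends back; the Response Authenticator binds reply to request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_reply(reply, secret, req_auth):
    """NAS-side check: recompute the Response Authenticator before honouring the reply."""
    length = struct.unpack("!H", reply[2:4])[0]
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:length]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Note that the password hiding is an MD5-keyed XOR rather than real encryption, and the reply check rests on the same shared secret, so the strength of that secret and the randomness of the Request Authenticator are what keep the exchange honest.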