RADIUS (Remote Access Dial-In User Service)

RADIUS (Remote Access Dial-In User Service) is a central authentication service. It works in a client/server architecture. A client is a network device that supports authentication. A server is a system that stores the authentication details for its clients. When a user sends login information to the client, the client does not authenticate the user itself. It forwards the login details to the RADIUS server, and the RADIUS server allows or denies the login.

Why should you use a RADIUS server?

If you have a small network, you can use local authentication. But if you have thousands of devices, managing local authentication would be nearly impossible as you’d have to configure each device by hand. For example, if you want to change a password, it could take hours to update your network. Since maintaining the local database for each network device is complex and tedious, you can use a RADIUS server to manage all login credentials. A RADIUS server allows you to manage all authentication from a single place. For example, if you want to change a login password, you only need to update it on the RADIUS server.

How does a RADIUS server work?

RADIUS uses UDP. It combines authentication and authorization into a single process. It implements a client/server architecture. Network devices such as routers, switches, or APs work as clients. A Windows or Linux system running a RADIUS service works as the server. The authentication process goes through the following three distinct stages.

  • The user enters a username and password on the client.
  • The client encrypts the password and sends it, together with the username, to the RADIUS server.
  • The RADIUS server checks the username and password in its database and replies with one of the following:
      Accept: The username and password are correct. Allow the user to log in.
      Reject: The username or password is invalid. Deny the login.
      Challenge: The server needs additional information before it can decide.
      Change Password: Prompt the user to select a new password.

RADIUS encrypts only the password. All remaining information in the exchange, including the username, is sent unencrypted.
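The three stages above and the "only the password is encrypted" point can be seen directly in the packet bytes. The following is an added example written for this page, not code from the original article or from Packet Tracer: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python. The shared secret (the page's "Cisco"), the user database, the NAS address and the credentials are constructed sample values.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865).
Added example for this page, not code from the original article. The secret,
user database, NAS address and credentials are constructed sample values."""
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and the attribute types used here (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"Cisco"                  # shared secret used in the page's lab (sample)
USERS = {"alice": "S3cret!"}       # constructed RADIUS user database
NAS_IP = bytes([192, 168, 1, 1])   # R1's address in the page's lab


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not authenticated encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server runs this with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int) -> bytes:
    """Client (NAS) side: only User-Password is hidden; the rest travels in cleartext."""
    req_auth = os.urandom(16)      # Request Authenticator: 16 unpredictable octets
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                          (NAS_IP_ADDRESS, NAS_IP)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_respond(packet: bytes, secret: bytes, users: dict):
    """Server side: recover the password, check it, and sign the reply."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None                # malformed: silently discard (RFC 2865 section 3)
    req_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    # constant-time comparison so timing does not reveal how much of a guess matched
    ok = username in users and hmac.compare_digest(users[username].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_check_response(response, request: bytes, secret: bytes):
    """Client side: trust the reply only if its Response Authenticator verifies
    under the shared secret and its identifier matches the outstanding request."""
    if response is None or len(response) < 20:
        return None
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(expected, resp_auth):
        return None                # forged, replayed or mis-keyed reply: ignore it
    return response[0]


def run_exchange(username: str, password: str, client_secret=SECRET, server_secret=SECRET):
    """Drive one request/response pair; returns the reply code or None if ignored."""
    request = build_access_request(username, password, client_secret, ident=7)
    return client_check_response(server_respond(request, server_secret, USERS), request, client_secret)


if __name__ == "__main__":
    print("correct password ->", run_exchange("alice", "S3cret!"))   # 2 = Access-Accept
    print("wrong password   ->", run_exchange("alice", "nope"))      # 3 = Access-Reject
    print("secret mismatch  ->", run_exchange("alice", "S3cret!", client_secret=b"Wrong"))
```

Decoding the request's attributes shows the User-Name in cleartext while the User-Password is an opaque 16-byte block; the third run shows why the key on the client must match the Secret entered on the server: the server cannot recover the password and the client rejects the reply because its Response Authenticator does not verify.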

RADIUS configuration (Packet Tracer Example)

Create a Packet Tracer lab and assign IP configurations as shown in the following image.

Download the pre-configured practice lab.

practice lab

RADIUS Server configuration

Click Server0, click Services, click AAA, and enable the service.

enable RADIUS

After enabling the RADIUS service, we create a database of client devices, including associated user accounts. The Network Configuration section adds client accounts. The User Setup section adds user accounts.

In this lab, we have two routers: R1 and R2. We will use R1 as the client device and R2 as an end device for testing.

The Network Configuration section requires the following information.

Field Name    Description                                              Value
Client Name   Name of the client device                                R1
Client IP     IP address of the client device                          192.168.1.1
Secret        Shared secret used to authenticate the client device     Cisco (you can pick any password of your choice)
ServerType    AAA supports two services: RADIUS and TACACS.            RADIUS

network configuration

After filling values in all fields, click Add to add an entry for R1.

network client added

Add user accounts for R1. You can pick any names and passwords of your choice.

add users

Click Add to add the user account.

user account added

The RADIUS server uses this database to authenticate client devices and their users.

RADIUS service configuration

RADIUS client configuration

Access the CLI prompt of R1 and run the following commands.

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#aaa new-model
R1(config)#username admin secret pass
R1(config)#radius-server host 192.168.1.3 key Cisco
R1(config)#aaa authentication login default group radius
R1(config)#aaa authentication login default group radius local
R1(config)#aaa authentication enable default group radius
R1(config)#aaa authentication enable default group radius local
R1(config)#ip domain-name cisco.com
R1(config)#ip ssh version 2
R1(config)#crypto key generate rsa
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login authentication default
R1(config-line)#

Let us understand the above commands in detail. We used the following commands to set the hostname to R1 and enter Global configuration mode.

Router>enable
Router#configure terminal
Router(config)#hostname R1

The following command immediately applies local authentication to all lines and interfaces except line console 0. The line console 0 allows you to access the router in case you haven't set up a local user account.

R1(config)#aaa new-model

The following command configures a local username (admin) and password (pass).

R1(config)#username admin secret pass

The following command configures the RADIUS server. It needs two parameters: the IP address of the RADIUS server and the shared secret you entered in the Secret field when you added R1 on the RADIUS server. The two values must match exactly, otherwise the server cannot decode the password and the router will not trust the server's replies.

R1(config)#radius-server host 192.168.1.3 key Cisco

Routers and switches support two levels of authentication. The first level is login authentication, which allows you to connect to the device. The second level is enable authentication, which allows you to enter privileged mode and execute commands on the router.

The following command configures the router to use the RADIUS server for the login authentication.

R1(config)#aaa authentication login default group radius

The following command configures the router to use the local username and password for login authentication if the RADIUS server is not accessible. It replaces the method list entered by the previous command: IOS keeps only the last "aaa authentication login default" line, so the effective order is RADIUS first, then the local database.

R1(config)#aaa authentication login default group radius local

The following command configures the router to use the RADIUS server for the enable authentication.

R1(config)#aaa authentication enable default group radius

The following command configures the router to use the local username and password for enable authentication if the RADIUS server is not accessible. As with the login list, it replaces the previous enable method list.

R1(config)#aaa authentication enable default group radius local

We have configured the router to use the RADIUS server and local login for authentication. Now, we need to configure a remote management protocol. SSH is the default remote management protocol on all Cisco devices.

The following commands enable and configure SSH. You can choose any domain name of your choice. SSH uses an RSA key pair, and the router names the key pair from its hostname and domain name, so the domain name must be set before the key is generated.

R1(config)#ip domain-name cisco.com
R1(config)#ip ssh version 2
R1(config)#crypto key generate rsa

A router accepts remote connections on VTY lines. By default, all VTY lines are disabled. The following commands enable VTY lines 0 to 4, restrict them to SSH, and configure them to use the default authentication method list. In the default list, the router first tries the RADIUS server. If the RADIUS server is down, it uses the local database as a backup.

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login authentication default
R1(config-line)#
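Because a later "aaa authentication ... default" line silently replaces an earlier one, it is easy to end up with a method list that has no local fallback, or with VTY lines that still accept Telnet. The following is an added example written for this page (not code from the original article or from Cisco): a small Python audit that reads an IOS running-config and reports the settings the steps above are meant to produce. The sample configuration text is constructed to mirror the page's R1 configuration.

```python
"""Audit an IOS running-config for the RADIUS/SSH settings configured on this page.
Added example, not from the original article or from Cisco. SAMPLE_CONFIG is a
constructed text that mirrors the page's R1 configuration."""
import re

SAMPLE_CONFIG = """\
hostname R1
aaa new-model
username admin secret pass
radius-server host 192.168.1.3 key Cisco
aaa authentication login default group radius
aaa authentication login default group radius local
aaa authentication enable default group radius
aaa authentication enable default group radius local
ip domain-name cisco.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
"""


def effective_method_list(config: str, kind: str, name: str = "default"):
    """Return the method list IOS actually keeps: the LAST matching
    'aaa authentication <kind> <name> ...' line wins; earlier ones are replaced."""
    pattern = re.compile(rf"^aaa authentication {kind} {re.escape(name)}\s+(.*)$", re.M)
    matches = pattern.findall(config)
    if not matches:
        return None
    tokens, methods, i = matches[-1].split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):   # 'group radius' is one method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def vty_blocks(config: str):
    """Yield (header, [sub-commands]) for each 'line vty ...' section;
    sub-commands are the indented lines that follow the header."""
    lines, i = config.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i].strip(), []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit(config: str) -> list:
    """Return a list of findings; an empty list means the config matches the page's intent."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is missing: AAA method lists will not take effect")
    hosts = re.findall(r"^radius-server host (\S+)(.*)$", config, re.M)
    if not hosts:
        findings.append("no radius-server host configured")
    for ip, rest in hosts:
        if not re.search(r"\bkey\s+\S+", rest):
            findings.append(f"radius-server host {ip} has no shared key")
    for kind in ("login", "enable"):
        methods = effective_method_list(config, kind)
        if methods is None:
            findings.append(f"no 'aaa authentication {kind} default' method list")
            continue
        if "none" in methods:
            findings.append(f"{kind} default list contains 'none': authentication can be skipped")
        if "group radius" in methods and "local" not in methods:
            findings.append(f"{kind} default list has no 'local' fallback: "
                            "lockout if the RADIUS server is unreachable")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 is not set")
    for header, body in vty_blocks(config):
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports or transports[-1] != ["ssh"]:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: no explicit 'login authentication' statement")
    return findings


if __name__ == "__main__":
    print("login list:", effective_method_list(SAMPLE_CONFIG, "login"))
    print("findings:", audit(SAMPLE_CONFIG) or "none")
```

Running it on the constructed sample reports the effective login list as RADIUS then local and no findings; removing the second login line, or changing the VTY transport to allow Telnet, produces a finding for each. On a real device the input would be the output of "show running-config".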

The following image shows the above configuration on R1.

R1 Configuration

Download the configured practice lab.

Testing the RADIUS server

To test the RADIUS server configuration, open an SSH connection from R2 to R1. Use the user account that you configured on the RADIUS server.

RADIUS server testing 1

As we can see in the above image, the connection opened successfully. It verifies that R1 used the RADIUS server for authentication.

If the RADIUS server is up, R1 will not use the local database. To verify it, close the opened SSH connection and open a new connection. This time use the username and password you configured on R1 for login.

RADIUS server testing 2

As the above image shows, R1 does not allow the local login as long as the RADIUS server is up.

Turn off the switch port connected to the RADIUS server.

turn off switch port

R1 has lost connectivity with the RADIUS server. Now try to log in again from R2 using the username and password you configured on R1.

using local database

As the above image shows, R1 accepted the connection this time. This verifies that, if the RADIUS server is not accessible, R1 uses the local database for authentication.

Conclusion

RADIUS is a remote authentication service. It allows us to authenticate users from a single location. It is an open standard. It works in a client/server architecture. It uses UDP to exchange information between clients and the server. It encrypts only the password when it exchanges information between the client and the server.
