What is Radius Server?
When we say Radius Server in networking, what does it really mean?
According to Wikipedia, RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service; a RADIUS server is the system that implements the server side of that protocol.
Livingston Enterprises developed RADIUS in 1991 as an access server authentication and accounting protocol (AAA).
RADIUS servers are commonly used in telecommunication networks for user authentication, authorization, and accounting, and they are valued for the availability, scalability, and redundancy they bring to a network.
A RADIUS server determines whether a user may access the network and which permissions that user has on the network.
It is a client/server protocol that runs in the application layer and can use either UDP (the original and most common transport) or TCP. Network Access Servers (NAS), which control access to a network, contain a RADIUS client that communicates with the RADIUS server so that the full AAA process can be completed.
I know RADIUS best for its role in 802.1X authentication; the RADIUS server itself is usually a background process (a daemon or service) running on UNIX or Microsoft Windows.
How Does the Radius Server Work?
Earlier, we noted that RADIUS is a protocol, which means the server and its network clients exchange messages in a defined format.
Now let's explain how RADIUS servers communicate with their clients using that protocol.
Authentication and authorization:
How does the RADIUS server check that the submitted information is correct, using authentication schemes such as PAP, CHAP, or EAP?
First, the user's proof of identification will be verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges.
Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can still do this, or they can refer to external sources, commonly SQL, Kerberos, LDAP, or Active Directory servers, to verify the user's credentials.
[Figure: RADIUS Authentication and Authorization Flow]
The RADIUS server then returns one of three responses to the NAS:
Access Reject: The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.
Access Challenge: The server requests additional information from the user, such as a secondary password, PIN, token, or card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user's machine and the RADIUS server, so that the access credentials are hidden from the NAS.
Access Accept: The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user may use the network service requested; a user may be allowed to use a company's wireless network but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or looked up in an external source such as LDAP or Active Directory.
Each of these three RADIUS responses may include a Reply-Message attribute giving a reason for the rejection, the prompt for the challenge, or a welcome message for the acceptance. The text in the attribute can be passed on to the user in a return web page.
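To make the exchange concrete, here is an added example (not code from the original article or from any RADIUS implementation) that models both sides of the PAP authentication described above in Python: the NAS builds an Access-Request with a random Request Authenticator and the RFC 2865 User-Password hiding, the server checks the credentials against a local store and answers with Access-Accept, Access-Reject or Access-Challenge carrying a Reply-Message, and the NAS verifies the Response Authenticator before trusting the reply. The shared secret, the user store and the "needs a challenge" flag are constructed sample data, not values from the page; the packet layout, codes and attribute numbers are those of RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed sample data (not from any real deployment): the secret shared by
# NAS and server, and a local user store whose "challenge" flag marks users who
# must answer an Access-Challenge before they are accepted.
SHARED_SECRET = b"example-shared-secret"
USERS = {"alice": {"password": "correct horse", "challenge": False},
         "bob": {"password": "battery staple", "challenge": True}}

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse attributes, refusing a length that runs past the packet."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, authenticator, secret):
    """PAP User-Password hiding (RFC 2865 s5.2): each 16-byte block is XORed
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    raw = password.encode()
    p = raw + b"\x00" * (-len(raw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, authenticator, secret):
    """Inverse of hide_password, run on the server side."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5 over reply header, Request Authenticator, reply attributes and the
    shared secret: the NAS uses it to tell a genuine reply from a forged one."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + req_auth + body + secret).digest()

def nas_access_request(username, password, ident):
    """NAS (RADIUS client) side: fresh random Request Authenticator per request."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, req_auth, SHARED_SECRET))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(pkt):
    """Server side: verify credentials, then answer Accept, Reject or Challenge."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    given = unhide_password(a.get(USER_PASSWORD, b""), req_auth, SHARED_SECRET)
    user = USERS.get(name)
    if user is None or not hmac.compare_digest(given.encode(), user["password"].encode()):
        rcode, rattrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    elif user["challenge"]:
        rcode, rattrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your token code"),
                                          (STATE, os.urandom(8))]
    else:
        rcode, rattrs = ACCESS_ACCEPT, [(REPLY_MESSAGE, b"Welcome")]
    auth = response_authenticator(rcode, ident, req_auth, rattrs, SHARED_SECRET)
    return build_packet(rcode, ident, auth, rattrs)

def nas_check_response(resp, req_auth, ident):
    """NAS side: discard replies whose Response Authenticator does not verify."""
    code, rid, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, rid, req_auth, attrs, SHARED_SECRET)
    if rid != ident or not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch; reply discarded")
    return code, dict(attrs).get(REPLY_MESSAGE, b"").decode(errors="replace")

def authenticate(username, password, ident=7):
    """Full round trip; returns (reply code, Reply-Message text)."""
    req, req_auth = nas_access_request(username, password, ident)
    return nas_check_response(server_handle(req), req_auth, ident)

def tampered_reply_is_rejected():
    """Flip one byte of a genuine Access-Accept; the NAS must refuse it."""
    req, req_auth = nas_access_request("alice", "correct horse", 9)
    resp = bytearray(server_handle(req))
    resp[-1] ^= 0x01
    try:
        nas_check_response(bytes(resp), req_auth, 9)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "battery staple")]:
        print(user, authenticate(user, pw))
```

Two design points worth noticing: the Request Authenticator is random per request, which is what keeps the hidden User-Password from repeating across requests, and the NAS checks the Response Authenticator before acting on any reply, so a packet that was not produced with the shared secret is dropped rather than treated as an Access-Accept.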
RADIUS stands for Remote Authentication Dial-In User Service, so a RADIUS server is a Remote Authentication Dial-In User Service server.