Configuring the AAA and RADIUS Protocols 275
As mentioned above, AAA is a management framework, so it can be implemented
by several protocols. RADIUS is the one most frequently used.
Remote Authentication Dial-In User Service (RADIUS) is a distributed
information exchange protocol based on the client/server architecture. RADIUS can
protect the network from interruptions caused by unauthorized access, and it is
often used in network environments requiring both high security and remote user
access. For example, it is often used to manage a large number of scattered
dial-in users who connect through serial ports and modems. The RADIUS system is an
important auxiliary part of the Network Access Server (NAS).
After the RADIUS system is started, when a user wants to access other networks or
use network resources by connecting to the NAS (a dial-in access server in a PSTN
environment, or an Ethernet switch with access functions in an Ethernet
environment), the NAS, acting as the RADIUS client, transmits the user's AAA
request to the RADIUS server. The RADIUS server maintains a user database that
records all user authentication and network service information. On receiving
the user's request from the NAS, the RADIUS server performs AAA by querying and
updating the user database, and returns configuration information and accounting
data to the NAS. The NAS then controls the supplicant and the corresponding
connections, while the RADIUS protocol regulates how configuration and accounting
information is transmitted between the NAS and the RADIUS server.
The NAS and the RADIUS server exchange information using UDP packets. During the
interaction, both sides encrypt the packets with a shared key before sending user
configuration information (such as passwords), so that it cannot be intercepted
or stolen. The RADIUS server generally relies on the proxy function of devices
such as the access server to perform user authentication. The operation process
is as follows:
1 The NAS sends the client's username and encrypted password to the RADIUS server.
2 The user receives one of the following response messages:
■ ACCEPT: Indicates that the user has passed authentication.
■ REJECT: Indicates that the user has failed authentication and must re-enter the
username and password; otherwise the user is denied access.
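The exchange described above, as an added example that is not part of the original manual and not 3Com code: a Python script that builds the Access-Request the NAS sends, hides the User-Password attribute with the shared key in the way RFC 2865 specifies (an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator), and has a toy RADIUS server answer Access-Accept or Access-Reject with a Response Authenticator that the NAS verifies before trusting the result. The shared key, user database and identifiers are constructed values; no UDP socket is opened, the two sides are called directly.

```python
import hashlib
import os
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password as RFC 2865 section 5.2 does: pad with NULs to a
    multiple of 16, then XOR each 16-byte chunk with MD5(secret + previous
    chunk); the first chunk uses the Request Authenticator as 'previous'."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += chunk
        prev = chunk            # the ciphertext chunk feeds the next keystream block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1 byte), Length (1 byte, includes the 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes) -> bytes:
    """NAS (RADIUS client) side: Code, Identifier, Length, Request Authenticator, attributes."""
    request_auth = os.urandom(16)       # fresh random value per request
    attrs = encode_attr(ATTR_USER_NAME, username.encode())
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Toy RADIUS server: recover the password, consult the user database and
    reply with Access-Accept or Access-Reject carrying a Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(username)     # constructed user database: username -> password
    ok = stored is not None and secrets.compare_digest(stored.encode(), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def client_verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side: a reply whose Response Authenticator does not verify against the
    shared key is silently discarded (returns None), otherwise its code is returned."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not secrets.compare_digest(expected, reply[4:20]):
        return None
    return reply[0]


def authenticate(username: str, password: str, secret: bytes, user_db: dict, identifier: int = 1):
    """Full round trip NAS -> server -> NAS; returns the verified reply code or None."""
    request = build_access_request(identifier, username, password, secret)
    reply = server_handle(request, secret, user_db)
    return client_verify_reply(reply, request[4:20], secret)


if __name__ == "__main__":
    db = {"alice": "s3cret"}                       # constructed sample user
    print(authenticate("alice", "s3cret", b"shared-key", db))  # 2 = Access-Accept
    print(authenticate("alice", "wrong", b"shared-key", db))   # 3 = Access-Reject
```

Two points the script makes visible: only the User-Password attribute is hidden, the username and every other attribute travel in cleartext over UDP, so the shared key between the NAS and the server is the whole of the trust; and a server configured with a different key recovers garbage for the password and produces a Response Authenticator the NAS cannot verify, which is why a key mismatch shows up as rejected logins or dropped replies rather than an explicit error.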
Implementing AAA/RADIUS on the Switch 8800
By now we understand that the Switch 8800, serving as the user access device or
NAS, is the RADIUS client. In other words, the client side of AAA/RADIUS is
implemented on the Switch 8800. The figure below illustrates a RADIUS
authentication network.