Introduction to AAA Server
RADIUS Overview
Chapter 14
transaction between a RADIUS AAA server and a client (a NAS in this example). When the
user’s workstation connects to the client, the client sends an Access-Request RADIUS data
packet to the AAA server.
Figure 1-2 Client-Server RADIUS Transaction
When the server receives the request, it validates the sending client. If the client is permitted
to send requests to the server, the server will then take information from the Access-Request
and attempt to match the request to a user profile. The profile will contain a list of
requirements that must be met to successfully authenticate the user. Authentication usually
includes verification of a password, but can also specify other information, such as the port
number of the client or the service type that has been requested, that must be verified.
If all conditions are met, the server will send an Access-Accept packet to the client; otherwise,
the server will send an Access-Reject. An Access-Accept data packet often includes
authorization information that specifies what services the user can access and other session
information, such as a timeout value that will indicate when the user should be disconnected
from the system.
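The server-side decision described above, as an added example (not code from the original document or from any AAA product): it validates the sending client, matches the Access-Request against a profile's check items, and returns Access-Accept with a session timeout or Access-Reject. The client table, the `alice` profile, every function name, and the use of the RFC 2865 packet layout and User-Password hiding are assumptions beyond this page; the profile stores a cleartext password and the handler returns a decision tuple instead of an encoded reply to keep the example short.

```python
import hashlib, hmac, struct

# RFC 2865 packet codes and attribute types; CLIENTS and PROFILES are constructed samples.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE, SESSION_TIMEOUT = 1, 2, 5, 6, 27
CLIENTS = {"192.0.2.10": b"constructed-secret"}   # permitted client IP -> shared secret
PROFILES = {"alice": {"password": b"correct horse battery",
                      "check": {NAS_PORT: 3, SERVICE_TYPE: 2},   # must match the request
                      "reply": {SESSION_TIMEOUT: 3600}}}         # sent in Access-Accept

def hide(data, secret, authenticator, decrypt=False):
    # User-Password hiding (RFC 2865 section 5.2): XOR 16-byte blocks with chained MD5
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block, mask = data[i:i + 16], hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out, prev = out + res, (block if decrypt else res)   # chain on ciphertext
    return out

def parse(packet):
    # Header: code (1), identifier (1), length (2), authenticator (16), then TLVs
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):     # also rejects packets under 20 bytes
        raise ValueError("bad length field")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return packet[1], packet[4:20], attrs

def build_request(ident, auth, secret, user, password, ints):  # NAS side, sample input only
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide(password, secret, auth))]
    attrs += [(t, struct.pack("!I", v)) for t, v in ints.items()]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def handle(src_ip, packet):
    secret = CLIENTS.get(src_ip)
    if secret is None or packet[:1] != bytes([ACCESS_REQUEST]):
        return None          # client not permitted, or not an Access-Request: no reply
    ident, auth, attrs = parse(packet)
    profile = PROFILES.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    pw = hide(attrs.get(USER_PASSWORD, b""), secret, auth, decrypt=True).rstrip(b"\0")
    ok = (profile is not None and hmac.compare_digest(pw, profile["password"])
          and all(attrs.get(t) == struct.pack("!I", v) for t, v in profile["check"].items()))
    return (ACCESS_ACCEPT, ident, profile["reply"]) if ok else (ACCESS_REJECT, ident, {})
```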
When the client receives an Access-Accept packet, it will generate an Accounting-Request to
start the session and send the request to the server. The Accounting-Request data packet
describes the type of service being delivered and the user that will use the service. The server
will respond with an Accounting-Response to acknowledge that the request was successfully
received and recorded. The user’s session will end when the client generates an
[Figure 1-2: Client-Server RADIUS Transaction. Participants: User, Client (NAS), AAA Server. Labels: User Connects; Access-Request; Access-Reject or Access-Accept; Accounting-Request (Start); Accounting-Response; Session Starts; User Disconnects; Accounting-Request (Stop); Accounting-Response; Session Ends; User Disconnected.]