RADIUS

Radius (Remote Authentication Dial In User Service) is a multi-user SNMP enabled client-server security tool used in computer networks to provide remote user authentication and accounting. The RADIUS software can read several kinds of password databases, and use several kinds of authentication schemes like PAP and CHAP.

The client is the entity holding username and password information, while the server is the entity that has access to a database that can validate the mapping between the username and the password.

Accounting is built in and can provide text file, unix style and SQL logs. These logs track user's activity. Other schemes can be supported by extending RADIUS.

RADIUS is currently (2003) the de-facto standard for remote authentication. It provides :

• some protection against sniffing an active attack.
• centralised administration.

Authorization is defined by RFC 2865 Accounting services is defined by RFC 2866.

External references:

• http://www.gnu.org/software/radius/radius.html#introduction
• http://advancedradius.com/on_line_doc/Introduction.htm
• http://www.untruth.org/~josh/security/radius/radius-auth.html

--- (Sample CISCO configuration)

• http://www.cisco.com/warp/public/480/http-3.html

--- (RADIUS implementation for Windows 2000)

• http://www.microsoft.com/windows20/server/default.asp?url=/windows20/server/sag_rap_intro.htm

Compare to: TACACS+ and LDAP

DIAMETER is the planned(?) IETF replacement for RADIUS.