CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.1  Remote Access

2.1.2  VPN 1 2.1.4  TACACS/XTACACS/TACACS+

Remote Authentication Dial In User Service, or RADIUS, is the de-facto standard client/server protocol that authenticates and authorizes users connecting to a network, to access the network’s resources, utilizing a centralized database. If you use a dial-up ISP, it’s highly likely that RADIUS is used to validate your logon information when you connect.

You can think of it as protecting the “radius” of a network by not letting in those who are unauthorized to be there. Its client/server architecture allows centralized administration of a user database, even if users’ locations may span an entire organization, town, state, country, etc. Being the de-facto standard, as specified in RFC 2865, the RADIUS protocol is supported by just about every device out there, new and legacy.

In general, the way RADIUS based authentication works is:

• A user dials in (via modem, DSL, etc.) as a client to a remote access server, and provides credentials (user/password) in response to the remote access server’s request
  
  
• The remote access server (itself a client to a RADIUS server) communicates the credentials to the RADIUS server, after encrypting it by computing an MD5 hash (see chapter 4) of it using a “secret” shared between client and server (this is an example of one way in which credentials are communicated)
  
  
• The RADIUS server uses a user/password database or perhaps integration with a network-based authentication system like Windows passwords or LDAP to validate the password, and returns the results to the remote access server
  
  
• The remote access server then accepts or denies the connection

More info on how RADIUS works can be found in the footnote¹⁴⁴. It is regarded by many as providing more security during remote access user authentication than its main competitors, LDAP and TACACS+.¹⁴⁵

2.1.2  VPN 1 2.1.4  TACACS/XTACACS/TACACS+