(2) It is a client/server (C/S) security protocol proposed by Lucent. It has become a formal Internet protocol standard and is the popular AAA (Authentication, Authorization and Accounting) protocol.
(3) It is a common protocol between the network access server (NAS) and the back-end server (a RADIUS server with a database), which allows dialing and authentication to be handled on two separate network devices.
Characteristics of RADIUS
(1) The RADIUS protocol uses UDP as its transport protocol. It uses two UDP ports, one for authentication (and authorization of users after authentication) and one for billing. Port 1812 is the authentication port, and port 1813 is the billing port.
(2) A RADIUS server can support multiple authentication methods. When users submit their user names and passwords, the RADIUS server can support PPP PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), UNIX login and other authentication methods.
Authentication process of RADIUS
(1) The access server obtains the user name and password (PAP password or CHAP encrypted password) from the user, packs them into a RADIUS data packet together with some other information about the user (such as calling number, access number, occupied port, etc.) and sends the packet to the RADIUS server. This packet is usually called the authentication request packet.
(2) After receiving the authentication request packet, the RADIUS server first checks whether the access server is registered, and then verifies whether the user is legitimate according to the user name, password and other information in the packet. If the user is not legitimate, an access reject packet is sent to the access server. If the user is legitimate, the RADIUS server packs the user's configuration information (such as user type, IP address, etc.) and sends it to the access server. This packet is called an access accept packet.
(3) When the access server receives the access accept/reject packet, it must first check whether the signature in the packet is correct. If it is not, the packet is treated as illegitimate. If the signature is correct, the access server either accepts the user's network access request and uses the received information to configure and authorize the user (when an access accept packet was received), or rejects the user's network access request (when an access reject packet was received).
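The signature check in step (3), as an added example that is not part of the original page. It assumes the "signature" is the Response Authenticator defined in RFC 2865, an MD5 digest over the reply, the authenticator from the original request and the secret shared between access server and RADIUS server; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS Code values (RFC 2865)
HEADER_LEN = 20                       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: sign and serialise an accept/reject packet."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs

def verify_response(packet, request_id, request_auth, secret):
    """Access server side: return 'accept', 'reject', or 'invalid' (drop the packet)."""
    if len(packet) < HEADER_LEN:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        return "invalid"                       # Length field does not match the packet
    if ident != request_id or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return "invalid"                       # not a reply to our pending request
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "invalid"                       # wrong secret or modified in transit
    return "accept" if code == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))            # 16-byte value the NAS put in its request
    framed_ip = bytes([8, 6, 192, 0, 2, 10])   # Framed-IP-Address = 192.0.2.10
    reply = build_response(ACCESS_ACCEPT, 42, framed_ip, request_auth, secret)
    print(verify_response(reply, 42, request_auth, secret))
    print(verify_response(reply[:-1] + b"\x0b", 42, request_auth, secret))
```

The access server only applies the user configuration carried in the attributes after `verify_response` returns "accept"; any "invalid" result means the packet is discarded without acting on its contents.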