RADIUS protocol

RADIUS (Remote Authentication Dial-In User Service) was developed by Livingston Enterprises in 1991 as an authentication, authorization and accounting (AAA) protocol for network access servers, and was later standardized by the Internet Engineering Task Force (IETF); the current specifications are RFC 2865 for authentication and authorization and RFC 2866 for accounting. It remains the most widely deployed AAA protocol for network access: VPN concentrators, switches, wireless controllers and ISP access servers commonly hand credential checking to a central RADIUS server. RADIUS runs over UDP (ports 1812 and 1813) and protects the exchange between the access server and the RADIUS server only with a shared secret and MD5-based authenticators, so RADIUS traffic belongs on an isolated management network or inside RADIUS over TLS (RadSec, RFC 6614).

RADIUS is commonly used to facilitate roaming between ISPs and across federations such as eduroam: the visited network's RADIUS server proxies the Access-Request towards the user's home server, routing on the realm part of the username (user@realm), so the visited network never needs the user's credentials.

How does RADIUS work?

1) A user device (the supplicant) sends a request to a Network Access Server (NAS), for example a VPN gateway, a switch or a wireless access point, to gain access to a network resource. The request carries access credentials such as a username and password, transported by the link-layer protocol in use (PPP, or 802.1X/EAPOL on Ethernet and Wi-Fi) or posted through a web form on a captive portal. The NAS may add information about the user and the session, such as the client's network address, calling number, or the physical port it is attached to, and forwards all of it to the RADIUS server in an Access-Request packet. The user device never speaks RADIUS itself; only the NAS and the server share the RADIUS secret.

2) The RADIUS server verifies the credentials with the authentication scheme carried in the request (PAP, CHAP, or an EAP method), often against a backing store such as LDAP or Active Directory, and replies with one of three packets: Access-Reject, Access-Challenge (more input is needed, for example the next EAP round trip or a one-time code), or Access-Accept. Any of the three may carry a Reply-Message attribute that the NAS can show to the user, for instance on a captive-portal page. The NAS must recompute the Response Authenticator (and, when EAP is in use, the Message-Authenticator) before acting on a reply; an unchecked reply can be spoofed by anyone who can send packets to the NAS.

3) Once the user is authenticated, the RADIUS server decides whether the user is authorized for the specific network service and returns the result in the same Access-Accept: attributes such as Service-Type, Framed-IP-Address, Session-Timeout or a VLAN assignment (Tunnel-Private-Group-ID, RFC 3580) tell the NAS what the session is allowed to do, so there is no separate authorization round trip.

RADIUS accounting

RADIUS accounting (RFC 2866) is optional and independent of authentication. When it is enabled, for example on an SSID using WPA2-Enterprise with RADIUS authentication, the NAS (here the access point) sends Accounting-Request packets to the configured accounting server on UDP port 1813: a "start" record when the session begins, optional interim-update records while it runs, and a "stop" record carrying the session duration and byte counts when it ends. The server acknowledges each record with an Accounting-Response. These records are the primary source for tying a session to a user, a port and a time window during an investigation, so the Acct-Session-Id, User-Name and timestamps should be forwarded to the SIEM.
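The three-step exchange above and the accounting records, worked through as an added Python example (this is illustrative code written for this page, not code from any RADIUS implementation). It builds a PAP Access-Request the way a NAS would, decodes and checks it the way the server would, answers with an Access-Accept or Access-Reject carrying a Response Authenticator, verifies that authenticator on the NAS side, and finally emits an Accounting-Request "start" record. The shared secret, the user database and the NAS address 192.0.2.10 are constructed example values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example: a hypothetical shared secret and user database.
SECRET = b"s3cr3t-shared"
USER_DB = {b"alice": b"correct horse"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START, ACCT_STOP = 40, 44, 1, 2

def attr(t, value):
    """One attribute: Type(1) Length(1) Value, value at most 253 octets (RFC 2865 s5)."""
    assert len(value) <= 253
    return bytes([t, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs

def pap_hide(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s5.2): pad to a multiple of 16, then XOR each
    block with MD5(secret || previous ciphertext block); the first block uses the
    Request Authenticator. This is obfuscation keyed on a static secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_recover(hidden, secret, request_auth):
    """Inverse of pap_hide, run by the server; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def authenticator_over(code, ident, auth_field, attrs, secret):
    """MD5(Code || ID || Length || auth_field || Attributes || Secret). With the Request
    Authenticator this is the Response Authenticator (RFC 2865 s3); with 16 zero octets
    it is the Accounting-Request authenticator (RFC 2866 s3)."""
    body = b"".join(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + auth_field + body + secret).digest()

def nas_access_request(ident, username, password):
    """Step 1: the NAS forwards the credentials. Fresh random Request Authenticator per packet."""
    request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, username),
             attr(USER_PASSWORD, pap_hide(password, SECRET, request_auth)),
             attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request):
    """Steps 2 and 3: recover and check the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password = pap_recover(attrs.get(USER_PASSWORD, b""), SECRET, request_auth)
    if code == ACCESS_REQUEST and USER_DB.get(attrs.get(USER_NAME)) == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, [attr(REPLY_MESSAGE, b"Welcome")]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, [attr(REPLY_MESSAGE, b"Access denied")]
    auth = authenticator_over(reply_code, ident, request_auth, reply_attrs, SECRET)
    return packet(reply_code, ident, auth, reply_attrs)

def nas_check_reply(reply, request_auth):
    """The NAS recomputes the Response Authenticator before acting on a reply.
    Returns the reply code, or None if the packet was not produced with the secret."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + SECRET).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None

def accounting_request(ident, status, session_id, username):
    """Accounting start/stop (RFC 2866): authenticator over the packet with a zeroed field."""
    attrs = [attr(ACCT_STATUS_TYPE, struct.pack("!I", status)),
             attr(ACCT_SESSION_ID, session_id), attr(USER_NAME, username)]
    auth = authenticator_over(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, SECRET)
    return packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def demo():
    req, ra = nas_access_request(7, b"alice", b"correct horse")
    accepted = nas_check_reply(server_handle(req), ra)        # 2 (Access-Accept)
    req2, ra2 = nas_access_request(8, b"alice", b"wrong")
    reject = server_handle(req2)
    rejected = nas_check_reply(reject, ra2)                   # 3 (Access-Reject)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]              # flip Reject to Accept on the wire
    forged_result = nas_check_reply(forged, ra2)              # None: authenticator no longer matches
    start = accounting_request(9, ACCT_START, b"sess-0001", b"alice")
    return accepted, rejected, forged_result, start
```

Two points the code makes concrete: the password is recoverable by anyone holding the shared secret, so the secret and the transport matter more than the "encryption"; and the Response Authenticator is plain MD5 over the packet and the secret. The 2024 Blast-RADIUS attack (CVE-2024-3596) used an MD5 chosen-prefix collision against exactly this construction to turn an Access-Reject into an Access-Accept without the secret, which is why servers and clients should now require the Message-Authenticator attribute on every packet and, better, move to RADIUS over TLS.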

Password and Challenge-Handshake authentication

Password Authentication Protocol (PAP, RFC 1334) is the simplest password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users: the peer sends the username and password in clear text and the authenticator compares them with its records. When the NAS forwards a PAP login over RADIUS, the password is hidden only with the MD5 keystream described in RFC 2865, which keeps it from a casual observer but not from anyone who knows the shared secret.

Challenge-Handshake Authentication Protocol (CHAP, RFC 1994) authenticates a user or network host to an authenticating entity by challenge and response: the authenticator sends a random challenge, the peer returns MD5(identifier || password || challenge), and the authenticator recomputes the same value. The password never crosses the link, but the server must hold it in plaintext (or a reversible form) to verify the response, and a captured challenge/response pair can be attacked offline with a dictionary.

MS-CHAP is the Microsoft version of CHAP. The protocol exists in two versions, MS-CHAPv1 (RFC 2433) and MS-CHAPv2 (RFC 2759). MS-CHAPv2 adds mutual authentication and keys the response on the NT password hash (MD4 of the UTF-16LE password) rather than the plaintext, so the server can verify it from a stored NT hash. The construction is weak: the response is three DES encryptions under keys derived from the NT hash, and recovering the hash from one captured exchange reduces to a single 2^56 DES key search (demonstrated in practice in 2012), so MS-CHAPv2 should only be used inside a TLS tunnel such as PEAP or EAP-TTLS, never on its own over an untrusted path.
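The CHAP exchange from the two paragraphs above, as an added Python example written for this page (not code from any PPP or RADIUS implementation). It computes the peer's response, builds the RADIUS CHAP-Password and CHAP-Challenge attributes the NAS forwards, verifies the response on the server from the stored plaintext password, and then runs the offline dictionary attack an eavesdropper can mount on one captured exchange. EAP-MD5, described further down, computes exactly the same MD5(identifier || password || challenge) value, so the attack applies to it unchanged. The user database, wordlist and identifier 0x2a are constructed example values.

```python
import hashlib
import hmac
import os

# RADIUS attribute types for CHAP (RFC 2865 s5.3 and s5.40).
CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60

def chap_response(ident, password, challenge):
    """CHAP with MD5 (RFC 1994 s4.1): Response = MD5(Identifier || secret || challenge).
    EAP-MD5 (RFC 3748 s5.4) uses the identical computation."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def peer_answer(ident, password, challenge):
    """PPP peer side, as the NAS packages it for RADIUS: CHAP-Password carries the
    CHAP Identifier followed by the 16-byte response; CHAP-Challenge carries the challenge."""
    return {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, challenge),
            CHAP_CHALLENGE: challenge}

def server_verify(attrs, user_db, username):
    """RADIUS server side. It needs the plaintext password: the response is keyed on it,
    and MD5 over an unknown secret cannot be recomputed from a salted password hash."""
    stored = user_db.get(username)
    if stored is None or len(attrs.get(CHAP_PASSWORD, b"")) != 17:
        return False
    ident, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    expected = chap_response(ident, stored, attrs[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, response)

def offline_dictionary_attack(ident, challenge, response, wordlist):
    """What an eavesdropper does with one captured exchange: try candidates until the
    response matches. No salt, no rate limit, one MD5 per guess. This is why CHAP and
    EAP-MD5 must not run over a link an attacker can observe."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None

def demo():
    user_db = {b"bob": b"winter2024"}          # constructed
    challenge = os.urandom(16)                  # in PPP this comes from the authenticator
    attrs = peer_answer(0x2a, b"winter2024", challenge)
    accepted = server_verify(attrs, user_db, b"bob")                              # True
    rejected = server_verify(peer_answer(0x2a, b"wrong", challenge), user_db, b"bob")  # False
    # The attacker saw identifier, challenge and response on the wire:
    captured_response = attrs[CHAP_PASSWORD][1:]
    cracked = offline_dictionary_attack(0x2a, challenge, captured_response,
                                        [b"password", b"summer2023", b"winter2024"])
    return accepted, rejected, cracked
```

The same plaintext-storage requirement is what makes CHAP awkward to back with a modern directory: a server that only holds bcrypt or Argon2 hashes cannot verify CHAP at all, and one that holds NT hashes can verify MS-CHAPv2 but not plain CHAP.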

EAP - Extensible Authentication Protocol

EAP (RFC 3748) is an authentication framework, not a specific authentication mechanism. It defines a request/response packet format, an Identity exchange, and the negotiation of a particular EAP method (EAP-TLS, PEAP, EAP-MD5 and so on) that carries the actual authentication. Each protocol that uses EAP defines how to encapsulate EAP packets within its own messages: IEEE 802.1X carries them in EAPOL frames between the supplicant and the authenticator, and RADIUS carries them between the NAS and the server in EAP-Message attributes (RFC 3579), each packet protected by a Message-Authenticator attribute. The NAS acts as a pass-through: it relays the EAP conversation without understanding the method, and receives the session keys for the link (MS-MPPE-Recv-Key and MS-MPPE-Send-Key) from the server only with the final Access-Accept.
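How EAP is encapsulated in RADIUS, as an added Python example written for this page (not code from any RADIUS or EAP implementation). It builds an EAP packet, splits it across EAP-Message attributes when it exceeds the 253-octet attribute limit, computes the HMAC-MD5 Message-Authenticator over the Access-Request, and verifies it, showing that a rewritten User-Name is rejected and that a 600-octet EAP-TLS fragment reassembles intact. The shared secret, identities and EAP payloads are constructed example values.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"s3cr3t-shared"                     # constructed example secret
ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 2, 1, 13

def eap_packet(code, ident, eap_type, type_data):
    """EAP header (RFC 3748 s4.1): Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data

def parse_eap(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match reassembled size")
    return code, ident, eap_type, pkt[5:]

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def eap_to_attrs(eap):
    """RFC 3579 s3.1: an EAP packet longer than 253 octets is split across consecutive
    EAP-Message attributes; the receiver concatenates their values in order."""
    return [attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]

def radius_with_eap(ident, username, eap):
    """Access-Request carrying EAP. Message-Authenticator is placed last so the HMAC can
    be patched in at the end; it is computed with its own value set to 16 zero octets."""
    request_auth = os.urandom(16)
    body = attr(USER_NAME, username) + b"".join(eap_to_attrs(eap)) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(SECRET, pkt, hashlib.md5).digest()     # HMAC-MD5 over the whole packet
    return pkt[:-16] + mac, request_auth

def split_attrs(pkt):
    """Yield (type, value offset, value) for every attribute; reject malformed lengths."""
    length, i = struct.unpack("!H", pkt[2:4])[0], 20
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute")
        yield t, i + 2, pkt[i + 2:i + l]
        i += l

def verify_message_authenticator(pkt, request_auth):
    """RFC 3579 s3.2: HMAC-MD5(secret, packet) with the Message-Authenticator value zeroed
    and the Request Authenticator in the authenticator field (for replies, the one from
    the Access-Request being answered). A missing or duplicated attribute is a failure."""
    length = struct.unpack("!H", pkt[2:4])[0]
    found = [(off, v) for t, off, v in split_attrs(pkt) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    off, mac = found[0]
    zeroed = pkt[:4] + request_auth + pkt[20:off] + b"\x00" * 16 + pkt[off + 16:length]
    return hmac.compare_digest(hmac.new(SECRET, zeroed, hashlib.md5).digest(), mac)

def extract_eap(pkt):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, _, v in split_attrs(pkt) if t == EAP_MESSAGE)

def demo():
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@example.com")
    pkt, ra = radius_with_eap(42, b"alice@example.com", identity)
    genuine = verify_message_authenticator(pkt, ra)                     # True
    # An on-path attacker rewrites User-Name (same length) to steer proxying to another realm:
    tampered = pkt.replace(b"alice@example.com", b"mallory@evil.test", 1)
    tampered_ok = verify_message_authenticator(tampered, ra)            # False
    # A 600-octet EAP-TLS fragment needs three EAP-Message attributes and must reassemble intact:
    big = eap_packet(EAP_RESPONSE, 2, EAP_TYPE_TLS, b"\x00" + os.urandom(599))
    pkt2, ra2 = radius_with_eap(43, b"alice@example.com", big)
    n_fragments = sum(1 for t, _, _ in split_attrs(pkt2) if t == EAP_MESSAGE)
    reassembled = parse_eap(extract_eap(pkt2))[3] == big[5:] and verify_message_authenticator(pkt2, ra2)
    return genuine, tampered_ok, n_fragments, reassembled
```

The Message-Authenticator is the only integrity check in RADIUS that is a proper keyed MAC rather than a bare MD5, which is why RFC 3579 makes it mandatory whenever EAP-Message is present and why current guidance is to require it on every packet.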

EAP Tunneled Transport Layer Security (EAP-TTLS, RFC 5281) is an EAP method that extends TLS: the server authenticates to the client with a certificate to establish a TLS tunnel, and the client then authenticates inside that tunnel with a legacy method (PAP, CHAP, MS-CHAPv2) or an inner EAP method. The client can, but does not have to, present its own CA-signed certificate, which greatly simplifies deployment because no certificate is needed on every client. The trade-off is that the security of the inner credentials rests entirely on the client validating the server certificate (trusted CA and expected server name); a supplicant configured to accept any certificate will hand its inner credentials to a rogue access point.

Protected EAP (PEAP) adds a TLS layer on top of EAP in the same way as EAP-TLS, but it then uses the resulting TLS session as a carrier to protect other, legacy EAP methods, most commonly EAP-MS-CHAPv2. The same caveat as for EAP-TTLS applies: if the client does not validate the server certificate, the tunnel protects the inner MS-CHAPv2 exchange only from passive observers, and an impersonating server can capture it and recover the NT hash offline.

Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Its notable features were dynamic WEP keys and mutual authentication between a wireless client and a RADIUS server. LEAP allows clients to re-authenticate frequently; upon each successful authentication the client acquires a new WEP key, and LEAP may be configured to use TKIP instead of dynamic WEP. Its challenge/response is a modified MS-CHAP exchange and is vulnerable to an offline dictionary attack on captured traffic (publicly demonstrated with the asleap tool in 2003); Cisco has since recommended migrating to EAP-FAST, PEAP or EAP-TLS, and LEAP should be treated as broken.

EAP-MD5 was the only IETF Standards Track EAP method when EAP was first defined. It offers minimal security: the challenge and the MD5 response are visible on the wire and can be attacked offline with a dictionary, there is no server authentication, and the method derives no keying material, which makes it unsuitable for dynamic WEP or WPA/WPA2-Enterprise (it cannot produce the pairwise master key the access point needs).

EAP Password (EAP-PWD), defined in RFC 5931, is a method which uses a shared password for authentication. The password may be a low-entropy one drawn from a set of possible passwords, such as a dictionary, that is available to an attacker. The underlying key exchange (Dragonfly, the same family used by WPA3 SAE) is resistant to active attack, passive attack, and offline dictionary attack: an attacker gets at most one password guess per protocol run. That guarantee holds only for constant-time implementations; the 2019 Dragonblood research showed timing and cache side channels in EAP-PWD and SAE implementations that leaked enough to recover the password.

EAP Protected One-Time Password (EAP-POTP), which is described in RFC 4793, is an EAP method developed by RSA Laboratories that uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys.

EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number (PIN) to perform authentication.

Nimble out-of-band authentication for EAP (EAP-NOOB, RFC 9140) is a generic bootstrapping solution for devices which have no pre-configured authentication credentials, such as IoT devices, and which are not yet registered on any server. It is especially useful for gadgets that come with no information about any owner, network or server. Authentication for this EAP method is based on a user-assisted out-of-band (OOB) channel between the server and the peer.

EAP-NOOB supports many types of OOB channels, such as QR codes, NFC tags and audio, and, unusually for an EAP method, its security was verified by formal modeling of the specification.

EAP-NOOB performs an ephemeral elliptic-curve Diffie-Hellman (ECDHE) exchange over the in-band EAP channel. The user then confirms this exchange by transferring the OOB message, which binds the physical channel to the in-band keys and defeats an attacker who merely sits on the network. The OOB message can go from the peer to the server, for example when the device is a smart TV that can show a QR code which the user scans into the server's interface, or from the server to the peer, for example when the device being bootstrapped is a camera that can only read a QR code displayed by the server.

Comparison of the EAP methods discussed above (EAP-MD5, LEAP, EAP-TLS, EAP-TTLS and PEAP):

Method     Server authentication       Supplicant authentication                      Dynamic key delivery
EAP-MD5    None                        Password hash                                  No
LEAP       Password hash               Password hash                                  Yes
EAP-TLS    Public key (certificate)    Public key (certificate or smart card)         Yes
EAP-TTLS   Public key (certificate)    CHAP, PAP, MS-CHAP(v2), EAP                    Yes
PEAP       Public key (certificate)    Any EAP, e.g. EAP-MS-CHAPv2, or public key     Yes