RADIUS protocol

The RADIUS (Remote Authentication Dial-In User Service) protocol was developed in 1991 as an access server authentication and accounting protocol. It was later brought into the Internet Engineering Task Force (IETF) standards. RADIUS is the underlying authentication and access protocol used by the majority of network and computing systems.

RADIUS is commonly used to facilitate roaming between ISPs.

How does RADIUS work?

1) A device sends a request to a Network Access Server (NAS) to gain access to a network resource. This request includes access credentials (such as a username and password), which are passed via the link-layer protocol. The request may contain other information about the user, such as network address, phone number, or physical attachment to the NAS.

2) The RADIUS server checks that the information is correct using an authentication protocol (e.g., PAP, CHAP, EAP). The RADIUS server returns one of three responses: Access Reject, Access Challenge, or Access Accept. Each of these responses can be passed to the user in a return webpage.

3) Once the user is authenticated, the RADIUS server will check that the user is authorized for the specific network service.
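
The reply in step 2 is only trustworthy if the NAS validates it before acting on it. The following Python code is an added example, not part of the original page: it builds and checks a reply using the packet layout and Response Authenticator calculation from RFC 2865. The shared secret, identifier and attribute values are constructed samples.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 2865: the request plus the three replies named above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply as a server does: header + MD5-based Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_attrs(data):
    """Split the attribute area into (type, value) pairs (type, length, value encoding)."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def check_reply(packet, ident, request_auth, secret):
    """NAS-side validation of a reply; returns (code name, attributes) or raises ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # bytes beyond Length are padding and ignored
    if code not in (2, 3, 11):
        raise ValueError("not an Access-Accept/Reject/Challenge")
    if rid != ident:
        raise ValueError("identifier does not match the pending request")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return CODES[code], parse_attrs(packet[20:])

# Constructed sample values (not from any real deployment).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))              # Request Authenticator sent by the NAS
REPLY_MSG = bytes([18, 9]) + b"welcome"  # attribute 18 = Reply-Message
ACCEPT = build_reply(2, 7, REQ_AUTH, REPLY_MSG, SECRET)
```

A reply whose code byte is altered in transit, or that was computed with a different shared secret, fails the authenticator comparison and is discarded rather than treated as an Access-Accept.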

RADIUS accounting

Optionally, RADIUS accounting can be enabled on an SSID that's using WPA2-Enterprise with RADIUS authentication. When enabled, "start" and "stop" accounting messages are sent from the AP to the specified RADIUS accounting server.