I have heard a lot about RADIUS. But I am still asking myself questions about it. In Wikipedia, it is said that it is a network protocol that provides Authentication, Authorization, and account management for users. How does it really work? Why should I choose RADIUS instead of a simple database?
RADIUS is a protocol for carrying Authentication, Authorization and Accounting data.
In RADIUS authentication data flows from a NAS (Network Access Server) to a RADIUS server in Access-Request packets.
Authorization data flows from the RADIUS server to the NAS in Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request packets.
Accounting data flows from the NAS to the RADIUS server in Accounting-Requests.
There are many reasons why RADIUS is more suited in its role than a generic database interface like ODBC.
- It's extremely lightweight. There's no connection setup, teardown or maintenance in UDP-based RADIUS. The attribute encoding is simple and compact. No big and complex SQL statements, or result encodings.
- As a result of its simplicity, RADIUS clients typically have far lower memory, CPU and storage requirements than SQL clients or ODBC connectors. This is important as many RADIUS clients run on switches, routers or other embedded devices.
- On POSIX systems, using connectionless UDP, there are no issues with running out of file descriptors. In a network environment where everything talks to central RADIUS servers, you may have many thousands of devices communicating with the RADIUS server.
- RADIUS supports multihop routing of AAA information based on various attributes in the packet. This is used to great effect in federations like Eduroam.
- Attributes are well defined and in a standard format. This supports interoperability. You couldn't point a network device at an SQL database and have it just work, you can with a network device and a RADIUS server.
- RADIUS supports more complex conversations than SQL, it's more than just a request/response protocol. The RADIUS server can maintain the state of an ongoing authentication attempt which progresses over multiple rounds of requests/responses. This allows complex authentication methods like EAP to work over RADIUS.
- RADIUS supports asynchronous signalling, i.e. you can change the authorization state of users on the fly, by signalling the NAS with CoA and DM packets.
and many, many more... They're suited for very different things.
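As an added illustration, not part of the answer above and not code from any RADIUS implementation, the following Python plays both sides of the Access-Request / Access-Accept exchange the answer describes: the compact Type/Length/Value attribute encoding, the User-Password hiding and the Response Authenticator from RFC 2865. The NAS and the server run in one process instead of over UDP; the shared secret, user name, password, NAS address and the server's "user database" (a single expected password) are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865, RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

# A few standard attribute types from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18


def encode_attributes(attrs):
    """Encode (type, value-bytes) pairs as AVPs: Type(1) Length(1, incl. header) Value."""
    out = b""
    for typ, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attributes(data):
    """Parse AVPs, rejecting truncated headers and lengths that would loop or overrun."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): XOR with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, b)), chunk
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    # Octets past Length are padding and ignored (RFC 2865 section 3).
    return code, identifier, data[4:20], decode_attributes(data[20:length])


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(data, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting an Accept/Reject."""
    code, identifier, auth, attrs = parse_packet(data)
    length = 20 + len(encode_attributes(attrs))
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected), code, identifier, attrs


def exchange(secret, username, password, expected_password):
    """One Access-Request round trip in-process. Returns (accepted, reply attributes)."""
    # NAS: fresh 16-octet Request Authenticator per request (RFC 2865 section 3)
    request_auth, identifier = os.urandom(16), 7
    request = build_packet(ACCESS_REQUEST, identifier, request_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),   # constructed NAS address (TEST-NET-1)
        (NAS_PORT, struct.pack("!I", 3)),
    ])
    # Server: parse, recover the password, decide, and sign the reply with the shared secret
    code, ident, ra, attrs = parse_packet(request)
    by_type = dict(attrs)
    recovered = reveal_password(by_type.get(USER_PASSWORD, b""), secret, ra)
    if code == ACCESS_REQUEST and by_type.get(USER_NAME) == username.encode() \
            and hmac.compare_digest(recovered, expected_password.encode()):
        reply = build_response(ACCESS_ACCEPT, ident, ra, [(REPLY_MESSAGE, b"Welcome")], secret)
    else:
        reply = build_response(ACCESS_REJECT, ident, ra, [(REPLY_MESSAGE, b"Invalid credentials")], secret)
    # NAS: a reply whose authenticator or Identifier does not match is dropped, not acted on
    ok, rcode, rident, rattrs = verify_response(reply, request_auth, secret)
    if not ok or rident != identifier:
        raise ValueError("reply failed authentication; discard it")
    return rcode == ACCESS_ACCEPT, rattrs
```

The `verify_response` step is the part operators most often get wrong in home-grown clients: without it, anything that can spoof the server's source address can hand the NAS an Access-Accept. The whole scheme rests on MD5 and a per-NAS shared secret, which is why the accounting variant (RFC 2866, authenticator computed over a zeroed field) is left out here and why production deployments increasingly carry RADIUS over TLS (RadSec, RFC 6614) rather than bare UDP.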