CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.1 Remote Access

2.1.3  RADIUS

Remote Authentication Dial In User Service, or RADIUS, is the de facto standard client/server protocol for authenticating and authorizing users who connect to a network and want to use its resources, using a centralized account database. If you use a dial-up ISP, it is very likely that RADIUS validates your logon information when you connect.

You can think of it as protecting the “radius” of a network by keeping out those who are not authorized to be there. Its client/server architecture allows centralized administration of one user database even when users are spread across an entire organization, town, state or country. Because it is the de facto standard, specified in RFC 2865 (authentication and authorization) and RFC 2866 (accounting), RADIUS is supported by just about every remote-access device out there, new and legacy.

In general, RADIUS-based authentication works like this:

  • A user connects (via dial-up modem, DSL, etc.) to a remote access server, also called the network access server or NAS, and supplies credentials (user name and password) in response to the remote access server’s prompt

  • The remote access server (itself a client of the RADIUS server) sends the credentials to the RADIUS server in an Access-Request packet. The password is not sent as an MD5 hash; it is hidden by XOR-ing it against an MD5 digest (see chapter 4) of the “shared secret” known to client and server, combined with a random 16-byte Request Authenticator that is different for each request. Only the password attribute is hidden in this way; the user name and the other attributes travel in the clear. (This is one way credentials are carried; CHAP and, later, EAP are the alternatives)

  • The RADIUS server recovers the password and checks it against its own user/password database or against an external authentication system such as Windows domain accounts or an LDAP directory, then returns an Access-Accept or Access-Reject (or an Access-Challenge if another round is needed) to the remote access server. The reply carries a Response Authenticator, an MD5 digest over the reply, the original Request Authenticator and the shared secret, so the remote access server can tell that the reply came from a server that knows the secret and matches its request

  • The remote access server then accepts or denies the connection

More information on how RADIUS works can be found in footnote 144. Many regard it as providing more security during remote-access user authentication than its main competitors, LDAP and TACACS+.145 Be clear about what it actually protects, though: only the password is hidden, and an eavesdropper who captures one Access-Request and its reply has every input to the Response Authenticator except the shared secret, so a short or guessable secret can be recovered offline. Use a long random shared secret and keep the traffic between remote access server and RADIUS server on a protected network or inside an IPsec tunnel.
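The exchange described in the steps above, and the offline check against the shared secret that an eavesdropper can run on a captured request/reply pair, as an added example that is not part of the CertiGuide text. The packet layout, the password-hiding algorithm and the Response Authenticator follow RFC 2865 sections 3 and 5.2; the shared secret, the user database and the packet contents are constructed for this demonstration, and the “server” is a function rather than a UDP listener so everything runs offline.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS Code values
USER_NAME, USER_PASSWORD = 1, 2                           # attribute types

SECRET = b"s3cr3t-shared-with-NAS"                                       # constructed
USER_DB = {b"alice": b"correct horse battery staple", b"bob": b"hunter2"}  # constructed


def _blocks(data, secret, authenticator, hiding):
    """RFC 2865 s5.2 keystream: block i is XORed with MD5(secret + c[i-1]), where
    c[-1] is the Request Authenticator. Hiding and revealing differ only in which
    side of the XOR (cipher block or plain block) feeds the next key."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out


def hide_password(password, secret, req_auth):
    """Pad with NULs to a multiple of 16 octets (minimum 16), then obscure.
    Keyed obfuscation only: nothing else in the packet is hidden or signed."""
    n = max(1, -(-len(password) // 16))
    return _blocks(password.ljust(16 * n, b"\x00"), secret, req_auth, hiding=True)


def reveal_password(hidden, secret, req_auth):
    return _blocks(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5 over the reply header with the *request's* authenticator
    in the Authenticator slot, the reply attributes, and the shared secret."""
    return hashlib.md5(encode(code, ident, req_auth, attrs) + secret).digest()


def build_access_request(ident, user, password, secret):
    """NAS side. The Request Authenticator must be random and never reused."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def radius_server(request, secret, user_db):
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, req_auth, attrs = parse(request)
    got = dict(attrs)
    expected = user_db.get(got.get(USER_NAME))
    ok = (code == ACCESS_REQUEST and expected is not None and USER_PASSWORD in got
          and hmac.compare_digest(reveal_password(got[USER_PASSWORD], secret, req_auth), expected))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode(reply_code, ident, response_authenticator(reply_code, ident, req_auth, [], secret), [])


def verify_reply(reply, req_auth, secret):
    """NAS side: returns the reply code only if the authenticator matches this request; else None."""
    code, ident, auth, attrs = parse(reply)
    return code if hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret)) else None


def recover_secret(request, reply, candidates):
    """Eavesdropper side: with one captured request/reply pair every input to the
    Response Authenticator except the secret is known, so guesses are checked offline."""
    _, _, req_auth, _ = parse(request)
    code, ident, auth, attrs = parse(reply)
    return next((g for g in candidates
                 if response_authenticator(code, ident, req_auth, attrs, g) == auth), None)


def demo():
    req, ra = build_access_request(7, b"alice", USER_DB[b"alice"], SECRET)
    accepted = verify_reply(radius_server(req, SECRET, USER_DB), ra, SECRET)
    bad_req, bad_ra = build_access_request(8, b"alice", b"wrong", SECRET)
    reject = radius_server(bad_req, SECRET, USER_DB)
    rejected = verify_reply(reject, bad_ra, SECRET)
    forged = verify_reply(bytes([ACCESS_ACCEPT]) + reject[1:], bad_ra, SECRET)  # flip Reject to Accept
    leaked = recover_secret(req, radius_server(req, SECRET, USER_DB), [b"password", b"radius", SECRET])
    return accepted, rejected, forged, leaked


if __name__ == "__main__":
    print(demo())  # (2, 3, None, b's3cr3t-shared-with-NAS')
```

The forged-reply check shows why the Response Authenticator matters: a bit flip that turns a Reject into an Accept is caught because the digest no longer matches. The last line of `demo` shows the other side of the coin: with the two captured packets a dictionary of candidate secrets is tested entirely offline, which is why the shared secret has to be long and random.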


RADIUS is a client/server protocol that authenticates users connecting to a network, usually by consulting a centralized database of users. RADIUS is a widely supported and popular authentication protocol that many consider to provide better authentication security than its main alternatives, TACACS+ and unencrypted LDAP alone.

RADIUS Performance

Recent scalability and performance advancements include “Distributed RADIUS,” in which multiple tiers of RADIUS servers are connected together, and “forward authentication,” in which requests go up the RADIUS server tree through a proxy RADIUS server, which typically routes them on the realm part of the user name (user@realm).

Figure 18: Security Databases are centralized in RADIUS.




145. Hill, Joshua, “An Analysis of the RADIUS Authentication Protocol.”


CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.