Security Solutions
Access Control Concepts
Network Access Control Technologies
RADIUS
As mentioned earlier, RADIUS is an industry-standard protocol for providing
AAA services. However, this section describes the RADIUS protocol in its
most limited sense, as the standard for communications between PEPs
(devices such as switches and APs that offer users network access) and
RADIUS servers (the authentication and possibly accounting server).
RADIUS Messages. A PEP sends two types of messages:
■ Access request—The PEP requests authentication and authorization for
a user attempting to connect to the network.
■ Accounting request—The PEP transmits accounting information to the
RADIUS server. For example, once the PEP has admitted a user to the
network, it sends an accounting-start message; this tells the server that
the access it just granted is now in use and reports details of the session
(user name, session ID, port, and so on). The PEP sends another accounting
request when the session ends.
The RADIUS server sends four types of messages:
■ Access challenge—The server responds to an access request with a
challenge when it requires more information from the user, needs to resolve
incomplete or conflicting user information, or wants the user to retry
authentication. The PEP relays the challenge to the user and returns the
answer in a new access request.
■ Access accept—The server responds to an access request by informing the
PEP that the user is authenticated, optionally adding authorization
instructions such as the user's VLAN assignment.
■ Access reject—The server responds to an access request by informing the
PEP that the user failed authentication.
■ Accounting response—The server acknowledges an accounting request.
RADIUS runs over UDP and is therefore connectionless: servers and PEPs
exchange messages without first setting up a session, and each reply is
matched to its request by the identifier field in the header. By default,
PEPs send access requests to UDP port 1812 and accounting requests to UDP
port 1813, and RADIUS servers listen on these ports. Some older
implementations still use the original ports 1645 and 1646, and you can
configure many devices to send and listen on nonstandard ports. Because UDP
provides no protection of its own, the only thing that authenticates a RADIUS
message is the shared secret configured on both the PEP and the server, which
is hashed into the 16-byte authenticator field of each packet; a PEP must
verify that field before acting on an access accept, and a guessable or
mismatched shared secret is a security problem rather than a configuration
nuisance.
RADIUS Attribute-Value Pairs (AVPs). RADIUS messages consist of a 20-byte
header (code, identifier, length, and authenticator) and zero or more AVPs,
each encoded as a 1-byte type, a 1-byte length, and the value. AVPs carry
the various types of information. For example, AVPs in access-request
messages specify the user's credentials and other information about where,
when, and how the user is accessing the network (such as the PEP's IP
address and the port the user connected to). AVPs in access-accept messages,
on the other hand, often communicate authorization instructions.
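The exchange described in this section, end to end, as an added example that is not part of the original text: a standard-library Python encoder and parser for RADIUS packets and AVPs that builds a PEP's access request (with the RFC 2865 User-Password hiding), the server's access accept carrying a VLAN assignment, the PEP's check of the response authenticator against the shared secret, and the PEP's accounting-start request. The user name, password, shared secret, NAS address, identifiers and VLAN number are made up, and the UDP transport on ports 1812/1813 is omitted so the code runs offline.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1  # ACCT_START is the Acct-Status-Type value "Start"
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = b"\x00\x00\x0d", b"\x00\x00\x06"  # 24-bit Tunnel-Type / Tunnel-Medium-Type values (RFC 2868, RFC 3580)

def encode_avps(avps):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length covering type+length+value."""
    out = b""
    for t, v in avps:
        if len(v) > 253:
            raise ValueError("AVP value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_avps(data):
    """Walk the attribute region, refusing truncated or zero-length AVPs (a classic RADIUS parser bug)."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("truncated or malformed AVP")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 s5.2): XOR each 16-byte block with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, avps):
    body = encode_avps(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field")
    return code, ident, raw[4:20], decode_avps(raw[20:length])

def hashed_authenticator(code, ident, avps, seed, secret):
    """MD5(Code|ID|Length|seed|Attributes|Secret): the Response Authenticator when seed is the Request
    Authenticator (RFC 2865 s3), the Accounting-Request authenticator when seed is 16 zero bytes (RFC 2866 s3)."""
    body = encode_avps(avps)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + seed + body + secret).digest()

def verify_response(raw, request_auth, secret):
    """What a PEP must do before acting on any server reply: recompute and compare the Response Authenticator."""
    code, ident, auth, avps = parse_packet(raw)
    return hmac.compare_digest(auth, hashed_authenticator(code, ident, avps, request_auth, secret)), code, avps

def vlan_from_accept(avps):
    """RFC 3580 VLAN assignment: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<id>."""
    d = dict(avps)
    if d.get(TUNNEL_TYPE, b"")[1:] == VLAN and d.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == IEEE_802:
        return int(d[TUNNEL_PRIVATE_GROUP_ID][1:])  # skip the 1-byte tag that Tunnel-* attributes carry (RFC 2868)
    return None

def demo(secret=b"s3cr3t-shared", request_auth=None):
    """Constructed exchange (made-up names, secret and addresses): a switch authenticates 'alice', the server
    accepts with VLAN 42, the switch verifies the reply and then sends an Accounting-Start."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable: it keys the password hiding
    # 1. PEP -> server (UDP 1812): Access-Request; transport is omitted, only the wire bytes are built
    request = build_packet(ACCESS_REQUEST, 0x2A, request_auth, [
        (USER_NAME, b"alice"), (USER_PASSWORD, hide_password(b"correct horse", secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])), (NAS_PORT, struct.pack("!I", 7))])
    # 2. Server: parse, recover the password, decide; authorization (the VLAN) rides in the Access-Accept AVPs
    code, ident, rauth, avps = parse_packet(request)
    accepted = code == ACCESS_REQUEST and reveal_password(dict(avps)[USER_PASSWORD], secret, rauth) == b"correct horse"
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_avps = [(TUNNEL_TYPE, b"\x01" + VLAN), (TUNNEL_MEDIUM_TYPE, b"\x01" + IEEE_802),
                  (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"42")] if accepted else []  # leading byte is the tag
    reply = build_packet(reply_code, ident, hashed_authenticator(reply_code, ident, reply_avps, rauth, secret), reply_avps)
    # 3. PEP: only a reply that proves knowledge of the shared secret may change the port's VLAN
    ok, rcode, ravps = verify_response(reply, request_auth, secret)
    vlan = vlan_from_accept(ravps) if ok and rcode == ACCESS_ACCEPT else None
    # 4. PEP -> server (UDP 1813): Accounting-Request (Start) once the user is admitted
    acct_avps = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)), (USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0001a2b3")]
    acct = build_packet(ACCOUNTING_REQUEST, 0x2B, hashed_authenticator(ACCOUNTING_REQUEST, 0x2B, acct_avps, b"\x00" * 16, secret), acct_avps)
    return {"verified": ok, "code": rcode, "vlan": vlan, "accounting_bytes": len(acct)}
```

Calling demo() returns a verified access accept with VLAN 42 and a 43-byte accounting-start packet. The step that matters for security is verify_response: flipping any byte of the reply, or computing it with a different shared secret, makes the check fail, which is exactly the property the shared secret is there to provide.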