Overview

Remote Authentication Dial-In User Service (RADIUS) is a network protocol defined in RFC 2058 that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.
Remote Authentication Dial-In User Service was developed by Livingston Enterprises, Inc. in 1991 as an access server authentication and accounting protocol and was later brought into the Internet Engineering Task Force (IETF) standards.
Remote Authentication Dial-In User Service can use either TCP or UDP as transport. Network Access Proxies, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server.
Remote Authentication Dial-In User Service is often the backend of choice for 802.1X authentication as well.
- Access Reject - The user is unconditionally denied access to all requested network resources. Reasons may include failure to authenticate or an unknown or Administratively Disabled user account.
- Access Challenge - Requests additional information from the user such as a secondary password, PIN, token, or Smart Card. Access Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the RADIUS server in a way that the access credentials are hidden from the Access Proxy.
- Access Accept - The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested.
A given Entity may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server, or may be looked up in an external source such as LDAP or Microsoft Active Directory or a Policy Retrieval Point and Policy Information Point.
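
The three replies listed above, as a RADIUS client would validate them before acting on one (an added example, not code from the original page). It goes beyond the page by checking the Response Authenticator, which is defined in RFC 2865 rather than here; the packet codes and the 20-byte header layout also come from that RFC. The shared secret, identifier and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet type codes from RFC 2865 section 3.
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply (used here to construct sample packets)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs


def classify_reply(packet, ident, request_auth, secret):
    """Client side: validate a reply, then return its packet type name."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, rid, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("length field does not match the datagram")
    if rid != ident:
        raise ValueError("identifier does not match the pending request")
    if code not in (2, 3, 11):
        raise ValueError(f"code {code} is not a reply to an Access-Request")
    attrs = packet[HEADER.size:length]  # bytes past 'length' are padding
    expected = response_authenticator(code, rid, attrs, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch")
    return CODES[code]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    req_auth = bytes(range(16))            # constructed Request Authenticator
    # Constructed Reply-Message attribute (type 18): type, length, value
    attrs = bytes([18, 7]) + b"hello"
    for c in (2, 3, 11):
        reply = build_reply(c, 7, attrs, req_auth, secret)
        print(classify_reply(reply, 7, req_auth, secret))
```

A reply that fails any of these checks should be dropped silently and never treated as an Access Accept.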