Mastering Network Security: A Step-by-Step Guide to RADIUS Server
RADIUS stands for remote access dial-in user service. RADIUS is a protocol that is primarily used to control network access. It authenticates the user who wants to access a device or network, it authorizes what that user is allowed to do, and finally it accounts for what the user did during the login session: it tracks when the user accessed the device or network, how much time was spent, and when the user logged out.
It was developed in 1991 by Livingston Enterprises, and the IETF standardized it in 2000 under RFC 2865. It is an open standard, so it can be used on every vendor's devices. It uses UDP port numbers 1812 (authentication) and 1813 (accounting). RADIUS combines the authentication and authorization processes into a single exchange, and it encrypts only the password; the rest of the packet is sent in the clear.
Lab topology for Radius server
Configure the IP address of a router
Configure Telnet on the Router
Enable the AAA radius authentication on the router
Configure the AAA Radius Server in Packet Tracer
Ping and telnet the router from one of the PCs to check the connectivity
PC1 successfully pings and telnets to the router.
Now we are going to disconnect the AAA radius server from the network and check whether PC1 can still telnet to the router.
Now, telnet the router from PC1.
PC1 is not able to telnet into the router, because the router cannot authenticate the username and password against the AAA server. Router R1 is also unable to open its own console session, as shown in the screenshot below:
Again, enable the AAA radius server.
Check again whether R1 is accessible from PC1, now that the AAA radius server is connected again.
We are going to configure AAA radius authentication such that when the AAA server is not accessible, we can still access the router. So, remove the existing AAA authentication and rewrite it with local authentication as a fallback. Then, when the AAA server shuts down or is not reachable, the router will still be accessible.
Create one more user, user2, in the local database of the router.
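The fallback configuration described above, written out as an added Cisco IOS example that is not taken from the tutorial's screenshots; the server address, shared key and passwords are placeholders, and the weak form is kept as a comment beside the corrected one:

```cisco
! Added example, not the lab's own configuration. Addresses, the shared
! key and the user password are placeholders chosen for this illustration.
aaa new-model
!
! RADIUS server reachable from the router; 1812/1813 are the UDP ports
! named in the text. The key must match the one set on the AAA server.
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Weak form (what the lab had at first): only RADIUS is consulted.
! When the server is unreachable, every Telnet and console login fails,
! which is the lockout seen earlier in the lab.
!   aaa authentication login default group radius
!
! Corrected form: RADIUS first, then the local user database, but the
! local method is tried only when no RADIUS server answers. An
! Access-Reject from a reachable server is final and does not fall
! through to "local", which is why user2 is refused once the server is up.
aaa authentication login default group radius local
!
! Local fallback account (user2 in the lab), stored as a hashed secret.
username user2 privilege 15 secret USER2-PASSWORD-PLACEHOLDER
!
! Apply the method list to the console and the Telnet lines.
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
!
! To watch which method accepted or refused a login while testing:
!   debug aaa authentication
```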
Again, telnet to Router R1 from PC1 as user1. User2 will not be able to access the router, because we did not create user2 on the AAA server; it exists only in the router's local database.
Shut down the AAA server interface. Then try to telnet to the router as both user1 and user2, and check who can log in and why.
Try to access the router through Telnet as user2. User2 can access the router now, because user2 is in the local database of the router. The router first looks the user up on the AAA server, but the AAA server is down, so it then looks the user up in its local database.
Again, enable the interface of the AAA radius server.
This time, both the AAA server remote authentication and the local authentication are enabled on the router. So which user, user1 or user2, will be able to log into the router? Let's check below in the screenshot:
As the AAA server is up, the router looks for user2 on the AAA server. Because the server is reachable and does not know user2, it rejects the login, and the router does not fall back to its local database; the local method is only consulted when the AAA server does not respond at all. So user2 is not allowed to log in to the router.