When you protect your network with RADIUS for the Cloud Authentication Service, the authentication process works as follows:
- The user provides authentication information to a RADIUS client, such as a VPN server or firewall.
- The RADIUS client sends an Access-Request message to a RADIUS server hosted on an identity router in your deployment. The request provides information about the client and the user, such as:
  - User ID
  - User password (encrypted)
  - Client ID
  - Port ID
- The RADIUS server validates the client using a password shared between the client and server, known as a shared secret. If the client does not provide the correct shared secret, authentication is not possible.
- The RADIUS server checks requirements (known as checklist attributes) that must be met for the user to access the resource. Checklist attributes may include:
  - Clients through which the user can access a resource
  - Ports through which the user can access a resource
- The RADIUS server forwards the request to the Cloud Authentication Service.
- The Cloud Authentication Service accepts, challenges, or rejects the request.
- The RADIUS server sends one of three responses to the client:
  - Access-Accept. The RADIUS server allows access and returns a set of attributes (known as return list attributes) to the client for session control.
  - Access-Challenge. The RADIUS server returns the additional authentication methods the user must satisfy, such as Approve, Authenticate Tokencode, or SecurID Token.
  - Access-Reject. Authentication methods or policy conditions are not satisfied, so access is denied.
- When authentication succeeds, the RADIUS server sends return list attributes to the client to manage the user session.
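The flow above as an added example (not code from this page or from the product): a small Python model of the client's Access-Request and the server's decision order, that is shared secret first, then checklist attributes, then credentials, then the cloud verdict. User-Password hiding follows RFC 2865 section 5.2; the Message-Authenticator is computed over a simplified serialization rather than the real wire format, and `cloud_decide`, `USERS`, `CHECKLIST` and `RETURN_LIST` are constructed stand-ins for the Cloud Authentication Service, the user directory and the configured attributes.

```python
import hashlib, hmac, os

SHARED_SECRET = b"example-shared-secret"  # constructed sample config for this example, not from the page
USERS = {"alice": b"Passw0rd!"}                             # directory the server consults
CHECKLIST = {"clients": {"192.0.2.10"}, "ports": {1, 2}}   # checklist attributes: allowed clients and ports
RETURN_LIST = {"Session-Timeout": 3600, "Framed-Protocol": "PPP"}  # return list attributes sent on accept

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chaining value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _canonical(req):
    """Simplified stand-in for the wire encoding that Message-Authenticator really covers."""
    items = sorted((k, v) for k, v in req.items() if k != "Message-Authenticator")
    return b"|".join(v if isinstance(v, bytes) else str(v).encode() for _, v in items)

def access_request(user, password, client_ip, port, secret=SHARED_SECRET):
    """What the RADIUS client (VPN server, firewall) sends: user ID, hidden password, client ID, port ID."""
    auth = os.urandom(16)  # Request Authenticator, fresh for every request
    req = {"User-Name": user, "NAS-IP-Address": client_ip, "NAS-Port": port,
           "User-Password": hide_password(password, secret, auth), "Authenticator": auth}
    req["Message-Authenticator"] = hmac.new(secret, _canonical(req), hashlib.md5).digest()
    return req

def handle_request(req, cloud_decide, secret=SHARED_SECRET):
    """Server side: shared secret, checklist attributes, credentials, then cloud_decide (the cloud stand-in)."""
    expected = hmac.new(secret, _canonical(req), hashlib.md5).digest()
    if not hmac.compare_digest(expected, req["Message-Authenticator"]):
        return None  # wrong shared secret: the request is discarded and no response is sent
    if req["NAS-IP-Address"] not in CHECKLIST["clients"] or req["NAS-Port"] not in CHECKLIST["ports"]:
        return ("Access-Reject", {})  # a checklist attribute is not met
    if USERS.get(req["User-Name"]) != reveal_password(req["User-Password"], secret, req["Authenticator"]):
        return ("Access-Reject", {})  # bad user ID or password
    responses = {"accept": ("Access-Accept", RETURN_LIST),
                 "challenge": ("Access-Challenge", {"Reply-Message": "Additional authentication required"})}
    return responses.get(cloud_decide(req["User-Name"]), ("Access-Reject", {}))
```

A request built with a secret the server does not know yields no response at all, which is the behaviour a practitioner sees when a RADIUS client is misconfigured: timeouts rather than rejects.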
RADIUS clients control user access at the network perimeter. The following figure shows how a RADIUS server runs as a service on an identity router and connects to RADIUS clients and other components in a typical deployment.