In a RADIUS-protected network, the authentication process works as follows:

1. The user provides authentication information to a RADIUS client.
2. The RADIUS client sends an “Access-Request” to the server, which could include the following:
   - User password (encrypted)
3. RSA RADIUS validates the client using a shared secret. If no secret exists, the request is ignored.
4. RSA RADIUS checks the requirements that must be met for the user to access the resource. These requirements are known as RADIUS attributes and may include the following:
   - Clients through which the user can access a resource
   - Ports on which the user can access the resource
5. RSA RADIUS forwards the request to Authentication Manager.
6. Authentication Manager allows or denies the request.
7. RSA RADIUS sends one of three responses:
   - Access-Accept. RSA RADIUS allows access and returns a set of RADIUS attributes to the client.
   - Access-Challenge. RSA RADIUS issues a challenge to which the user must respond, for example, with a passcode.
   - Access-Reject. The conditions are not met, so access is denied.

Each authentication attempt must be completed within the maximum timeout period, which is 10 minutes or less.
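The exchange above, reduced to packet level, as an added example that is not RSA's code: the client hides the User-Password under the shared secret (RFC 2865 section 5.2) and signs the request with a Message-Authenticator (RFC 3579), the server looks up the client's secret and drops the request when none exists or the authenticator does not verify, and the reply carries a Response Authenticator the client can check. The per-client secret table, the user table standing in for Authentication Manager's decision, and the fixed Request Authenticator are constructed for the example; Access-Challenge is not modelled.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, MSG_AUTH = 1, 2, 80                # attribute types

def attr(t, v):  # one Type-Length-Value attribute
    return bytes([t, len(v) + 2]) + v

def attrs_of(pkt):  # yield (type, value, offset) for each attribute after the 20-byte header
    i = 20
    while i < len(pkt):
        t, l = pkt[i], pkt[i + 1]
        yield t, pkt[i + 2:i + l], i
        i += l

def password_xor(data, secret, req_auth, hiding):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block), chaining from
    # the Request Authenticator; the same loop hides (client side) and reveals (server side).
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        x = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (x if hiding else block)
    return out

def message_authenticator(pkt, secret):
    # RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the packet, attribute value zeroed
    off = next(o for t, _, o in attrs_of(pkt) if t == MSG_AUTH)
    return hmac.new(secret, pkt[:off + 2] + b"\0" * 16 + pkt[off + 18:], hashlib.md5).digest()

def build_access_request(ident, req_auth, user, password, secret):
    padded = password + b"\0" * (-len(password) % 16)
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, password_xor(padded, secret, req_auth, True))
    body += attr(MSG_AUTH, b"\0" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + message_authenticator(pkt, secret)  # Message-Authenticator is last here

def response_packet(code, ident, req_auth, body, secret):
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body  # RFC 2865 3

def server_handle(pkt, client_ip, secrets, users):
    secret = secrets.get(client_ip)            # shared secret is looked up per RADIUS client
    if secret is None:
        return None                            # no secret configured: request is ignored
    _, ident, _ = struct.unpack("!BBH", pkt[:4])
    req_auth, a = pkt[4:20], {t: v for t, v, _ in attrs_of(pkt)}
    if MSG_AUTH not in a or not hmac.compare_digest(a[MSG_AUTH], message_authenticator(pkt, secret)):
        return None                            # wrong secret or tampered packet: silently discarded
    pw = password_xor(a.get(USER_PASSWORD, b""), secret, req_auth, False).rstrip(b"\0")
    ok = hmac.compare_digest(users.get(a.get(USER_NAME), b"\0"), pw)  # stand-in for Authentication Manager
    return response_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)
```

A real server would also enforce the attribute checks from step 4 and a per-request timeout before replying; both are omitted here.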
RADIUS clients control user access at the network perimeter. RADIUS clients, which can be VPN servers, wireless access points, or Network Access Servers connected to dial-in modems, interact with RSA RADIUS for user authentication and to establish appropriate access control parameters. When authentication succeeds, RSA RADIUS returns a set of attributes to RADIUS clients for session control.
The following figure shows how an RSA RADIUS server runs as a service on an Authentication Manager instance. The RADIUS service handles the requests from the clients and communicates with the Authentication Manager, which processes the authentications and grants or denies access to the user.