Remote Authentication Dial-In User Service (RADIUS) and DIAMETER
Remote Authentication Dial-In User Service (RADIUS) is a client/server-based system that supports authentication, authorization, and accounting (AAA) services for remote user access while safeguarding the system from unauthorized access. RADIUS organizes a centralized user administration by keeping record of all user profiles in one location that all remote services have access to.
To validate a RADIUS server, user credentials are required. That information is encrypted and sent to the RADIUS server in an Access-Request packet. Once credentials are received, the RADIUS server accepts, rejects or challenges the information. If credentials are accepted, the RADIUS server sends an Access-Accept packet and the user is authenticated. If the credentials are rejected, the RADIUS server sends an Access-Reject packet. If the information is challenged, it sends an Access-Challenge packet that requests additional information from the user the RADIUS server will use for authentication.
For remote dial-up access, RADIUS also supports callback security where the server will terminate the connection and establish a new connection by dialing a predefined telephone number attached to the user’s modem. Callback security works as an extra layer of protection from unwarranted access over dial-up connections.
Because of the success of RADIUS, DIAMETER was developed. An upgraded version of RADIUS, DIAMETER is designed for use on all methods of remote connectivity in addition to dial-up.
Terminal Access Controller Access Control System
The three versions of Terminal Access Controller Access Control System (TACACS) are:
- TACACS
- Extended TACACS (XTACACS)
- TACACS+
Each version authenticates users and prohibits access to those without a verified username/password pairing.
- TACACS combines the authentication and authorization functions.
- XTACACS allows the separation of the authentication, authorization, and auditing functions, giving administrators more discerning control over its deployment.
- TACACS+ also allows the division of the authentication, authorization, and auditing but also provides two-factor authentication.
The authentication process with TACACS is similar to RADIUS and it parallels in functionality. However, RADIUS follows an Internet standard, and TACACS is a proprietary protocol. This difference has made TACACS less popular than RADIUS.