RADIUS overview

Remote Authentication Dial In User Service (RADIUS) is an Internet standard protocol that provides centralized authentication, accounting, and IP management services for remote access users in a distributed dial-up network.

The RADIUS client-server model has a Network Access Server (NAS) operating as a client to a RADIUS server. The iSeries™ Server, acting as the NAS, sends user and connection information to a designated RADIUS server using the RADIUS standard protocol defined in RFC 2865.

A RADIUS server acts on a received user connection request by authenticating the user and then returning to the NAS all the configuration information necessary, so that the NAS (iSeries Server) can deliver authorized services to the authenticated dial-in user.

If a RADIUS server cannot be reached, the iSeries server can route authentication requests to an alternate server. This enables global enterprises to offer their users a dial-in service with a unique login user ID for corporate-wide access, no matter what access point is being used.

When an authentication request is received by the RADIUS server, the request is validated, and then the RADIUS server decrypts the data packet to access the user name and password information. The information is passed on to the appropriate security system being supported. This might be UNIX® password files, Kerberos, a commercial security system, or even a custom-developed security system. The RADIUS server sends back to the iSeries server any services the authenticated user is authorized to use, such as an IP address.

RADIUS accounting requests are handled in a similar manner. A remote user's accounting information can be sent to a designated RADIUS accounting server. The RADIUS Accounting standard protocol is defined in RFC 2866. The RADIUS accounting server acts on received accounting requests by logging the information from the RADIUS accounting request.
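
The following added example, which is not code from this page or from the iSeries product, walks through the authentication request handling described above: the NAS hides the User-Password attribute as specified in RFC 2865 section 5.2, and the server validates the packet framing and recovers the user name and password with the shared secret. The function names, the shared secret, and the fixed Request Authenticator are assumptions made for the example; a real NAS generates a fresh random 16-byte authenticator for every request.

```python
import hashlib
import struct
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types
SECRET, AUTH = b"constructed-shared-secret", bytes(range(16))  # constructed sample values

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev  # each hidden block keys the MD5 pad of the next block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, user, password, secret) -> bytes:
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes):
    """Server side: validate framing, then recover (user name, password)."""
    n = len(packet)
    if n < 20 or packet[0] != ACCESS_REQUEST or struct.unpack("!H", packet[2:4])[0] != n:
        raise ValueError("not a well-formed Access-Request")
    pos, attrs = 20, {}
    while pos < n:
        if pos + 2 > n or packet[pos + 1] < 2 or pos + packet[pos + 1] > n:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if not attrs.keys() >= {USER_NAME, USER_PASSWORD}:
        raise ValueError("missing User-Name or User-Password")
    return attrs[USER_NAME], unhide_password(attrs[USER_PASSWORD], secret, packet[4:20])
```

A server configured with a different shared secret recovers different bytes rather than raising an error, so the password check against the backing security system fails. Only the User-Password attribute is hidden in this exchange; the User-Name attribute travels in the clear.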

Related reference
Scenario: Authenticate dial-up connections with RADIUS NAS