Sun Directory Services 3.1 Administration Guide

RADIUS Authentication Architecture

The RADIUS server provided with the Sun Directory Services is an authentication and authorization information server for a Network Access Server (NAS). A NAS is a device that provides an access point to the network for remote users connecting using SLIP, PPP, or any other remote access protocol. The NAS transmits the information provided in the connection request from the remote user to the RADIUS server. The RADIUS server checks this information against the entry for the remote user in the directory. It then returns to the NAS an authorization or denial for the remote user connection. It can also provide the appropriate connection parameters for the remote user connection.

The RADIUS server logs information on remote user access requests in the dsradius.log file in the directory /var/opt/SUNWconn/ldap/log.


Note -

A NAS is also often referred to as a remote access server or RAS.


The authentication architecture is illustrated in Figure 7-1.

Figure 7-1 RADIUS Authentication Architecture

The user is the entity requesting access to network resources. In the directory database, a user is identified by a unique uid. The uid attribute, and all other attributes describing a remote user, are defined in the remoteUser object class.

The Network Access Server, also called a client, is the device to which remote users connect. The client queries the RADIUS server for authentication status, user profiles, and authorizations. In the directory database, a client is identified by a unique ipHostNumber. The ipHostNumber attribute, and all other attributes describing a RADIUS client, are defined in the nas object class.

The RADIUS server authenticates the NAS, then checks the remote user's identity and authorization in the directory database. It returns the user's status and configuration information to the NAS.

If the RADIUS server is unable to authenticate the NAS, the request from the NAS is ignored. The RADIUS server does not respond, even with a connection rejection.
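The exchange described above (NAS lookup by ipHostNumber, user lookup by uid, Access-Accept or Access-Reject, and no reply at all for an unknown NAS) as an added worked example in Python; it is not code from Sun Directory Services. The directory entries are constructed dictionaries standing in for the nas and remoteUser object classes, the "secret" attribute name and the function names are assumptions, and the User-Password hiding follows RFC 2865 section 5.2.

```python
import hashlib
import hmac

# Constructed stand-ins for the directory (not the Sun DS schema): RADIUS clients keyed by
# ipHostNumber, remote users keyed by uid. The per-NAS shared secret attribute is assumed.
NAS_ENTRIES = {"192.0.2.10": {"secret": b"nas-shared-secret"}}
REMOTE_USERS = {"alice": {"password": b"correct-horse", "framedIP": "10.0.0.5"}}


def encode_user_password(password, secret, authenticator):
    """Hide a User-Password as the NAS does (RFC 2865 s5.2): pad with NULs to a multiple of
    16 bytes (at least 16), then XOR each block with MD5(secret + previous block),
    seeded with the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden, secret, authenticator):
    """Reverse the hiding on the server side; the keystream chains on the hidden blocks.
    Trailing NUL padding is stripped, so passwords ending in NUL bytes are not supported."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def handle_access_request(src_ip, authenticator, uid, hidden_password):
    """Model the server's decision. Returns None when the NAS cannot be authenticated
    (no nas entry for its ipHostNumber), i.e. the request is silently ignored; otherwise
    a (reply-code, attributes) tuple. A wrong shared secret decodes to garbage, so the
    user check fails and the NAS receives an Access-Reject."""
    nas = NAS_ENTRIES.get(src_ip)
    if nas is None:
        return None
    password = decode_user_password(hidden_password, nas["secret"], authenticator)
    user = REMOTE_USERS.get(uid)
    if user is None or not hmac.compare_digest(password, user["password"]):
        return ("Access-Reject", {})
    # Connection parameters for the accepted user come from the remoteUser entry.
    return ("Access-Accept", {"Framed-IP-Address": user["framedIP"]})
```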