More about Server-based user authentication protocols

RADIUS was initially created by a company called Livingston and later became an Internet Engineering Task Force (IETF) standard defining an authentication protocol between network access points and an authentication server.

Before authentication servers existed, user names and passwords had to be stored locally at every network access point. That created enormous management overhead because any change to the user database had to be manually replicated over a potentially large number of devices.

It was also a source of security problems because password databases were less protected at the edge of the network. Furthermore, mistakes by systems administrators updating files manually were common.

The objective of the RADIUS protocol is to centralize storage of the user database and passwords, which simplifies management, facilitates policy enforcement, and consequently enhances security.

The equipment receiving the access request uses the RADIUS protocol to authenticate the user against the centralized authentication server.

TACACS (and its XTACACS and TACACS+ variants) is a protocol designed by Cisco Systems with functionality and objectives similar to those of RADIUS. It was originally meant to be a Cisco proprietary protocol, but support for TACACS has since been added by many other network equipment vendors.

RADIUS has two software components: the client portion runs on the access equipment and the server portion runs on the authentication server. When a user requests a network connection, the RADIUS client prompts for the user name and password.

The client then initiates a login request transaction with the server, which checks the database and decides whether or not to allow access. The password carried in the transaction is encrypted so that someone watching the traffic between client and server cannot easily retrieve it.
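The exchange described above, as an added example that is not part of the original text and not code from FreeRADIUS or any other RADIUS implementation. It models both sides of the RFC 2865 Access-Request / Access-Accept transaction in Python: the client hides the User-Password attribute with the shared secret and a fresh Request Authenticator, the server recovers it and checks it against a constructed central user database, and the client verifies the Response Authenticator before trusting the answer. The shared secret, user database and user credentials are constructed sample values. Note what the protocol actually protects: only the User-Password attribute is obscured (with an MD5-based keystream derived from the shared secret), the user name and all other attributes travel in the clear, so the strength of the shared secret and the confidentiality of the client-server link are what a practitioner must look after.

```python
import hashlib
import secrets
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample central user database (constructed values, not real credentials).
USER_DB = {"alice": "correct horse"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets (at least 16), then XOR each
    16-octet block with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the *hidden* block, so both sides can derive it
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped (RADIUS passwords contain no NULs)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the 2 header octets) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def client_access_request(username: str, password: str, secret: bytes, ident: int = 1):
    """Access equipment side: build the Access-Request with a fresh random Request Authenticator."""
    request_auth = secrets.token_bytes(16)
    hidden = hide_password(password.encode(), secret, request_auth)
    attrs = [(ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, hidden)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(pkt: bytes, secret: bytes, user_db=USER_DB) -> bytes:
    """Authentication server side: recover the password, check the central database, answer."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(a.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and secrets.compare_digest(password, user_db[user].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + b"" + secret).digest()


def client_verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the answer only if the Response Authenticator proves the server knows the secret."""
    code, _ident, resp_auth, _attrs = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not secrets.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply forged, tampered, or wrong shared secret")
    return code == ACCESS_ACCEPT


def run_exchange(username: str, password: str, secret: bytes = b"constructed-shared-secret", user_db=USER_DB) -> bool:
    """Full transaction: client request -> server decision -> client verification."""
    req, request_auth = client_access_request(username, password, secret)
    return client_verify_response(server_handle(req, secret, user_db), request_auth, secret)


if __name__ == "__main__":
    print("alice / correct password ->", run_exchange("alice", "correct horse"))
    print("alice / wrong password   ->", run_exchange("alice", "wrong"))
```

Two things worth observing when running it: a mismatched shared secret between client and server produces an Access-Reject (the server decrypts garbage) and the client additionally rejects that reply because the Response Authenticator no longer verifies; and the bytes on the wire never contain the clear-text password, although they do contain the clear-text user name.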

Initially designed only for authentication against a centralized database, RADIUS and TACACS servers evolved to enforce access policies (such as selective access to network resources for different users, or different access privileges depending on authorization level or time of day) and to generate billing and auditing information (records of user activity).

RADIUS server software is available in both commercial and open source form. An example of open source server software that runs on most operating systems is the popular FreeRADIUS package, found at http://www.freeradius.org.