How RADIUS Authentication Works [Step-by-Step Simplified]

Captions
In the world of the beehive, honeybees stand as diligent guardians of their precious resources, constantly vigilant against the threat of robberies. A colony's survival depends on their collective defense mechanisms. At the hive entrance, guard bees patrol with unwavering focus. They scrutinize every incoming bee, distinguishing friends from foes through the combination of chemical and behavioral cues. When a robber bee dares to approach, a battle ensues. The guard bees engage in swift and coordinated attacks, mobilizing the entire colony. They form a buzzing vortex, enveloping the robbers in a symphony of stings and defensive maneuvers. The united front of the honeybees overwhelms their adversaries, forcing them to retreat in defeat.

In cyber security, a parallel can be drawn to RADIUS authentication. Just as those guard bees scrutinize every incoming bee, RADIUS meticulously examines and validates the identity of users seeking to access a network. So let's talk about how RADIUS authentication works in cyber security.

Remote Authentication Dial-In User Service, or RADIUS, is a client-server networking protocol that runs at the application layer of OSI. The RADIUS protocol uses a RADIUS server and RADIUS clients. A RADIUS client, or a network access server, is a network device like a VPN or a switch or a wireless access point that is used to authenticate users. When you think of RADIUS authentication, I want you to think about RADIUS being like the person at any ticketed event, where you buy a ticket and go watch a ball game or any kind of school event. They're the person that stands there, asks for your ticket, ensures that you belong, and allows you in.

The RADIUS server is a background process that can run on either Windows or Linux servers, and it lets you maintain user profiles in a central database. This database is a list of users who are allowed to connect. It could come from Active Directory, they could be hard-entered; there are many ways that you can populate this database. So if you have a RADIUS server, you can control who connects to your network.

A basic RADIUS authentication process follows these steps. A RADIUS supplicant, or the end user, connects to a RADIUS client and tries to authenticate to the RADIUS server using user credentials, a username and a password typically. The client then sends an Access-Request message to the RADIUS server. That message comprises a shared secret. Passwords are always encrypted in that Access-Request message, as they should stay secure.

Step 3: the RADIUS server reads that shared secret and ensures that that Access-Request message is from an authorized client, comparing against that user database. If the Access-Request is not from an authorized client, the message is immediately discarded. If the authentication method, username and password for example, is allowed, the RADIUS server then reads those user credentials from that message and it compares those credentials against the user database.

The RADIUS server then checks to see if there's an access policy or profile that matches the user credentials: are they allowed to access during certain hours, all of those kinds of things. If there's not a matching policy, then the server will send an Access-Reject message. Authorization is denied even though authentication might have been successful. The RADIUS transaction ends and the user is denied access to the environment.

If there is a matching policy, the RADIUS server sends an Access-Accept message to the device. That Access-Accept message consists of that shared secret and a Filter-ID attribute. If the shared secret doesn't match, the RADIUS client rejects that message, as it is coming from someone trying to spoof the RADIUS server. The user is finally authenticated and authorized: they have the correct credentials, they have the correct access, and then they finally obtain access to the RADIUS client.

Now let's talk about how accounting for RADIUS server and RADIUS authentication work. RADIUS servers are also used for accounting purposes, keeping track of activities. RADIUS accounting collects data for network monitoring, for billing, or statistical purposes in a network environment, and that accounting process typically starts when a user is granted access to the RADIUS server. However, RADIUS accounting can also be used separately and independently from the RADIUS authentication and the authorization process.

This whole process starts back when the user is granted access to the RADIUS server. The RADIUS client will send a RADIUS Accounting-Request packet, known as an accounting start, to the RADIUS server. That request packet has the user ID, the network address, a session identifier, and a point of access: where did they get on the network?

Now, during this session, the client might send additional Accounting-Request packets, known as interim updates, to the RADIUS server to extend their session time or to get access to other resources. These packets include details like the current session duration and data usage, and those packets serve the purpose of updating the information about that user session to the RADIUS server.

Once that user's access to the server ends, the RADIUS client sends another Accounting-Request packet, known as an accounting stop, to the RADIUS server. That packet includes information like the total time, the data packets transferred, the reason for the disconnection, and other information relevant to that user's session in the environment.

So, to conclude, RADIUS is simply a mechanism for AAA (authentication, authorization, and accounting) that helps organizations keep private information from being leaked to snooping outsiders. It allows for easy depreciation capabilities and helps users to be assigned with unique network permissions inside of complex environments, and typically it can integrate with existing systems without any big changes.
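Added example, not part of the video or its captions: a sketch of how RFC 2865 uses the shared secret in the exchange described above. The secret itself is not sent; it keys the MD5-based hiding of the User-Password attribute and the Response Authenticator that lets the RADIUS client detect a reply from a spoofed server. The secret, password, packet identifier and Filter-Id value are constructed sample data.

```python
import hashlib, hmac, os, struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 sec. 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev                        # later blocks chain on the previous ciphertext
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(type_: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator; a server without the secret cannot match it."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = os.urandom(16)           # fresh random value per Access-Request
    hidden = hide_password(b"correct horse battery", secret, request_auth)
    recovered = reveal_password(hidden, secret, request_auth)
    filter_id = attr(11, b"staff-acl")      # type 11 = Filter-Id, value is constructed
    accept = build_reply(2, 7, request_auth, filter_id, secret)           # code 2 = Access-Accept
    forged = build_reply(2, 7, request_auth, filter_id, b"wrong-secret")  # spoofed server
    return (recovered,
            reply_is_authentic(accept, request_auth, secret),
            reply_is_authentic(forged, request_auth, secret))

if __name__ == "__main__":
    print(demo())
```

Both mechanisms rest on MD5 and protect only the password attribute and the reply's integrity, so deployments commonly also require the Message-Authenticator attribute or carry RADIUS inside TLS or IPsec.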
Info
Channel: The Infosec Academy
Views: 28,267
Keywords: AAA, Authentication, Authorization, RADIUS, and Accounting, network access server, radius supplicant, remote access server, remote authentication dial-in user service
Id: LLrb3em-_po
Length: 6min 12sec (372 seconds)
Published: Sat Jul 01 2023