RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a widely used AAA protocol that provides centralized network authentication through a dedicated RADIUS server.  

AAA (Authentication, Authorization, and Accounting) is a security framework for controlling access to network resources. This is carried out by granting or denying user access, determining user privileges, and logging network activity.  

As the “Dial-In” part of the name implies, RADIUS has been around since the 90’s, but thanks to its security, ease of use, and reliability, it has stood the test of time and remains one of the gold standards for network authentication.  

RADIUS works using three major components:

• Supplicant: The user device or application requesting access
• Authenticator: The network device being accessed (i.e., router, WAP, Switch, VPN concentrator)
• Authentication Server: (RADIUS Server)

Whenever an employee attempts to login into a network device, the supplicant provides its login credentials or digital certificate to the authenticator (I.e., a switch or WAP), which then forwards the request to the RADIUS Server. The RADIUS server will check with the Identity Provider (think Azure or Google Workspace) and, if it finds a match, will then let you Authenticate.

It will also determine what resources you have access to, so for instance if you are in HR you will get access to HR resources - perhaps a database of employees and salary information. This is called role-based access and is the Authorization part of AAA.

Lastly, it will keep a record of what you did while you were connected - the Accounting.

Both are similar in that they are AAA (Authentication, Authorization, and Accounting) protocols, and you can absolutely use RADIUS to handle access to all of your devices from server to routers to switches. When it comes to networking equipment, though, that’s where TACACS really shines – it allows you to specify what a user can do down to the individual command level. This is invaluable when dealing with something like Cisco’s IOS which has 16 different privilege levels ranging from “Log in only” (level 0) to “No one can stop me!” (level 15.) TACACS will also provide an audit log of each and every command run by each user; RADIUS accounting logs are not as detailed.

Active Directory is an Identity Provider – basically a repository of usernames, passwords, and roles. Its primary function is to store and organize all of the people and computers in your organization.

RADIUS is a protocol that’s primary responsibility is managing the AAA (Authentication, Authorization, and Accounting) requests.

Your switch has no way of talking to your Active Directory database, so without a RADIUS server you would have to just leave your network open to anyone who wanted to connect (which is, of course, a terrible idea.) To keep your network secure, it’s crucial to only allow known users access, and to make sure that those users only have access to the resources they need for their job (so no one goes snooping through HR files or uses the Finance spreadsheets to give themselves a raise.)