RADIUS Authentication and Accounting

Internet Authentication Service (IAS) fully supports the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS protocol is the de facto standard for remote user authentication.

The following diagram shows an authenticating client ("User") connecting to a Network Access Server (NAS) over a dial-up connection, using the Point-to-Point Protocol (PPP). In order to authenticate the User, the NAS contacts a remote server running IAS. The NAS and the IAS server communicate using the RADIUS protocol.

Remote user authentication

A NAS operates as a client of a server or servers that support the RADIUS protocol. Servers that supports the RADIUS protocol are generally referred to as the RADIUS servers. The RADIUS client, that is, the NAS, passes information about the User to designated RADIUS servers, and then acts on the response that the servers return. The request sent by the NAS to the RADIUS server in order to authenticate the User is generally called an "authentication request."

If a RADIUS server authenticates the User successfully, the RADIUS server returns configuration information to the NAS so that it can provide network service to the user. This configuration information is composed of "authorizations".

The RADIUS server also collects a variety of information sent by the NAS that can be used for accounting and for reporting on network activity. The RADIUS client sends information to designated RADIUS servers when the User logs on and logs off. The RADIUS client may send additional usage information on a periodic basis while the session is in progress. The requests sent by the client to the server to record logon/logoff and usage information are generally called "accounting requests."

While the RADIUS server is processing the authentication request, it can perform authorization functions such as verifying the user's telephone number and checking whether the user already has a session in progress. The RADIUS server can determine whether the user already has a session in progress by contacting a state server.

A RADIUS server can act as a proxy client to other RADIUS servers. In these cases, the RADIUS server contacted by the NAS passes the authentication request to another RADIUS server that actually performs the authentication.

Windows 2000:  IAS does not support RADIUS Proxy because it is based on the Option Pack version.

For more information on RADIUS authentication and accounting, see RFC 2865 and RFC 2866.

Send comments about this topic to Microsoft

Build date: 10/1/2007

Community Additions