What are RADIUS AAA Servers?

According to Convery, S. (2007)[1]: “RADIUS was developed by Livingston Enterprises (now part of Alcatel-Lucent) in the early 1990s, became an Internet standard through the IETF in 1997, and today is the most widely accepted AAA protocol.

Another widely adopted AAA protocol, which predates RADIUS as an RFC by four years, is the Terminal Access Controller Access Control System (TACACS). Though never an Internet standard, TACACS evolved into XTACACS and then TACACS+, the latter of which is the only version of TACACS in use today.”

A RADIUS AAA server is one of the most widely used remote access components. Its main functions are to:

  • consolidate the login requests received from the remote network authenticator(s) within an organization,
  • verify that the remote user is eligible to access the corporate network, and
  • authenticate the user with the agreed-upon authentication methods.

The acronym AAA stands for Authentication, Authorization, and Accounting. Authentication verifies a remote user’s identity, authorization determines what the remote user is allowed to do on the network, and accounting logs the user’s network access activity. The RADIUS AAA server carries out these actions together with the other remote access components in a corporate network environment.

RFC 2865[2] describes in detail the authentication methods and the packet format of a RADIUS server, and RFC 2866[3] describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. It should be noted that RFC 2866 does not specify an Internet standard of any kind.
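As an added illustration of the RFC 2865 packet format just mentioned (example code written for this page, not taken from any of the cited sources), the following parses the 20-byte header and the attribute TLVs and checks a server reply's Response Authenticator against the shared secret, which is how a client detects a forged or tampered Access-Accept. The shared secret, identifier, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865 section 3
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_radius(packet: bytes) -> dict:
    """Parse the header (Code, Identifier, Length, 16-byte Authenticator) and attribute TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet")  # RFC 2865: silently discard
    attrs, pos = [], 20
    while pos < length:  # each attribute is Type(1) Length(1) Value(Length-2)
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": packet[4:20], "attributes": attrs}

def build_attrs(pairs) -> bytes:
    """Encode (type, value) pairs as RADIUS attribute TLVs."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server reply whose Response Authenticator follows RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client-side check: reply matches our request ID and was built with the shared secret."""
    req, rsp = parse_radius(request), parse_radius(response)
    if rsp["id"] != req["id"]:
        return False
    expected = hashlib.md5(response[:4] + req["authenticator"] + response[20:rsp["length"]] + secret).digest()
    return hmac.compare_digest(expected, rsp["authenticator"])

# Constructed sample exchange (not a real capture): secret, authenticator and attributes are made up.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 unpredictable random bytes here
REQUEST = struct.pack("!BBH", 1, 7, 20 + 7) + REQUEST_AUTH + build_attrs([(1, b"alice")])  # User-Name
ACCEPT = build_response(2, 7, REQUEST_AUTH, build_attrs([(18, b"Welcome")]), SECRET)  # Reply-Message
```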

TACACS+ (Terminal Access Controller Access-Control System Plus) is another popular protocol that provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. The main difference between TACACS+ and RADIUS is that TACACS+ separates authentication from authorization, whereas RADIUS combines the two within the server. Also, TACACS+ uses TCP to communicate, while RADIUS uses UDP. (Source: Wikipedia)[4]

[1] Convery, S. (2007), Network Authentication, Authorization, and Accounting: Part One, The Internet Protocol Journal – Volume 10, No. 1. Available from: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_aaa-part1.html [Accessed 31 March 2008]

[2] Rigney, C. (Ed.) (2000), Request for Comments: 2865, Network Working Group. Available from: http://rfc.net/rfc2865.html [Accessed 31 March 2008]

[3] Rigney, C. (2000), Request for Comments: 2866, Network Working Group. Available from: http://rfc.net/rfc2866.html [Accessed 31 March 2008]

[4] Wikipedia, the free encyclopedia (2008), TACACS+. Available from: http://en.wikipedia.org/wiki/TACACS%2B [Accessed 31 March 2008]