Overview
RADIUS (Remote Authentication Dial-In User Service) is a client-server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
The user or machine requests a Network Access Server (NAS) to access a particular network resource using access credentials. In turn, the NAS sends a RADIUS Access-Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.
The RADIUS server returns one of three responses to the NAS:
- Access-Reject
- Access-Challenge
- Access-Accept
Access-Reject - The user is unconditionally denied access to all requested network resources, typically because the proof of identity failed or the user account is unknown or inactive.
Access-Challenge - Requests additional information from the user, such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user's machine and the RADIUS server to hide the access credentials from the NAS.
Access-Accept - The user is granted access. Once the user is authenticated, the RADIUS server checks that the user is authorized to use the requested network service. For example, a given user may be allowed to use a company's wireless network but not its VPN service. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.
Accops as RADIUS Server for User Authentication and MFA
Accops HyID Server can also act as a RADIUS server for user authentication, and the RADIUS client can be any network device or application. The RADIUS server is pre-built and installed inside the Accops HyID Server. The administrator has to configure the network device's IP address in the RADIUS configuration file and create a shared secret between the RADIUS client and the Accops HyID RADIUS server.
The Accops HyID RADIUS module can be configured in two ways:
- OTP and password combined in the same field - The RADIUS client forwards the remote user's user ID, OTP, and password to the RADIUS authentication server. If the credentials are correct, the server authenticates the user, and the RADIUS client enables the remote user to connect to the network. When using this flow, only mobile tokens can be used as the MFA option, since the OTP has to be supplied at the time of login.
- Challenge-response after providing the password - The RADIUS client forwards the remote user's user ID and password to the RADIUS authentication server. If the credentials are correct, the server sends a challenge listing the available 2FA options, and the user has to provide that input to the RADIUS server. The server then prompts according to the option chosen and asks for an OTP. After the user provides the OTP as the final input, the user is authenticated. When using this flow, multiple MFA options are available, i.e., mobile token, email token, SMS token, push notification, and more.
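To make the two flows concrete, here is an added Python model of a RADIUS server and NAS exercising both the combined password+OTP mode and the challenge-response mode, together with the three response types described above. This is illustration code, not Accops' implementation: the mode names ("combined" and "challenge"), the user store, the fixed OTP value and the shared secret are constructed for the example, and the only protocol detail taken from a specification is the User-Password hiding of RFC 2865 section 5.2.

```python
"""Added example: a minimal model of the RADIUS flows described on this page.
Not Accops' code. User store, OTP, shared secret and mode names are constructed;
only the User-Password hiding follows RFC 2865 section 5.2."""
import hashlib
import secrets


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret || previous ciphertext block); the first 'previous block' is
    the 16-byte Request Authenticator from the Access-Request header."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as run by the RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


# Constructed user store. A real server would look users up in LDAP/AD and
# generate a fresh OTP per login instead of storing a fixed value.
USERS = {"alice": {"password": "s3cret!", "otp": "482913",
                   "mfa": ["mobile", "email", "sms", "push"]}}


class RadiusServer:
    """mode="combined": password followed by OTP in one User-Password field.
    mode="challenge": password first, then Access-Challenge round trips that
    carry a State attribute to pick the MFA method and then supply the OTP."""

    def __init__(self, mode: str, secret: bytes, users: dict):
        self.mode, self.secret, self.users = mode, secret, users
        self.sessions = {}  # State value -> pending challenge (a real server expires these)

    def access_request(self, user, hidden_pw, req_auth, state=None):
        """Handle one Access-Request; returns (code, state, reply_message)."""
        entered = reveal_password(hidden_pw, self.secret, req_auth)
        rec = self.users.get(user)
        if rec is None:
            return "Access-Reject", None, "unknown or inactive account"

        if self.mode == "combined":
            ok = secrets.compare_digest(entered, (rec["password"] + rec["otp"]).encode())
            return ("Access-Accept" if ok else "Access-Reject"), None, None

        if state is None:  # first leg of the challenge flow: password check only
            if not secrets.compare_digest(entered, rec["password"].encode()):
                return "Access-Reject", None, "bad password"
            state = secrets.token_hex(8)
            self.sessions[state] = {"user": user, "step": "choose"}
            return "Access-Challenge", state, "Choose 2FA: " + ", ".join(rec["mfa"])

        sess = self.sessions.pop(state, None)
        if sess is None or sess["user"] != user:  # unknown or replayed State
            return "Access-Reject", None, "invalid state"
        if sess["step"] == "choose":
            method = entered.decode(errors="replace")
            if method not in rec["mfa"]:
                return "Access-Reject", None, "unknown 2FA method"
            self.sessions[state] = {"user": user, "step": "otp", "method": method}
            return "Access-Challenge", state, f"Enter the OTP sent via {method}"
        ok = secrets.compare_digest(entered, rec["otp"].encode())  # step == "otp"
        return ("Access-Accept" if ok else "Access-Reject"), None, None


def nas_login(server: RadiusServer, secret: bytes, user: str, inputs: list) -> str:
    """NAS side: send each user input in a fresh Access-Request, echoing the
    State from any Access-Challenge, until a final Accept or Reject arrives."""
    state = None
    for text in inputs:
        req_auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
        hidden = hide_password(text.encode(), secret, req_auth)
        code, state, _msg = server.access_request(user, hidden, req_auth, state)
        if code != "Access-Challenge":
            return code
    return "Access-Reject"  # input exhausted while a challenge was still pending


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    print(nas_login(RadiusServer("combined", SECRET, USERS), SECRET, "alice", ["s3cret!482913"]))
    print(nas_login(RadiusServer("challenge", SECRET, USERS), SECRET, "alice",
                    ["s3cret!", "sms", "482913"]))
```

The State attribute is what ties the legs of the challenge flow together; the server rejects any Access-Request whose State it does not recognise, and a production server would also expire pending challenges after a short timeout. Note that the RFC 2865 password hiding depends entirely on the shared secret and the randomness of the Request Authenticator, which is why the page's point about a secure tunnel in more complex dialogs matters: the hiding alone is not a transport security mechanism.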
For more details on RADIUS configuration, click here.