PingAM

RADIUS authentication

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol specified in RFC 2865. It ensures that users or devices attempting to connect to a network are properly authenticated, safeguarding access and preventing unauthorized use.

It operates using a client/server model, where devices such as VPN concentrators, routers, and Wi-Fi access points are the RADIUS clients. Using the RADIUS protocol, they converse with RADIUS servers to authenticate users or devices attempting to access the network.

The conversation between RADIUS clients and servers happens through the exchange of packets. There are four types of packets used in the authentication process:

Access-Request

The client sends an Access-Request packet to the server to start a new authentication conversation, or to respond to a previous response in an existing conversation and provide requested information.

This packet always contains the User-Name and User-Password fields but can contain additional information.

For example, the optional State field, when present, indicates that a packet is part of an existing authentication conversation. The field is absent when the packet starts a new conversation.

Access-Accept

The server sends an Access-Accept packet to the client to indicate a successful authentication.

Access-Reject

The server sends an Access-Reject packet to the client to indicate a failed authentication.

Access-Challenge

The server sends an Access-Challenge packet to the client to request more information from the user or device that’s authenticating.

This packet is sent only if the RADIUS server requires additional information beyond the username and password, such as a one-time password (OTP) for multi-factor authentication (MFA).

When this packet is sent, it’s followed by another Access-Request packet from the client that contains the requested information and the State field to associate the request with the existing conversation.
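The packet types and the State field described above, shown as an added example that is not part of the PingAM documentation or code: a small Python parser for the RFC 2865 wire format that names each packet and reports whether an Access-Request starts or continues a conversation. The numeric codes and attribute types are those assigned in RFC 2865; the helper names and sample packets are constructed for illustration, with zeroed authenticators and placeholder password octets.

```python
import struct

# Packet codes and attribute types as assigned in RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24

def parse_packet(data: bytes) -> dict:
    """Parse a RADIUS packet: 20-byte header followed by type-length-value attributes."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError("invalid Length field")
    attrs, pos = {}, 20
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, []).append(data[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}

def classify(data: bytes) -> str:
    """Name the packet; for Access-Request, say whether State marks an existing conversation."""
    pkt = parse_packet(data)
    name = CODES.get(pkt["code"], f"unknown code {pkt['code']}")
    if pkt["code"] == 1:
        phase = "existing conversation" if STATE in pkt["attrs"] else "new conversation"
        return f"{name} ({phase})"
    return name

def build(code: int, ident: int, attrs: list) -> bytes:
    """Build a constructed sample packet with a zeroed authenticator (not valid on a real network)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: the password values are 16-octet placeholders, not real hidden passwords.
first = build(1, 1, [(USER_NAME, b"demo"), (USER_PASSWORD, bytes(16))])
challenge = build(11, 1, [(STATE, b"conv-1")])
followup = build(1, 2, [(USER_NAME, b"demo"), (USER_PASSWORD, bytes(16)), (STATE, b"conv-1")])

if __name__ == "__main__":
    for sample in (first, challenge, followup):
        print(classify(sample))
```

The bounds checks on the Length field and on each attribute length are what keep a malformed or truncated packet from being read past its end.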

AM provides flexible RADIUS support, allowing it to operate as either a RADIUS client or a RADIUS server.