--- title: RADIUS authentication description: RADIUS (Remote Authentication Dial-In User Service) is a networking protocol specified in RFC 2865. It ensures that users or devices attempting to connect to a network are properly authenticated, safeguarding access and preventing unauthorized use. component: pingam version: 8.1 page_id: pingam:am-authentication:radius-authentication canonical_url: https://docs.pingidentity.com/pingam/8.1/am-authentication/radius-authentication.html keywords: ["Authentication", "Journeys", "Nodes & Trees", "RADIUS"] page_aliases: ["radius-server-guide:preface.adoc", "radius-server:preface.adoc", "radius-server-guide:radius-introduction.adoc", "radius-server:radius-introduction.adoc"] --- # RADIUS authentication RADIUS (Remote Authentication Dial-In User Service) is a networking protocol specified in [RFC 2865](https://www.rfc-editor.org/info/rfc2865). It ensures that users or devices attempting to connect to a network are properly authenticated, safeguarding access and preventing unauthorized use. It operates using a client/server model, where devices such as VPN concentrators, routers, and Wi-Fi access points are the RADIUS clients. Using the RADIUS protocol, they converse with RADIUS servers to authenticate users or devices attempting to access the network. The conversation between RADIUS clients and servers happens through the exchange of packets. There are four types of packets used in the authentication process: * `Access-Request` The client sends an `Access-Request` packet to the server to start a new authentication conversation, or to respond to a previous response in an existing conversation and provide requested information. This packet always contains the `User-Name` and `User-Password` fields but can contain additional information. For example, the presence of the optional `State` field indicates that a packet is part of an existing authentication conversation. This field doesn't exist when it's a new conversation. * `Access-Accept` The server sends an `Access-Accept` packet to the client to indicate a successful authentication. * `Access-Reject` The server sends an `Access-Reject` packet to the client to indicate a failed authentication. * `Access-Challenge` The server sends an `Access-Challenge` packet to the client to request more information from the user or device that's authenticating. This packet is sent only if the RADIUS server requires additional information beyond the username and password, such as a one-time password (OTP) for multi-factor authentication (MFA). When this packet is sent, it's followed by another `Access-Request` packet from the client that contains the requested information and the `State` field to associate the request with the existing conversation. AM provides flexible RADIUS support, allowing it to operate as either a RADIUS client or a RADIUS server. [icon: id-card, set=fad, size=3x] #### [AM as a RADIUS client](radius-client.html) Learn how to configure RADIUS authentication when AM is the RADIUS client. [icon: server, set=fad, size=3x] #### [AM as a RADIUS server](radius-server.html) Learn how to configure AM as a RADIUS server.