What is the RADIUS protocol? RADIUS is a network protocol that is used to authenticate and authorize user access to a remote network. The term, RADIUS, is an acronym that stands for Remote Authentication Dial-In User Service. First introduced in 1991, RADIUS has remained a powerful tool for managing network user access. To understand why, let’s take a look at the evolution of the RADIUS protocol through the years.
According John Vollbrecht, founder of Interlink Networks and a central figure in the emergence of the RADIUS protocol, the RADIUS story actually began in 1987 when the National Science Foundation (NSF) awarded a contract to Merit Network Inc. to expand NSFnet (i.e., the precursor to the modern internet). Merit Network Inc. was a non-profit corporation hosted at the University of Michigan that had been developing a proprietary network authentication protocol to connect universities throughout Michigan. At the time, most networks leveraged proprietary protocols and were exclusive in this way. The NSF contract to expand NSFnet was an effort to bring the internet to the public.
In order to do so, however, Merit’s proprietary network had to be converted to the IP-based network of NSFnet. Merit then solicited proposals from vendors to develop a protocol that could support Merit’s dial-in authentication approach, but for IP-based networks. They received a response from a company called Livingston Enterprises, whose proposal basically contained the description of the RADIUS protocol. Merit Networks Inc. accepted the proposal from Livingston Enterprises in 1991, and the RADIUS protocol was born. (source)
How Does RADIUS Work?
RADIUS leverages the client/server model for authenticating network user access. In practice, a user request for network access is sent from a client such as a user system or a WiFi access point to a RADIUS server for authentication. How does RADIUS work? RADIUS servers are typically coupled with a separate core identity provider database (a.k.a., directory services) that acts as the source of truth for user identities. As users attempt to access a remote, RADIUS protected network, they are challenged to provide the unique user credentials that are associated with their user identities stored in the associated directory database. Once provided by the user, credentials are then transported from the client to a RADIUS server via a supplicant (a program responsible for making login requests to a wireless network). In simple terms, authentication requests and credentials are sent from the user’s device via the supplicant to a RADIUS-backed networking device. The RADIUS-backed networking device then forwards authentication requests to the RADIUS server for authentication. Upon receiving the user authentication request and credentials, the RADIUS server then validates the user credentials against the associated directory services database. If the user credentials match the user information stored in the associated directory database, valid authorizations are sent back to the RADIUS client to initiate the connection to the network. If not, a rejection notice is issued.
Get an in-depth look at exactly how RADIUS works in our Definitive Guide to RADIUS.
Modern RADIUS Limitations
The RADIUS protocol has proven to increase network security and control, but it is not without certain challenges. This is especially true for newer, cloud-forward IT organizations. For example, RADIUS has historically been an on-prem implementation that effectively required existing on-prem identity management infrastructure to operate (e.g., systems, servers, routers, switches, etc.). This setup can be difficult and costly to achieve. Further, on-prem identity management infrastructure has been largely focused on Microsoft Windows®, with Microsoft Active Directory® (AD) acting as the core identity provider. To be fair, AD does offer its own ancillary RADIUS functionality. However, as the modern IT landscape continues to diversify, many IT organizations are moving away from implementing AD on-prem due to its numerous limitations in cross-platform and hybrid-cloud environments. In fact, many IT organizations are shifting their entire on-prem identity management infrastructure to the cloud with Active Directory alternatives. There are a number of benefits with this approach such as increasing agility and reducing costs, but without anything on-prem, how do IT organizations continue to provide secure RADIUS authentication?
RADIUS Authentication from the Cloud
Fortunately, a next generation identity and access management solution has emerged that can provide RADIUS-as-a-Service as a cloud delivered service. This solution is called JumpCloud® Directory-as-a-Service®, and it not only offers RADIUS authentication from the cloud, but it also serves as a comprehensive cloud-based alternative for Active Directory. This is because the JumpCloud platform is the first cloud-based directory services platform to take a cross-platform, vendor-neutral, protocol driven approach to managing modern IT networks. In doing so, IT organizations can securely manage and connect users to their systems, applications, files, and – specifically as it relates to this blog post – networks via RADIUS. In doing so, administrators are free to leverage the best IT resources for the organization with the peace of mind that comes from knowing they can effectively manage the entire network from the cloud with JumpCloud Directory-as-a-Service.
Learn More about the RADIUS Protocol
We hope this was helpful, but if you’re still asking yourself, “What is the RADIUS protocol?” Sign up for a free JumpCloud Directory-as-a-Service account or schedule a demo to see RADIUS authentication in action. We offer 10 free users so that you can explore the full functionality of our comprehensive cloud directory risk free. You can also contact the JumpCloud team to answer any questions.