The RADIUS protocol follows a client-server architecture.
The client (typically a Network Access Server) sends user information
to the AAA server in Access-Request or Accounting-Request messages. The
AAA server either processes the request locally or, when acting as a
proxy server, forwards (proxies) the request to a remote RADIUS server.
When processing a RADIUS request locally, the AAA server can call on
additional external services (LDAP, an external database, DHCP, and so
on) to service the request.
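The client-server exchange described above, as an added example that is
not part of this guide or the HP-UX AAA Server's own code: a NAS builds a
PAP Access-Request with the User-Password hidden as RFC 2865 specifies,
the AAA server recovers the password with the shared secret, checks it
against a local user table, and answers with an Access-Accept or
Access-Reject carrying a Response Authenticator, which the NAS verifies
before trusting the answer. The shared secret, the user table and the
two-attribute subset are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Shared secret and user table are constructed for this example; a real AAA
# server would look the user up in the repository configured for the realm.
SHARED_SECRET = b"example-shared-secret"
USERS = {"alice@example.org": b"correct horse"}


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs; length covers type+len+value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    if i != len(data):
        raise ValueError("trailing bytes after attributes")
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain value is the previous ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_access_request(ident, user_name, password, secret=SHARED_SECRET):
    """Client side: fresh random Request Authenticator, PAP password hidden under it."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user_name.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def aaa_handle_access_request(pkt, secret=SHARED_SECRET, users=USERS):
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user_name = a[USER_NAME].decode()
    password = reveal_password(a[USER_PASSWORD], secret, request_auth)
    stored = users.get(user_name)
    # Constant-time compare; plaintext storage is for the demo only.
    ok = stored is not None and hmac.compare_digest(stored, password)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(resp_code, ident, request_auth, [], secret)
    return build_packet(resp_code, ident, resp_auth, [])


def nas_verify_response(resp, request_auth, expected_ident, secret=SHARED_SECRET):
    """Client side: accept the answer only if its Response Authenticator checks out."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if ident != expected_ident or not hmac.compare_digest(auth, expected):
        return None
    return code
```

The Response Authenticator check on the NAS side is what stops a host that
does not know the shared secret from answering with a forged Access-Accept,
and a wrong secret on either side shows up as a Reject or a discarded
response rather than a silent success. The same secret also keys the
password hiding, so each NAS-to-server (and server-to-proxy) pair needs its
own secret.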
The processing of RADIUS requests is usually configured on a
per-realm basis. A realm is a group of users sharing a common realm
component in the Network Access Identifier (NAI) carried in the User-Name
attribute of the RADIUS request (for example, "example.org" is the realm
component of "username@example.org"). Because the realm is taken from the
identity the user supplies, the handling configured for user names with
no realm and for unknown realms determines where those credentials are
sent.
In Figure 1-1, a sample
Internet Service Provider (ISP) uses four AAA servers to handle user
requests. User organizations are grouped into realms. Each user connects
to one of the ISP's servers through a local Network Access Server
(NAS). The NAS sends a RADIUS Access-Request containing the user's
credentials to one of the AAA servers. The AAA server in turn retrieves
user and policy information from the repository specified for the
user's realm. The repository can be flat text files associated with the
AAA server, an external database or LDAP server, or the HP-UX (Unix)
user repository.
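Realm extraction and per-realm dispatch, as an added example covering the
realm definition above and the realm-to-repository lookup in Figure 1-1
(this is illustration code, not the HP-UX AAA Server's configuration
format or implementation): the realm is taken from the User-Name,
normalized, validated, and looked up in a constructed realm table that
decides between local processing against a repository and proxying to a
remote server. The realm table, the default realm, the repository URL and
the proxy target are assumptions for illustration.

```python
import re

# Constructed realm table: a hypothetical layout for illustration, not the
# product's own configuration syntax.
REALMS = {
    "example.org": {"action": "local", "repository": "ldap://ldap1.example.org"},
    "partner.net": {"action": "proxy", "target": "radius.partner.net"},
}
DEFAULT_REALM = "example.org"  # applied to user names that carry no realm

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_nai(user_name):
    """Return (user, realm) from an NAI; realm is None for a bare user name.

    RFC 4282 allows exactly one '@'. A second '@' is rejected instead of
    being resolved by a first-vs-last '@' convention, because the two
    conventions would route the same request to different realms.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.partition("@")
    if not user or not realm or "@" in realm:
        raise ValueError("malformed NAI")
    realm = realm.lower()  # realm names are case-insensitive domain names
    if not all(_LABEL.match(label) for label in realm.split(".")):
        # Also keeps '..', '/' and similar out of any per-realm file or DN lookup.
        raise ValueError("malformed realm")
    return user, realm


def route_request(user_name, realms=REALMS, default_realm=DEFAULT_REALM):
    """Decide how an Access-Request for user_name is handled."""
    try:
        user, realm = split_nai(user_name)
    except ValueError as exc:
        return {"action": "reject", "reason": str(exc)}
    if realm is None:
        realm = default_realm
    cfg = realms.get(realm)
    if cfg is None:
        # Unknown realm: reject explicitly rather than fall through to a
        # catch-all proxy that would forward the credentials elsewhere.
        return {"action": "reject", "reason": "no configuration for realm " + realm}
    decision = dict(cfg)
    decision.update(user=user, realm=realm)
    return decision
```

The two choices that matter operationally are made explicit here: a bare
user name goes to a named default realm, and a realm with no entry is
rejected instead of being proxied somewhere by default. Whatever the
product's configuration offers for those cases, it is worth checking that
both are set deliberately.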
When authenticating users stored in replicated LDAP directory
servers or databases, the server can be configured to load-balance
across the replicas and fail over between them, for greater scalability
and availability.