Remote Authentication Dial In User Service (RADIUS) is a protocol commonly used by remote-access equipment (VPN gateways, wireless controllers, switch ports) to hand off authentication, authorization, and accounting to a central server.
Accessing the RADIUS service
The RADIUS service listens on the standard UDP ports defined by RFC 2865 (authentication) and RFC 2866 (accounting). Both the IANA-assigned port numbers and the unofficial legacy port numbers are supported, so a client may be configured with either pair; firewall rules between the client and the server must allow whichever pair is in use.
Service | Legacy Port | IANA-Assigned Port |
---|---|---|
Authentication | 1645 | 1812 |
Accounting | 1646 | 1813 |
For a client to connect, a profile for that client must exist in the configuration of the RADIUS server. The profile contains the IP address from which the client's requests will arrive and a pre-defined shared secret. The secret itself never crosses the wire: it keys the hiding of the User-Password attribute and the Response Authenticator that lets the client check each reply. The server silently discards requests from addresses it has no profile for, and a mismatched secret causes every authentication to fail, so check both first when a new client cannot authenticate. Treat the secret like a password: long, random, and unique to each client.
Supported authentication types
At this time, the following authentication types are supported:
Auth Type | Description | Note |
---|---|---|
PAP | Password Authentication Protocol | The client sends the password hidden only by an MD5 keystream derived from the shared secret and the cleartext Request Authenticator (RFC 2865 section 5.2); anyone on the path who knows or cracks the secret recovers it. PAP should only be used on controlled/trusted networks. |
MSCHAPv2 | Microsoft Challenge-Handshake Authentication Protocol, version 2 | Microsoft implementation of CHAP, not to be confused with NTLMv2. |
EAP | Extensible Authentication Protocol | A framework for implementing additional protocols. |
Standard CHAP is not supported because it requires passwords stored with reversible encryption in AD-DS. MSCHAPv1 is likewise not supported because it requires LAN Manager-compatible password hashes in AD-DS, which are not stored by default.
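As an added worked example (not part of the original page, and not Stanford's or Microsoft's code), the Python below ties together the client profile described above and the PAP note in the table. It builds an Access-Request with a hidden User-Password, has a minimal server recover the password and answer with a Response Authenticator, and shows both why the shared secret is the only thing protecting a PAP password on the wire and why a reply forged without the secret fails verification. The shared secret `testing123`, the user `alice`, the password `correct horse` and the NAS address `10.0.0.5` are constructed values for the demonstration; the packet layout and hiding scheme follow RFC 2865.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 s4 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # RFC 2865 s5 attribute types

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password still occupies one block
    padded, out, prev = password + b"\x00" * pad, bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password. The Request Authenticator is sent in the clear,
    so the shared secret is all that stands between a capture and the password."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return bytes(out).rstrip(b"\x00")  # drop the null padding

def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Client (NAS) side: an Access-Request carrying PAP credentials."""
    if request_auth is None:
        request_auth = secrets.token_bytes(16)  # must be unpredictable and fresh per request
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet):
    """Return [(type, value), ...], refusing truncated or overlong attributes."""
    attrs, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    if end != len(packet):
        raise ValueError("Length field does not match datagram size")
    while pos < end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_response(code, request, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    (RFC 2865 s3); only a holder of the secret can produce or check it."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client side: accept a reply only if it answers our Identifier, its Length is
    consistent, and its Response Authenticator was computed with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def server_handle(request, secret, user_db):
    """Server step for PAP: recover the password, check it, answer Accept or Reject."""
    if request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(parse_attributes(request))
    password = unhide_password(a[USER_PASSWORD], secret, request[4:20])
    ok = user_db.get(a.get(USER_NAME)) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def demo():
    secret = b"testing123"                  # constructed shared secret from the client profile
    user_db = {b"alice": b"correct horse"}  # constructed stand-in for the directory
    req = build_access_request(7, b"alice", b"correct horse", secret, "10.0.0.5")
    resp = server_handle(req, secret, user_db)
    # Anyone who captured req and knows the secret gets the password back (the PAP caveat):
    leaked = unhide_password(dict(parse_attributes(req))[USER_PASSWORD], secret, req[4:20])
    # A forged Access-Accept from a party without the secret does not verify:
    forged = build_response(ACCESS_ACCEPT, req, b"not-the-secret")
    return resp[0], verify_response(resp, req, secret), leaked, verify_response(forged, req, secret)
```

Calling `demo()` returns `(2, True, b'correct horse', False)`: an Access-Accept that verifies, the password recovered from the captured request with nothing but the shared secret, and a forged Accept that does not verify. Only the Request Authenticator varies per request; the secret is static, which is why the page restricts PAP to trusted networks and why the EAP methods below, which carry the credential exchange inside TLS, are preferred. The optional Message-Authenticator attribute (RFC 2869) that adds an HMAC over the request is not shown.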
Extensible authentication protocol and protected extensible authentication protocol
Additional authentication protocols can be implemented using the EAPHost API. Two ship with the RADIUS server: EAP-MSCHAPv2 and EAP-TLS. Protected EAP (PEAP) means that the EAP exchange between the supplicant (client) and the authentication server is encapsulated in a TLS tunnel, so the inner method's handshake (for example the MSCHAPv2 challenge/response, which can be attacked offline if captured) is never exposed on the access network. That protection depends on the supplicant validating the server's certificate: a client configured to skip the check will complete the inner handshake with any rogue access point that presents a certificate. The EAP-based methods are generally more secure than the non-EAP methods and should be used where possible.
University IT provides more information on Stanford’s wireless networks and eduroam as well as the Stanford VPN.