Remote Authentication Dial in User Service (RADIUS) is a protocol commonly used by remote-access equipment for authentication, authorization, and accounting.
Accessing the RADIUS service
The RADIUS authentication services use the standard access ports defined by RFC 2865 and 2866. Both the IANA-assigned port numbers and the unofficial legacy port numbers are supported.
|Protocol|Legacy Port|IANA-Assigned Port|
|---|---|---|
|Authentication (RFC 2865)|1645/udp|1812/udp|
|Accounting (RFC 2866)|1646/udp|1813/udp|
For a client to connect, a profile for that client must exist in the configuration of the RADIUS server. This profile contains the IP address of the client and a pre-defined shared secret for sending messages.
Supported authentication types
At this time, the following authentication types are supported:
|Type|Name|Notes|
|---|---|---|
|PAP|Password Authentication Protocol|PAP should only be used on controlled/trusted networks.|
|MSCHAPv2|Microsoft Challenge-Handshake Authentication Protocol, version 2|Microsoft implementation of CHAP, not to be confused with NTLMv2.|
|EAP|Extensible Authentication Protocol|A framework for implementing additional protocols.|
Standard CHAP is not supported because it requires passwords stored with reversible encryption in AD DS. MSCHAPv1 is likewise not supported because it requires LAN Manager-compatible password hashes in AD DS.
Extensible authentication protocol and protected extensible authentication protocol
Additional authentication protocols can be implemented using the EAPHost API. Two ship with the RADIUS server: EAP-MSCHAPv2 and EAP-TLS. Protected EAP (PEAP) means that the EAP traffic between the supplicant (client) and the authentication server is encapsulated in a TLS-encrypted tunnel. The EAP-based authentication protocols are generally more secure than the non-EAP methods and should be used where possible.