RADIUS Protocol
Applies To: Windows Server 2008, Windows Server 2008 R2
RADIUS is an industry standard protocol described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2865, “Remote Authentication Dial-in User Service (RADIUS),” and RFC 2866, “RADIUS Accounting.” RADIUS is used to provide authentication, authorization, and accounting services.
In this section
During the network connection attempt by a client computer or other device, a RADIUS client, such as a virtual private network (VPN) server or wireless access point, sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers.
Important
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some older network access servers (NASs) might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages.
NPS can receive RADIUS messages on any configurable set of ports. By default, NPS monitors for, receives, and sends RADIUS traffic on the following UDP ports: 1812 and 1645 for RADIUS authentication messages and 1813 and 1646 for RADIUS accounting messages. Exactly one RADIUS message is encapsulated in the UDP payload.
RADIUS message format
The following section provides information that might be useful for the following:
Understanding a Network Monitor capture.
Understanding the different message formats for analyzing the accounting log.
Entering vendor-specific attribute (VSA) numbers.
General packet structure
The figure, “General Structure of RADIUS Packet,” provides a summary of the data structure of a RADIUS packet. The RADIUS client or server sends the fields from top to bottom, or from the Code field in vertical order to the Attributes field.
General Structure of RADIUS Packet
Code field
The Code field is 1 byte long and indicates the type of RADIUS message. A message with a Code field that is not valid is silently discarded. The defined values for the RADIUS Code field are listed in the following table.
Codes (Decimal) | Packets |
---|---|
1 |
Access-Request |
2 |
Access-Accept |
3 |
Access-Reject |
4 |
Accounting-Request |
5 |
Accounting-Response |
11 |
Access-Challenge |
12 |
Status-Server (experimental) |
13 |
Status-Client (experimental) |
255 |
Reserved |
Identifier field
The Identifier field is 1 byte long and is used to match a request with its corresponding response.
Length field
The Length field is two octets long and indicates the entire length of the RADIUS message, including the Code, Identifier, Length, and Authenticator fields, and the RADIUS attributes. The Length field can vary from 20 to 4,096 bytes.
Authenticator field
The Authenticator field is 16 octets long and contains the information that the RADIUS client and server use to verify that the message came from a computer that is configured with a common shared secret.
Attributes section
The Attributes section of the RADIUS message contains one or more RADIUS attributes, which carry the specific authentication, authorization, information, and configuration details for RADIUS messages.
RADIUS message example
A Windows Server 2003 Point-to-Point Tunneling Protocol (PPTP) client attempts a remote access connection to a Windows Server 2003 VPN server. The VPN server is at the IP address 10.10.210.13, and the NPS server is at the IP address 10.10.210.12.
Access-Request message
The following Network Monitor capture display shows the Access-Request message sent by the VPN server to the NPS server.
+ IP: ID = 0x850; Proto = UDP; Len: 248
+ UDP: Src Port: Unknown, (1327); Dst Port: Unknown (1812); Length = 228 (0xE4)
RADIUS: Message Type: Access Request(1)
RADIUS: Message Type = Access Request
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 8A 6F DC 03 23 5F 4B 62 CA 40 92 38 DC 75
CB 74
RADIUS: Attribute Type: NAS IP Address(4)
RADIUS: Attribute type = NAS IP Address
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS IP address = 10.10.210.13
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: NAS Port(5)
RADIUS: Attribute type = NAS Port
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port = 32 (0x20)
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 12 (0xC)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 18 (0x12)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = MSRASV5.00
RADIUS: Attribute Type: NAS Port Type(61)
RADIUS: Attribute type = NAS Port Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: NAS port type = Virtual
RADIUS: Attribute Type: Tunnel Type(64)
RADIUS: Attribute type = Tunnel Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel type = Point-to-Point Tunneling Protocol(PPTP)
RADIUS: Attribute Type: Tunnel Media Type(65)
RADIUS: Attribute type = Tunnel Media Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Tag = 0 (0x0)
RADIUS: Tunnel media type = IP (IP version 4)
RADIUS: Attribute Type: Calling Station ID(31)
RADIUS: Attribute type = Calling Station ID
RADIUS: Attribute length = 14 (0xE)
RADIUS: Calling station ID = 10.10.14.226
RADIUS: Attribute Type: Tunnel Client Endpoint(66)
RADIUS: Attribute type = Tunnel Client Endpoint
RADIUS: Attribute length = 14 (0xE)
RADIUS: Tunnel client endpoint = 10.10.14.226
RADIUS: Attribute Type: User Name(1)
RADIUS: Attribute type = User Name
RADIUS: Attribute length = 18 (0x12)
RADIUS: User name = NTRESKIT\johndoe
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 24 (0x18)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _+-_e_$+fN<N
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 58 (0x3A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _4
The RADIUS attributes sent by the VPN server include the framed protocol, the service type, the class, various tunnel attributes for the PPTP connection, and a series of vendor-specific attributes (VSA)s for Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) authentication. For more information about Microsoft vendor-specific RADIUS attributes, see RFC 2548.
Access-Accept message
The following Network Monitor output shows the Access-Accept message sent by the NPS server to the VPN server.
+ IP: ID = 0xB18; Proto = UDP; Len: 248
+ UDP: Src Port: Unknown, (1812); Dst Port: Unknown (1327); Length = 228 (0xE4)
RADIUS: Message Type: Access Accept(2)
RADIUS: Message Type = Access Accept
RADIUS: Identifier = 2 (0x2)
RADIUS: Length = 220 (0xDC)
RADIUS: Authenticator = 52 E19 98 2E F8 E2 D3 B7 3B E1 24 5B 72 55 9E
RADIUS: Attribute Type: Framed Protocol(7)
RADIUS: Attribute type = Framed Protocol
RADIUS: Attribute length = 6 (0x6)
RADIUS: Framed protocol = PPP
RADIUS: Attribute Type: Service Type(6)
RADIUS: Attribute type = Service Type
RADIUS: Attribute length = 6 (0x6)
RADIUS: Service type = Framed
RADIUS: Attribute Type: Class(25)
RADIUS: Attribute type = Class
RADIUS: Attribute length = 32 (0x20)
RADIUS: Class = <$_@
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _$_DZ,Sc7__:+RW_t-qxF (-+%p6
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 42 (0x2A)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _$_
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 51 (0x33)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string = _-
RADIUS: Attribute Type: Vendor Specific(26)
RADIUS: Attribute type = Vendor Specific
RADIUS: Attribute length = 21 (0x15)
RADIUS: Vendor ID = 311 (0x137)
RADIUS: Vendor string =
The RADIUS attributes sent by the NPS server include the user name, the service type, the framed protocol, the service class, and a series of VSAs for MS-CHAP v1 authentication.