RADIUS Authentication: Transport Mechanism between Authenticator and Server

RADIUS Authentication Transport Mechanism

Prev Question Next Question


Which transport mechanism is used between a RADIUS authenticator and a RADIUS authentication server?



Click on the arrows to vote for the correct answer

A. B. C. D. E.


The correct answer is A: UDP, with only the password in the Access-Request packet encrypted.

Remote Authentication Dial-In User Service (RADIUS) is a protocol used to provide centralized authentication, authorization, and accounting (AAA) management for network access. It is commonly used in enterprise environments to authenticate users who want to connect to a network.

In a RADIUS system, there are three main components: the RADIUS client, the RADIUS authenticator, and the RADIUS server. The RADIUS client is typically a network access server, such as a switch or router. The RADIUS authenticator sits between the client and the server and is responsible for passing authentication requests and responses between them. The RADIUS server stores user account information and is responsible for authenticating users.

When a user attempts to access the network, the RADIUS client sends an Access-Request message to the RADIUS authenticator. The RADIUS authenticator then forwards the request to the RADIUS server, which verifies the user's credentials and sends a response back to the authenticator. The authenticator then forwards the response to the client, allowing or denying access based on the server's response.

The transport mechanism used between the RADIUS authenticator and the RADIUS server is User Datagram Protocol (UDP), which is a connectionless protocol that operates at the Transport Layer of the OSI model. UDP is used because it is lightweight and provides faster transmission of data than TCP.

In terms of encryption, only the password in the Access-Request packet is encrypted using a one-way hash function, such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA1). This is done to protect the password from being intercepted and read by unauthorized users. The rest of the packet body is not encrypted, which means that it can be read by anyone who intercepts it. However, the RADIUS server and client can be configured to use Transport Layer Security (TLS) to encrypt the entire packet body for added security.

Option B is incorrect because the whole packet body is not encrypted in a standard RADIUS implementation. Option C is incorrect because TCP is not used in RADIUS, and even if it were, only the password in the Access-Request packet would be encrypted. Option D is incorrect because EAPOL is not a transport mechanism used in RADIUS. Option E is incorrect because UDP RADIUS encapsulated in EAP mode enforced by the authentication server is a specific implementation of RADIUS and not the general RADIUS implementation used in most networks.