Overview of Radius Authentication on Windows Server 2008 Example

 

About This Network Configuration Example

This network configuration example (NCE) describes how to configure Windows Server 2008 to authenticate users by using EX Series switches for Protected Extensible Authentication Protocol (PEAP) authentication.

A Radius server is very flexible and secure. It uses complex authentication methods such as LDAP, NTLM, and Kerberos to authenticate users. It uses a central database to secure wired or wireless networks and provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users.

The use case shows how to deploy Network Policy Server (NPS) as the Radius server for an EX4300 switch.

Use Case Overview

Need for a Radius Server

A Radius server maintains user profile information and authenticates and authorizes users when they try to connect to the network. It ensures a secure wired or wireless network. It efficiently manages dial-in access to various Points-Of-Presence (POPs) across its network and provides centralized AAA management.

A Radius server provides more functionality than other authentication protocols. All two-factor authentication vendors and VPN providers support Radius servers. Radius servers are very simple and easy to manage. To activate the Radius server, all you need is the IP address of each network device and a shared secret.

To authenticate and communicate with users, a Radius server uses Extensible Authentication Protocol (EAP). PEAP is the authentication protocol that a Radius server uses to authenticate users by using credentials such as username and password.

Radius servers use the Splitting Authorization and Authentication method to ensure data security.

For more information about the Radius server and authentication workflow, see 802.1X and RADIUS Accounting.

Radius Server Benefits

The Radius server provides the following benefits:

  • Active Directory—Offers complex authentication methods such as LDAP, NTLM, and Kerberos. These authentication methods make sure that when a device tries to authenticate users, it requires valid credentials within Active Directory.

  • Central database—Uses a central database to secure wired or wireless networks and to authenticate users instead of using a pre-shared key.

  • AAA—Provides centralized AAA management. This makes the system incredibly flexible, because it can perform authentication and authorization against any user directory source. This flexibility, combined with a wealth of supported authentication protocols and a variety of client integrations, has kept Radius in high demand.

  • Secure authentication methods—Provides a variety of secure authentication methods that can leverage username or password, PKI certificates, or a combination of both. Based on the results of the authentication and authorization, Radius helps to provide access to the appropriate network gear or networks. When you use Radius with 802.1x, control over access is strong and powerful.

  • Secure directory services—Provides a way to couple Radius with directory services to create a layer of security for wireless networks.

Technical Overview

Understanding Radius Servers

Radius servers manage all authentication requests and use Extensible Authentication Protocol (EAP) to communicate with users. The most popular EAP types are:

  • Protected EAP (PEAP) – Authenticates users by using a username and password.

  • EAP-TLS – Authenticates wireless users.

Radius servers show a certificate to users so that they can verify and confirm that they are communicating with the correct Radius server.

Server Network Topology

Radius architecture makes the network infrastructure secure for wired or wireless users. It uses EAP to authenticate users by using credentials such as username and password.

Figure 1: Radius Server Network Topology