Page 995 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 995
access server). A user can connect to any network access server, which
then passes on the user’s credentials to the RADIUS server to verify
authentication and authorization and to track accounting. In this
context, the network access server is the RADIUS client and a RADIUS
server acts as an authentication server. The RADIUS server also
provides AAA services for multiple remote access servers.
Many internet service providers (ISPs) use RADIUS for
authentication. Users can access the ISP from anywhere and the ISP
server then forwards the user’s connection request to the RADIUS
server.
Organizations can also use RADIUS, and organizations often
implement it with location-based security. For example, if the user
connects with an IP address, the system can use geolocation
technologies to identify the user’s location. While it isn’t as common
today, some users still have Integrated Services Digital Network
(ISDN) lines and use them to connect to VPNs. The RADIUS server
can use callback security for an extra layer of protection. Users call in,
and after authentication, the RADIUS server terminates the
connection and initiates a call back to the user’s predefined phone
number. If a user’s authentication credentials are compromised, the
callback security prevents an attacker from using them.
RADIUS uses the User Datagram Protocol (UDP) and encrypts only
the exchange of the password. It doesn’t encrypt the entire session, but
additional protocols can be used to encrypt the data session. The
current version is defined in RFC 2865.
RADIUS provides AAA services between network access
servers and a shared authentication server. The network access
server is the client of the RADIUS authentication server.
TACACS+
Terminal Access Controller Access-Control System (TACACS) was
introduced as an alternative to RADIUS. Cisco later introduced
extended TACACS (XTACACS) as a proprietary protocol. However,
