< Home

RADIUS Authentication, Authorization, and Accounting Process

A device that functions as a RADIUS client collects user information, including the user name and password, and sends the information to the RADIUS server. The RADIUS server then authenticates users according to the information, after which it performs authorization and accounting for the users. Figure 1 shows the information exchange process between a user, a RADIUS client, and a RADIUS server.

Figure 1 RADIUS authentication, authorization, and accounting process

  1. A user needs to access a network and sends a connection request containing the user name and password to the RADIUS client (device).
  2. The RADIUS client sends a RADIUS Access-Request packet containing the user name and password to the RADIUS server.

  3. The RADIUS server verifies the user identity:

    • If the user identity is valid, the RADIUS server returns an Access-Accept packet to the RADIUS client to permit further operations of the user. The Access-Accept packet contains authorization information because RADIUS provides both authentication and authorization functions.
    • If the user identity is invalid, the RADIUS server returns an Access-Reject packet to the RADIUS client to reject access from the user.
  4. The RADIUS client notifies the user of whether authentication is successful.
  5. The RADIUS client permits or rejects the user access request according to the authentication result. If the access request is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.
  6. The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client and starts accounting.
  7. The user starts to access network resources.
  8. (Optional) If interim accounting is enabled, the RADIUS client periodically sends an Accounting-Request (Interim-update) packet to the RADIUS server, preventing incorrect accounting result caused by unexpected user disconnection.
  9. (Optional) The RADIUS server returns an Accounting-Response (Interim-update) packet and performs interim accounting.
  10. The user sends a logout request.
  11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
  12. The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client and stops accounting.
  13. The RADIUS client notifies the user of the processing result, and the user stops accessing network resources.
Parent Topic: RADIUS AAA
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >