Most of you have already heard of RADIUS and many of you use it in your infrastructure (usually to provide wi-fi or dialup/DSL access). Have you ever wondered what the main difference is between RADIUS and user authentication databases like LDAP (and also what they have in common)? Here are a few points:
- LDAP and RADIUS have something in common. They're both mainly a protocol (more than a database) which uses attributes to carry information back and forth. They're clearly defined in RFC documents, so you can expect products from different vendors to be able to function properly together.
- RADIUS is NOT a database. It's a protocol for asking intelligent questions of a user database. LDAP is just a database. In recent offerings it contains a bit of intelligence (like Roles, Class of Service and so on), but it still is mainly just a rather stupid database. RADIUS (actually RADIUS servers like FreeRADIUS) provides the administrator the tools to not only perform user authentication but also to authorize users based on extremely complex checks and logic. For instance, you can allow access on a specific NAS only if the user belongs to a certain category, is a member of a specific group and an outside script allows access. There's no way to perform any type of such complex decision in a user database.
- RADIUS also includes accounting. That means that you can use accounting history when making authorization decisions and get functionality like quotas (a user is only allowed 4 hours of dialup access per day regardless of how many times he connects).
- With the introduction of Extensible Authentication Protocol (EAP) you can use almost any authentication protocol known to man 🙂
- RADIUS is extensible. You can easily extend the RADIUS schema with attributes of your choice (as long as you have a Vendor number). RADIUS servers are extensible. You can use almost any database for authentication and accounting (LDAP, SQL, password files, outside scripts). The same stands for the LDAP protocol (one of the major factors for its popularity) and for LDAP servers, although they don't get even close to the levels allowed by RADIUS servers.
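As an added illustration (not from the original post or from any RADIUS server's code), here is a small Python model of the authorization logic described above: a NAS-specific restriction, a group check, an outside-script veto, and the 4-hours-per-day quota computed from accounting history and enforced by returning Session-Timeout for whatever time is left. The NAS address, groups and accounting records are constructed sample data.

```python
from datetime import date

# Constructed sample data standing in for a user database and the
# RADIUS accounting log (one record per finished session).
USER_GROUPS = {"alice": {"dialup", "staff"}, "bob": {"guest"}, "carol": {"dialup"}}
ACCOUNTING = [  # User-Name, Acct-Session-Time (seconds), session date
    ("alice", 2 * 3600, date(2024, 1, 10)),
    ("alice", 1 * 3600, date(2024, 1, 10)),   # second connect the same day
    ("alice", 3 * 3600, date(2024, 1, 9)),    # yesterday: does not count
    ("carol", 4 * 3600, date(2024, 1, 10)),
]
TODAY = date(2024, 1, 10)
STAFF_ONLY_NAS = "192.0.2.10"   # hypothetical NAS-IP-Address with a stricter policy
DAILY_QUOTA = 4 * 3600          # 4 hours of access per day, however many sessions

def seconds_used_today(user, today, accounting=ACCOUNTING):
    """Sum Acct-Session-Time over today's sessions for this user."""
    return sum(t for u, t, d in accounting if u == user and d == today)

def default_external_check(request):
    """Stand-in for an outside script; allows everything by default."""
    return True

def authorize(request, today, external_check=default_external_check):
    """Return the RADIUS reply attributes for an Access-Request (a dict)."""
    user = request["User-Name"]
    groups = USER_GROUPS.get(user, set())

    def reject(reason):
        return {"code": "Access-Reject", "Reply-Message": reason}

    # 1. NAS-specific policy: one NAS admits only the "staff" category.
    if request["NAS-IP-Address"] == STAFF_ONLY_NAS and "staff" not in groups:
        return reject("NAS restricted to staff")
    # 2. Group membership.
    if "dialup" not in groups:
        return reject("not a dialup user")
    # 3. An outside script gets a veto.
    if not external_check(request):
        return reject("denied by external check")
    # 4. Quota from accounting history; cap the session at what is left.
    remaining = DAILY_QUOTA - seconds_used_today(user, today)
    if remaining <= 0:
        return reject("daily quota exhausted")
    return {"code": "Access-Accept", "Session-Timeout": remaining}
```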