Before the client starts communicating with the RADIUS server, a secret key must be shared between the client and the server, and the client must be configured to use the RADIUS server to get service.
The following is the process used in a RADIUS-managed login:
Step 1. A user login generates a query (Access-Request) from the AAA client to the
Step 2. A corresponding response (Access-Challenge, Access-Accept, or Access-Reject)
is returned by the server.
The Access-Request packet contains the username, encrypted password, IP address of
the AAA client, and port. The format of the request also provides information on the
type of session that the user wants to initiate. Optionally, if the RADIUS server needs
more information, it can send an Access-Challenge
RADIUS Packet Format
Each RADIUS packet contains the following information:
Code: The code field is one octet; it identifies one of the following types of
■ Access-Request (1)
■ Access-Accept (2)
■ Access-Reject (3)
■ Accounting-Request (4)
■ Accounting-Response (5)
■ Access-Challenge (11)
■ Status-Server (12)
■ Status-Client (13)
■ Reserved (255)
Identifier: The identifier field is one octet; it helps the RADIUS server match requests and responses and detect duplicate requests.
Length: The length field is two octets; it specifies the length of the entire packet.
Request Authenticator: The authenticator field is 16 octets. The most significant octet is transmitted first; it authenticates the reply from the RADIUS server.
Two types of authenticators are as follows:
Request-Authenticator: Available in Access-Request and Accounting-Request packets.
Response-Authenticator: Available in Access-Accept, Access-Reject, Access-Challenge and Accounting-Response packets.
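The following Python example is added here and is not from the original page. It parses the header fields listed above and checks the Response-Authenticator of a reply against the Request-Authenticator and the shared secret. The MD5 construction is the one defined in RFC 2865, not stated on this page; the secret, username and packets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Code values as listed in the packet format section above.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server",
         13: "Status-Client", 255: "Reserved"}
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)


def parse_header(packet: bytes) -> dict:
    """Split a RADIUS packet into its fixed header fields and attribute bytes."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Length covers the entire packet; RFC 2865 bounds it to 20..4096.
    if not HEADER_LEN <= length <= 4096 or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    return {"code": code, "name": CODES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": packet[4:20],
            "attributes": packet[20:length]}  # octets past Length are padding


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Check that a reply matches the request and was built with the shared secret."""
    rep, req = parse_header(reply), parse_header(request)
    if rep["id"] != req["id"]:
        return False  # Identifier ties the reply to the outstanding request
    expected = response_authenticator(rep["code"], rep["id"], rep["attributes"],
                                      req["authenticator"], secret)
    return hmac.compare_digest(expected, rep["authenticator"])


# Constructed sample exchange (not captured traffic).
SECRET = b"constructed-shared-secret"
REQ_ATTRS = b"\x01\x07alice"  # User-Name attribute: type 1, length 7
REQUEST = struct.pack("!BBH", 1, 42, HEADER_LEN + len(REQ_ATTRS)) + os.urandom(16) + REQ_ATTRS
REPLY = (struct.pack("!BBH", 2, 42, HEADER_LEN)
         + response_authenticator(2, 42, b"", REQUEST[4:20], SECRET))
```

A reply whose Code octet is changed in transit, or one built with a different secret, fails `verify_reply`, which is why a client should discard replies that do not verify.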