The RADIUS protocol is widely used in network environments to provide authentication and accounting services to both embedded routers, modem servers, software, and wireless applications. It provides centralized authentication and administration (including configuration) for thousands and sometimes millions of entities. In addition it offers roaming and distributed authentication / accounting through it's ability to proxy requests to other servers regardless of the originating client's location.
The RADIUS protocol provides good protection against common attacks (sniffers and replay) better than LDAP (no protection against sniffers) and TACACS+ which has some subtle security flaws.
The RADIUS protocol is the de-facto standard for authentication by hardware and is uniformly supported as a standard. Changes to the RADIUS protocol generally have minimal (if any) effects on older RADIUS clients and servers. No other protocol has nearly the same support RADIUS enjoys.
The Network Access Server (NAS) is often depicted as a modem server, although that's not necessarily the case. In this document NAS and client are used interchangeably and mean the same thing.
The authentication request packet contain the name and encoded password as well as an identifier for the Network Access Server (NAS) client. Other attributes in the packet may request particular types of server or network connection. The response packets may contain configuration information, idle timeout, session timeout, and variety of other information.
The packet transport mechanism is UDP (User Datagram Protocol) . UDP is connectionless in the sense that the packet is sent without establishing a connection with the receiver (unlike TCP). The consequences of this range from losing packets going to a non-existent server, and losing packets or portions of them along the way. While UDP is an unreliable transport, it is much faster than TCP since there is no setup time to create, verify packet contents, and destroy the connection.
The server may also deliberately not respond to inbound packets. As part of the RADIUS security clients that are unknown to the server do receive responses. The server may not respond for other reasons (e.g. an incorrect Message-Authenticator attribute).
The local RADIUS server may not be able to authenticate a client request directly. In this case the server acts as a proxy and delegates the authentication to another server. There may a chain of proxy servers before the final authentication server is reached. This is usually accomplished by appending a realm to the User-Name attribute. For example if 'Fred' is the User-Name and the final authentication server is called 'someserver.com' the User-Name would be set to 'Fred@someserver.com'. This looks like an email address but there are two important differences. First, it's not Fred's email address, and second the 'someserver.com' isn't necessarily a domain name. Most of the time it is a domain name of a RADIUS server. The Called-Station-Id and the Calling-Station-Id may also contain routing information.