Security and Authentication Mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances the information exchange security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before transmitting them.

A RADIUS server supports multiple user authentication methods. Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services.

Basic Message Exchange Process of RADIUS

Figure 1-2 illustrates the interaction of the host, the RADIUS client, and the RADIUS server.

Figure 1-2 Basic message exchange process of RADIUS
[Figure: Host, RADIUS client, and RADIUS server exchanging: 1) Username and password; 2) Access-Request; 3) Access-Accept/Reject; 4) Accounting-Request (start); 5) Accounting-Response; 6) The host accesses the resources; 7) Accounting-Request (stop); 8) Accounting-Response; 9) Notification of access termination]

The following is how RADIUS operates:

1) The host initiates a connection request carrying the username and password to the RADIUS client.
2) Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
3) The RADIUS server authenticates the username and password. If the authentication succeeds, it sends back an Access-Accept message containing the user’s authorization information. If the authentication fails, it returns an Access-Reject message.
4) The RADIUS client permits or denies the user according to the returned authentication result. If it permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting.
6) The user accesses the network resources.
7) The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.