Network Access Server (NAS)

Every time a user tries to obtain network access, that request is made to a Network Access Server or NAS. These NASes are commonly located at an ISP, and provide dial-up access or broadband services. The NAS may also be a wireless Access Point (AP), at an Internet cafe or airport.

In recent years, the NAS is no longer a stand-alone device offering primarily network access. RADIUS clients are so simple to write that they are in widespread use from FTP servers, to web servers, to Unix or Windows login services. In short, RADIUS can be used almost anywhere user authentication is need.

The role of the NAS is to act as the gateway between the user and the RADIUS server. Everything the NAS does is based on trust relationships, and leveraging those relationships to permit or deny network access to end users. The end user has a trust relationship with the RADIUS server via his user name and password, which the server uses to verify the users identity. The NAS and the server have a trust relationship with each other, similarly based on authentication credentials called "shared secrets". When a user tries to obtain network access, the NAS passes authentication information (e.g. user name and password) back and forth between the user and the RADIUS server. We call this process a RADIUS conversation, and we cover it in more detail below, in the overview page.

Note that the above description relies on the user login to initiate the process. This concept introduces us to the first RADIUS fact:

All RADIUS conversations are initiated by the NAS on behalf of a user.

At some point in the conversation, the RADIUS server either tells the NAS to reject the user and thus deny him network access, or to accept the user, and let them onto the network. The NAS blindly obeys the RADIUS server in these instructions, subject to some caveats outlined below. If the user is allowed on the network, the NAS enforces proper behavior on the user, and no longer communicates with the RADIUS server about that user.