The RADIUS server is commonly a piece of software sitting on a computer (e.g. PC) somewhere in the network. In recent years, companies have started selling RADIUS appliances, where the maintenance and management of the software is simplified for the administrator. Still, the resulting behavior is much the same.

In short, the RADIUS server listens for authentication requests from a NAS, and in return instructions the NAS to either permit or deny the user. That simplified description, however, is complicated by a number of factors, which we outline later in this chapter. First, though, we will cover the behavior of the RADIUS server in more detail.

In order to authenticate the user who is asking for network access, the RADIUS server has to make a number of decisions. These decisions are based on what we call local site policy, and are the subject of much of the remainder of this book. Those policies may be simple, such as accept anyone with a correct user name and password. The policies may be complicated, such as allow basic users to request premium services in non-premium hours, except for Sundays and holidays, so long as their account is up to date.

In all cases, the local administrator has to design, implement, and deploy these policies. This effort may be significant, and few resources have historically existed to help with that process. The majority of this book is devoted to explaining the principles and practices necessary for working with those policies.

Despite all of this effort on the part of the RADIUS server, it may not have enough information about the user to make a final decision. That is, it may need information from the NAS, that the NAS just doesn't send. This problem is most commonly seen when the administrator of a server would like to obtain certain kinds of accounting information from a NAS. If the NAS does not send that information, there is very little that can be done to obtain it.

The RADIUS server cannot control what information the NAS sends in a request.

Once the server has made a final decision, it returns an answer to the NAS, which includes instructions on how to handle the users session. The problem is that the server has no way to know if the NAS has received its instructions, or even if the NAS is obeying those instructions. In this respect, RADIUS is a ``best effort'' protocol, or ``fire and forget''. If the NAS outputs little or no information about what it received, or what it is doing with the servers response, this limitation can make it very difficult to debug a RADIUS installation.

The RADIUS server cannot control whether or not the NAS uses the information it was sent in a reply.

The policies that are implemented by the RADIUS server are generally stored in a database on the RADIUS server, either as flat text files, or for large deployments, in SQL or LDAP. That brings us to the final principal in a RADIUS deployment.