Policy Server Guides › Policy Server Configuration Guide › Using the Policy Server as a RADIUS Server › How RADIUS Authentication Works with the Policy Server

How RADIUS Authentication Works with the Policy Server

The Policy Server authenticates users through a series of communications with the NAS device. When CA SiteMinder® authenticates a user, the NAS provides that user with access to the appropriate network services.

This authentication process is depicted in the following graphic:

1. A user dialing in from a modem attempts to open a connection to the Cisco RAS (a NAS device), which will enable the user to access the Internet.
2. The RAS determines that it must use a RADIUS user profile to authenticate the user.
3. The RAS sends the user connection request to the Policy Server.
4. The Policy Server obtains the user’s name and password using one of the following methods:
   • Authenticates using Password Authentication Protocol (PAP)

     PAP is a PPP authentication protocol that provides a simple method for a host to establish its identity in a two-way handshake. Authentication takes place only upon initial link establishment and does not use encryption.

   • Authenticates using Challenge Handshake Authentication Protocol (CHAP)

     CHAP is also a secure PPP authentication protocol. CHAP provides a way to periodically verify the identity of a host using a three-way handshake and encryption. Authentication takes place upon initial link establishment. The RAS can repeat the authentication process any time after the connection takes place.

   • Authenticates using Security Dynamics ACE/Server or Secure Computing SafeWord server.
5. The Policy Server sends an authentication response to the RAS.
6. One of the following takes place:
   • If authentication is unsuccessful, the RAS refuses the connection.
   • If authentication is successful, the RAS receives a list of attributes from the CA SiteMinder® response that fires upon authentication of the user. The attributes are used as a user profile, which configures the user’s network session.

     The RAS notifies the Policy Server that the session has begun and when the session ends.