RADIUS Server: User Credential Authentication Failure

Action Taken by RADIUS Server

Prev Question Next Question

Question

What action does a RADIUS server take when it cannot authenticate the credentials of a user?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

A.

When a user attempts to authenticate to a network device or service, the device forwards the user's credentials to a RADIUS server for authentication. The RADIUS server compares the credentials against its database of user accounts to determine if the user is authorized to access the requested service. If the credentials match, the RADIUS server sends an Access-Accept message to the network device, and the user is granted access. If the credentials do not match, the RADIUS server takes one of several actions, depending on the configuration.

Option A: An Access-Reject message is sent. This is the most common action taken by a RADIUS server when it cannot authenticate the user's credentials. An Access-Reject message is sent to the network device, which denies the user access to the requested service. This message may include additional information, such as the reason for the rejection.

Option B: An Access-Challenge message is sent, and the user is prompted to re-enter credentials. This action is less common and typically used in situations where the RADIUS server requires additional information from the user to complete the authentication process. An Access-Challenge message is sent to the network device, which prompts the user to re-enter their credentials or provide additional information, such as a token or one-time password. If the user provides the correct information, the RADIUS server sends an Access-Accept message to the network device, and the user is granted access.

Option C: A Reject message is sent. This option is less common and typically used in situations where the RADIUS server cannot authenticate the user's credentials and does not want to provide additional information about the reason for the rejection. A Reject message is sent to the network device, which denies the user access to the requested service.

Option D: A RADIUS start-stop message is sent via the accounting service to disconnect the session. This option is rarely used and typically only in situations where the RADIUS server wants to immediately terminate the user's session. A RADIUS start-stop message is sent to the accounting service, which terminates the user's session and disconnects them from the network.

In summary, when a RADIUS server cannot authenticate the credentials of a user, it typically sends an Access-Reject message to the network device, denying the user access to the requested service. However, other actions, such as sending an Access-Challenge message or a Reject message, may be taken depending on the configuration. Option D is the least common and only used in specific situations where the RADIUS server wants to immediately terminate the user's session.