Feature |
Product |
Release introduced |
---|---|---|
RADIUS Security (RADSec) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
|
7520 Series |
Fabric Engine 8.10 |
|
7720 Series |
Fabric Engine 8.10 |
|
VSP 4900 Series |
VOSS 8.2 |
|
VSP 7400 Series |
VOSS 8.2 |
Remote Access Dial-In User Services (RADIUS) Security (RADSec) provides secure communication between RADIUS peers using Transport Layer Security (TLS) encryption over Transmission Control Protocol (TCP), or Datagram Transport Layer Security (DTLS) encryption over User Datagram Protocol (UDP).
RADSec peers use certificates to establish trust relationships. Certificates are specified in the RADSec profile on the switch, which can be the default profile or a profile that you configure. You must configure the client and secure server with the same certificate authority (CA) certificate file, server certificate, certificate key file and password to establish a RADSec connection. The password is used for packet encryption and decryption.
You can configure the RADSec security mode to use the TLS protocol or DTLS protocol. Both TLS and DTLS modes support IPv4 addresses, but IPv6 addresses are supported only by TLS mode.
Important
tls default{ ... TlsVersion TLS1_2 }
RADSec uses radsecproxy to encrypt packets sent between RADIUS clients and a secure server. A radsecproxy process starts when RADIUS and secure-mode are enabled both globally and for the current server. Radsecproxy uses multiple instances on the switch, one for each security-configured RADIUS server. The maximum number of radsecproxy instances is 10, which is equivalent to the maximum number of RADIUS servers you can configure on the switch.
Note
As a best practice, use radsecproxy version 1.9.1 or later. Using an earlier version of radsecproxy can result in authentication failures.
The following events cause all radsecproxy processes to restart:
The following changes only affect a radsecproxy instance and result only in the associated process restarting:
A RADSec profile configuration change causes all processes associated with the profile to restart.
A RADSec process automatically stops when the corresponding RADIUS server entry is deleted, or if RADIUS or secure mode is disabled for the server.
If one of the global RADIUS flags (radius state, radius secure state) is disabled, all radsecproxy instances stop.