RADSec

Table 1. RADSec product support

| Feature | Product | Release introduced |
|---|---|---|
| RADIUS Security (RADSec) | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.2 |
| | VSP 7400 Series | VOSS 8.2 |

Remote Access Dial-In User Services (RADIUS) Security (RADSec) provides secure communication between RADIUS peers using Transport Layer Security (TLS) encryption over Transmission Control Protocol (TCP), or Datagram Transport Layer Security (DTLS) encryption over User Datagram Protocol (UDP).

RADSec peers use certificates to establish trust relationships. Certificates are specified in the RADSec profile on the switch, which can be the default profile or a profile that you configure. You must configure the client and secure server with the same certificate authority (CA) certificate file, server certificate, certificate key file and password to establish a RADSec connection. The password is used for packet encryption and decryption.

You can configure the RADSec security mode to use the TLS protocol or DTLS protocol. Both TLS and DTLS modes support IPv4 addresses, but IPv6 addresses are supported only by TLS mode.

Important

To avoid TLS handshake issues if the switch and the RADSec proxy server run different versions of OpenSSL, manually force TLS version 1.2 negotiation through the RADSec proxy by adding the following text to the radsecproxy.conf configuration file:

tls default {
     ...
     TlsVersion TLS1_2
}

RADSec uses radsecproxy to encrypt packets sent between RADIUS clients and a secure server. A radsecproxy process starts when RADIUS and secure-mode are enabled both globally and for the current server. Radsecproxy uses multiple instances on the switch, one for each security-configured RADIUS server. The maximum number of radsecproxy instances is 10, which is equivalent to the maximum number of RADIUS servers you can configure on the switch.

Note

As a best practice, use radsecproxy version 1.9.1 or later. Using an earlier version of radsecproxy can result in authentication failures.
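One way to check a proxy-side radsecproxy.conf against the two notes above (the TLS1_2 pin and the 1.9.1 minimum version), as an added example that is not vendor or radsecproxy project code. The sample configuration, its block names, the file paths, and the function names are constructed for illustration.

```python
import re

# Block header as radsecproxy.conf writes it: "tls <name> {" (also accepts "tls <name>{")
BLOCK_RE = re.compile(r"^\s*tls\s+(\S+?)\s*\{\s*$", re.IGNORECASE)
OPTION_RE = re.compile(r"^\s*TlsVersion\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# constructed sample
tls default {
    CACertificateFile /etc/radsecproxy/ca.pem
    TlsVersion TLS1_2
}
tls legacy {
    CACertificateFile /etc/radsecproxy/ca.pem
}
tls mixed {
    TlsVersion TLS1_2:TLS1_3
}
"""

def audit_tls_blocks(conf_text, required="TLS1_2"):
    """Return {block_name: status}; status is 'pinned', 'missing' or 'other:<value>'."""
    results, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop '#' comments
        if current is None:
            m = BLOCK_RE.match(line)
            if m:                                  # entering a tls block
                current = m.group(1)
                results[current] = "missing"       # until a TlsVersion line is seen
            continue
        if line.strip() == "}":                    # leaving the block
            current = None
            continue
        m = OPTION_RE.match(line)
        if m:
            value = m.group(1)
            results[current] = "pinned" if value.upper() == required else "other:" + value
    return results

def version_at_least(found, minimum="1.9.1"):
    """Compare dotted version strings numerically, so 1.10.0 ranks above 1.9.1."""
    as_tuple = lambda v: tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return as_tuple(found) >= as_tuple(minimum)

if __name__ == "__main__":
    for name, status in audit_tls_blocks(SAMPLE_CONF).items():
        print(f"tls {name}: {status}")
```

A block reported as missing or other: does not force TLS 1.2 negotiation and is a candidate cause when handshakes with the switch fail.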

The following events cause all radsecproxy processes to restart:

The following changes only affect a radsecproxy instance and result only in the associated process restarting:

A RADSec profile configuration change causes all processes associated with the profile to restart.

A RADSec process automatically stops when the corresponding RADIUS server entry is deleted, or if RADIUS or secure mode is disabled for the server.

If one of the global RADIUS flags (radius state, radius secure state) is disabled, all radsecproxy instances stop.