RADIUS over TLS
This chapter introduces Remote Authentication Dial In User Service (RADIUS) over Transport Layer Security (TLS), an option for transporting RADIUS packets over the secure, reliable, and connection-oriented TLS protocol as defined by RFC 6614.
Using RADIUS over TLS enables dynamic trust relationships between RADIUS servers. Up to eight (8) RADIUS servers are configurable. If all servers are configured as User Datagram Protocol (UDP), a round-robin algorithm determines which UDP server the initial transmission is sent to. If more than one TLS server is live, the highest-priority TLS server is chosen for the first transmission.
When a RADIUS server is configured for TLS:
- The destination port is 2083/TCP (radsec).
- The RADIUS shared secret is radsec.
- The TLS connection is authenticated using X.509 certificates.
When a mixture of UDP and TLS servers is configured, TLS takes priority. The UDP servers are used only if all TLS servers are down.
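As an added illustration that is not part of this chapter or the product's own code, the following Python model implements the server-selection rules described above (round-robin for an all-UDP list, highest-priority live TLS server otherwise, UDP fallback only when every TLS server is down). The `RadiusServer` and `ServerSelector` names, the eight-server limit check, and the convention that a larger `priority` value wins are assumptions for the example; the page does not define the priority scale.

```python
from dataclasses import dataclass
from itertools import cycle

RADSEC_PORT = 2083                 # RFC 6614: RADIUS/TLS is carried on TCP port 2083
RADSEC_SHARED_SECRET = b"radsec"   # RFC 6614 fixed shared secret; confidentiality comes from TLS
MAX_SERVERS = 8                    # configurable server limit stated in the chapter


@dataclass
class RadiusServer:
    host: str
    transport: str        # "udp" or "tls"
    priority: int = 0     # assumed: larger value = higher priority (scale not defined on the page)
    alive: bool = True    # liveness as determined by the operator's health checks
    port: int = 1812      # plain RADIUS authentication port; overridden for TLS below


class ServerSelector:
    """Chooses the target of the initial RADIUS transmission per the rules above."""

    def __init__(self, servers):
        if len(servers) > MAX_SERVERS:
            raise ValueError(f"at most {MAX_SERVERS} RADIUS servers are configurable")
        self.servers = list(servers)
        for srv in self.servers:
            if srv.transport == "tls":
                srv.port = RADSEC_PORT      # TLS servers always use 2083/TCP (radsec)
            elif srv.transport != "udp":
                raise ValueError(f"unknown transport {srv.transport!r} for {srv.host}")
        # Round-robin iterator over the UDP servers, in configured order.
        self._udp_cycle = cycle([s for s in self.servers if s.transport == "udp"])

    def select(self):
        """Return the server for the first transmission, or None if nothing is usable."""
        live_tls = [s for s in self.servers if s.transport == "tls" and s.alive]
        if live_tls:
            # TLS takes priority over UDP; among live TLS servers the highest priority wins.
            return max(live_tls, key=lambda s: s.priority)
        if not any(s.transport == "udp" for s in self.servers):
            return None                     # only TLS servers configured and all are down
        # All-UDP configuration, or every TLS server is down: round-robin across UDP servers.
        return next(self._udp_cycle)


if __name__ == "__main__":
    # Constructed sample configuration: two UDP servers and two TLS servers.
    sel = ServerSelector([RadiusServer("udp-a", "udp"), RadiusServer("udp-b", "udp"),
                          RadiusServer("tls-a", "tls", priority=1),
                          RadiusServer("tls-b", "tls", priority=5)])
    print("first transmission goes to", sel.select().host, "port", sel.select().port)
```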