Common Criteria mode requires that devices support NDcPP version 2.1. This protection profile requires that the device's communication with AAA servers take place over a TLS session.
Even though you can configure multiple TLS-enabled TACACS+ or RADIUS servers, only one connection can be active at any time due to system limitations. If a second TLS-enabled TACACS+ or RADIUS session is attempted while the first TACACS+ or RADIUS session is open, the connection attempt is rejected.
Additionally, because the TACACS+ or RADIUS server may accept only a single TACACS+ or RADIUS session over the TCP or TLS connection, it is recommended that you use this connection for authentication only.
When the device is in Common Criteria Operational mode and has been configured with a TLS-enabled TACACS+ or RADIUS server for authentication, only one administrator is able to administer the device at a time. In addition, accounting and authorization using the TLS-enabled TACACS+ or RADIUS server are disabled.
Following are the configuration commands to configure and use a RADIUS server over a secure port.
device(config)# aaa authentication login default radius
device(config)# aaa authorization commands 0 default radius
device(config)# aaa accounting commands 0 default start-stop radius
device(config)# radius-server host 10.24.12.107 ssl-auth-port 2083 default key Pass@123
In the radius-server host command, 10.24.12.107 is the IP address of the RADIUS server listening on secure port 2083, and Pass@123 is the shared secret configured on the server. Refer to the section on configuring a RADIUS server with TLS support for details on the server configuration.
When the RADIUS timeout is not configured, the default timeout of 3 seconds is used to establish a connection to the server. When you use stunnel as a TLS proxy between the device and the RADIUS server, the proxied connection takes longer to establish, so increase the timeout to at least 6 seconds:
device(config)# radius-server timeout 6
Note
You can modify the default Common Criteria policy to allow a non-TLS TACACS+ or RADIUS server, but this will make the device noncompliant with Common Criteria requirements.
Following are the configuration commands to configure and use a TACACS+ server over a secure port.
device(config)# aaa authentication login default tacacs+ local
device(config)# aaa authentication login privilege-mode
device(config)# tacacs-server host 10.24.12.107 ssl-auth-port 60591 authentication-only key My$ecret123
device(config)# tacacs-server timeout 15
10.24.12.107 is the TACACS+ server listening on TLS port 60591 and configured with the secret key My$ecret123. Unlike RADIUS, the TACACS+ server has not been validated with native TLS support on the server side; instead, an stunnel proxy was used to terminate TLS in front of it. The maximum recommended TACACS+ connection timeout is 15 seconds.
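The stunnel configuration below is an added example and is not part of this guide; it shows how a TLS proxy can be placed in front of a TACACS+ server that has no native TLS support, which is the arrangement described above and the reason the RADIUS and TACACS+ timeouts are raised. It assumes the cleartext TACACS+ daemon listens on 127.0.0.1:49 on the same host as stunnel, that the server certificate, private key and CA bundle are at the paths shown, and that the switch presents a client certificate issued by that CA. The accept port 60591 matches the tacacs-server host command above.

```ini
; /etc/stunnel/tacacs-tls.conf  (added example; paths and ports are assumptions)
; Global options
pid = /var/run/stunnel-tacacs.pid
; Restrict the proxy to TLS 1.2; older protocol versions are not offered
sslVersion = TLSv1.2

; Service: terminate TLS from the switch and forward to the local TACACS+ daemon
[tacacs-tls]
; TLS port the switch connects to (tacacs-server host ... ssl-auth-port 60591)
accept = 60591
; Cleartext leg stays on the loopback interface only
connect = 127.0.0.1:49
; Server certificate and key presented to the switch
cert = /etc/stunnel/tacacs-server.pem
key = /etc/stunnel/tacacs-server.key
; CA that issued the switch's client certificate
CAfile = /etc/stunnel/aaa-ca.pem
; Level 2: require the switch's client certificate and verify its chain
verify = 2
```

Keep the connect target on the loopback address so the TACACS+ secret and session data never leave the host in cleartext, and check that the certificate in cert carries an authorityInfoAccess OCSP URI the switch can reach, since the switch rejects a certificate whose revocation status it cannot determine.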
More than one server can be configured on the device for both RADIUS and TACACS+. The device tries them in the order in which they were configured; once it connects to a server, it does not attempt the subsequent servers.
authorityInfoAccess extension is present and indicates that the accessMethod to use is OCSP (1.3.6.1.5.5.7.48.1), specifying the accessLocation, which is the URI of the OCSP responder. Only when the revocation status is 'good' will the certificate be accepted. When the switch cannot establish a connection to determine the validity of a certificate, it will not accept the certificate. If the digital certificate does not have an authorityInfoAccess extension with an OCSP URI, then no revocation check is performed on that certificate.
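As an added example that is not part of this guide, the following Python code implements the decision rule described above: it parses the DER-encoded authorityInfoAccess extension value, picks out the accessLocation URI of each AccessDescription whose accessMethod is id-ad-ocsp (1.3.6.1.5.5.7.48.1), and accepts a certificate only when the responder answers 'good', rejecting it when the responder cannot be reached and performing no check when no OCSP URI is present. The sample extension bytes, the hostnames in them and the responder callbacks are constructed for the example; a real deployment would take the extension from the peer certificate and the status from an OCSP request.

```python
"""Added example (not from the guide): OCSP-URI extraction from an
authorityInfoAccess extension and the accept/reject rule described above."""
from typing import Callable, List, Optional, Tuple

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"   # id-ad-ocsp
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86   # GeneralName uniformResourceIdentifier: context tag [6], primitive


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _decode_oid(raw: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def ocsp_uris(aia_der: bytes) -> List[str]:
    """Return the accessLocation URI of every AccessDescription whose accessMethod is id-ad-ocsp."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("authorityInfoAccess must be a SEQUENCE OF AccessDescription")
    uris = []
    pos = 0
    while pos < len(body):
        tag, access_desc, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        method_tag, method, loc_pos = _read_tlv(access_desc, 0)
        loc_tag, location, _ = _read_tlv(access_desc, loc_pos)
        if method_tag == TAG_OID and _decode_oid(method) == OID_AD_OCSP and loc_tag == TAG_URI:
            uris.append(location.decode("ascii"))
    return uris


def accept_certificate(aia_der: Optional[bytes],
                       query_responder: Callable[[str], str]) -> Tuple[bool, str]:
    """Apply the switch's rule. query_responder(uri) returns the OCSP certStatus
    ('good', 'revoked' or 'unknown') or raises OSError when the responder is unreachable."""
    uris = ocsp_uris(aia_der) if aia_der is not None else []
    if not uris:
        return True, "no-ocsp-uri"          # no revocation check; other validation still applies
    try:
        status = query_responder(uris[0])
    except OSError:
        return False, "responder-unreachable"   # validity cannot be determined: reject
    if status == "good":
        return True, "ocsp-good"
    return False, "ocsp-" + status          # 'revoked' or 'unknown' is not 'good': reject


# Constructed sample: an AIA extension carrying a caIssuers entry and an OCSP entry.
# OID bodies: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers) and 1.3.6.1.5.5.7.48.1 (id-ad-ocsp).
SAMPLE_AIA = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, _tlv(TAG_OID, b"\x2b\x06\x01\x05\x05\x07\x30\x02")
                       + _tlv(TAG_URI, b"http://ca.example.test/issuer.cer"))
    + _tlv(TAG_SEQUENCE, _tlv(TAG_OID, b"\x2b\x06\x01\x05\x05\x07\x30\x01")
                         + _tlv(TAG_URI, b"http://ocsp.example.test")))


def unreachable_responder(uri: str) -> str:
    """Stand-in for a responder the switch cannot connect to."""
    raise ConnectionError("no route to " + uri)


if __name__ == "__main__":
    print(ocsp_uris(SAMPLE_AIA))
    print(accept_certificate(SAMPLE_AIA, lambda uri: "good"))
    print(accept_certificate(SAMPLE_AIA, lambda uri: "revoked"))
    print(accept_certificate(SAMPLE_AIA, unreachable_responder))
    print(accept_certificate(None, lambda uri: "good"))
```

The responder is injected as a callback so the fail-closed branch (connection failure rejects the certificate) can be exercised offline; note that an 'unknown' answer from the responder is treated exactly like 'revoked', since the rule accepts only 'good'.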