Install or import the certificates.
At least one RADIUS server must be configured on the device using the radius-server host
command.
To configure Mutual Authentication do the following:
-
Import the RADIUS client certificate. Use the following
command.
crypto ca import-pkcs type pkcs12 cert-type radius-client protocol FTP directory /mydir-name file /myfile-name source-ip 10.9.9.2 user user-name password password
-
Import the RADIUS server CA certificates.
crypto import radiusca directory /mydir-name file /myfile-name host 10.11.12.13 user user-name password password
-
Configure the RADIUS server and AAA authentication. Navigate to the global configuration
mode. This configures a RADIUS server with IP 10.11.12.13 with port 2083.
SLX (config)# radius-server host 10.11.12.13 use-vrf mgmt-vrf
SLX (config)# auth-port 2083.
-
Enable RADIUS security.
-
Configure AAA globally.
SLX(config)# aaa authentication login radius local-auth-fallback
The following example shows the complete configuration of RADIUS server for Mutual
Authentication.
SLX # configure terminal
SLX (config) #
SLX(config)# radius-server host 10.11.12.13 use-vrf mgmt-vrf
SLX(config)# auth-port 2083
SLX(config)# key "pdyVKkn793k+DpLf54iiEw==\n"
SLX(config)# encryption-level 7
SLX(config)# radsec
SLX(config)# aaa authentication login radius local-auth-fallback
SLX(config)# aaa accounting exec default start-stop none
SLX(config)# aaa accounting commands default start-stop none
SLX(config)# aaa authorization command none
