Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure RADIUS over TLS, also known as RADSEC, to redirect regular RADIUS traffic to remote RADIUS servers connected over TLS. The TLS connection provides encryption, authentication, and data integrity for the exchange of RADIUS messages.

To configure RADIUS over TLS, you need to configure the RADSEC server as a destination for RADIUS traffic. Traffic that is destined for a RADIUS server can then be redirected to the RADSEC destination. RADSEC destinations are identified by a unique numeric ID. You can configure multiple RADSEC destinations with different parameters pointing to the same RADSEC server.​

TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between the RADSEC client and server. The RADSEC destination uses local certificates that are dynamically acquired from the Junos PKI infrastructure.

To enable RADSEC, you must specify the name of the local certificate. If a certificate is not available, or if the certificate was revoked, the RADSEC destination attempts to retrieve it every 300 seconds.


RADSEC is not enabled by default.


destination id-number

Globally unique ID number for the RADSEC destination.

  • Range: 1 through 65535

address ip-address

Specify the IP address of the RADSEC server.

id-reuse-timeout seconds

Configure the number of seconds after which the RADIUS ID field value can be reused.

  • Default: 120 seconds

  • Range: 60 to 3600 seconds

logical-system ls-name routing-instance ri-name

Specify the logical system or the routing instance for transport.

Default: If you do not explicitly configure the logical system or routing instance, the default is used. You can specify the logical system, the routing instance, or both.

  • No configuration specifies default:default.
  • Configuring only the routing instance specifies default:ri-name.
  • Configuring only the logical system specifies ls-name:default.
  • Configuring both the logical system and the routing instance specifies ls-name:ri-name.
max-tx-buffers number

Configure the maximum number of packets buffered on transmission.


The buffer allocation should be able to accommodate the max-outstanding-requests for mapped RADIUS servers configured at the [edit access radius-server] hierarchy level.

  • Default: 100

  • Range: 32 to 3200

port port-number

(Optional) Configure the port number of the RADSEC server.

  • Default: 2083

  • Range: 1 through 65535

source-address ip-address

Configure the source IP address, which is the IP address of the RADSEC server. If the source address is not configured for dynamic requests, dynamic requests will be rejected.

tls-certificate certificate-name

Specify the name of the local certificate.

tls-force-ciphers [medium | low]

(Optional) Allow lower-grade ciphers than the default.

  • Values:

    • low—Add medium and low grade ciphers.

    • medium—Add medium grade ciphers.

    • Note:

      The "tls-force-ciphers" option is not applicable. Strong cipher suites are always used by default.

tls-min-version [v1.1 | v1.2]

(Optional) Configure the TLS version to limit the lowest supported versions of TLS that are enabled for SSL connections.

  • Values:

    • v1.1—Require TLS 1.1 and 1.2.

    • v1.2—Require TLS 1.2.

  • Default: v1.2

tls-peer-name name

Certified name of the RADSEC server.

tls-timeout seconds

Specify a limit on TLS negotiation.

  • Default: 5 seconds

  • Range: 3 through 90 seconds

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 19.1R1.

dynamic-requests introduced in Junos OS Release 19.2R1.