
RADIUS over TLS (RADSEC)

To use 802.1X or MAC RADIUS authentication, you must specify the connections on the switch for each RADIUS server to which you will connect. RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Layer Security (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks.

RADSEC uses TLS in combination with the Transmission Control Protocol (TCP). This transport profile provides stronger security than the User Datagram Protocol (UDP), which was originally used for RADIUS transmission. RADIUS over UDP hides the password using the MD5 algorithm and the shared secret, a scheme that is vulnerable to attacks. RADSEC mitigates the risk of attacks on MD5 by exchanging RADIUS packet payloads over an encrypted TLS tunnel.

Note:

Due to limitations of the TCP protocol, RADSEC can have no more than 255 RADIUS messages in flight.

Configure the RADSEC Destination

RADSEC servers are represented by RADSEC destination objects. To configure RADSEC, you must define the RADSEC server as a destination, and direct RADIUS traffic to that destination.

You define the RADSEC server as a destination using the radsec statement at the [edit access] hierarchy level. RADSEC destinations are identified by a unique numeric ID. You can configure multiple RADSEC destinations with different parameters pointing to the same RADSEC server.

To redirect traffic from a standard RADIUS server to a RADSEC server, associate the RADIUS server with a RADSEC destination. For example, the RADIUS server 10.1.1.1 is associated with RADSEC destination 10:

You can also associate the RADIUS server with a RADSEC destination inside an access profile. For example, RADIUS server 10.2.2.2 in profile acc_profile is associated with RADSEC destination 10:

Note:

You can redirect more than one RADIUS server to the same RADSEC destination.

To configure RADSEC:

  1. Configure the RADSEC destination with a unique ID and an IP address.
  2. Configure the port of the RADSEC server. If no port is configured, the default RADSEC port 2083 is used.
  3. Redirect traffic from a RADIUS server to the RADSEC destination:

Configure TLS Connection Parameters

The TLS connection provides encryption, authentication, and data integrity for the exchange of RADIUS messages. TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between the RADSEC client and server. The RADSEC destination uses local certificates that are dynamically acquired from the Junos PKI infrastructure.

To enable RADSEC, you must specify the name of the local certificate. For information on configuring the local certificate and certificate authority (CA), see Configuring Digital Certificates.

  1. Specify the name of the local certificate to be used for TLS communications.
  2. Configure the certified name of the RADSEC server.
  3. (Optional) Configure the TLS connection timeout (default is 5 seconds).

Example: Simple RADSEC Configuration

The following example is a simple RADSEC configuration with one RADIUS server and one RADSEC destination. RADIUS traffic is redirected from RADIUS server 10.1.1.1 to RADSEC destination 10.
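The configuration below is an added example, not the page's own, that walks through both procedures above (destination, port, redirection, then the TLS parameters). It assumes Junos set-style syntax in which the radsec destination takes the statements address, port, local-certificate, server-name and tls-timeout, and a radius-server takes radsec-destination; those keywords are assumptions beyond what the page names, and the destination address 192.0.2.10, the server name and the certificate name switch-cert are constructed values.

```text
## Step 1: RADSEC destination 10 pointing at the RADSEC server (constructed address)
set access radsec destination 10 address 192.0.2.10

## Step 2: RADSEC port; 2083 is also the default if this line is omitted
set access radsec destination 10 port 2083

## TLS parameters: local certificate from the Junos PKI (constructed name),
## the name the server's certificate must carry, and the 5-second default timeout
set access radsec destination 10 local-certificate switch-cert
set access radsec destination 10 server-name radsec.example.com
set access radsec destination 10 tls-timeout 5

## Step 3: redirect RADIUS server 10.1.1.1 to destination 10 ...
set access radius-server 10.1.1.1 radsec-destination 10

## ... and, for the profile case on this page, server 10.2.2.2 in acc_profile
set access profile acc_profile radius-server 10.2.2.2 radsec-destination 10
```

After committing, the show network-access radsec state and local-certificate commands listed below confirm that the certificate was acquired and the TLS session to the destination is up.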

Monitoring Certificates

To view information about the state and statistics of local certificate acquisition: show network-access radsec local-certificate.

Monitoring RADSEC Destinations

To view statistics for the RADSEC destinations: show network-access radsec statistics.

To view the state of the RADSEC destinations: show network-access radsec state.