Configuring RadSec

This chapter describes how to configure RadSec over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) servers.

Restrictions for Configuring RadSec

The following restrictions apply to the RadSec feature:

  • A RADIUS client uses an ephemeral port as the source port. This source port should not be used for UDP, Datagram Transport Layer Security (DTLS), and Transport Layer Security (TLS) at the same time.

  • Although there is no configuration restriction, we recommend that you use the same type, either only TLS or only DTLS, for a server under an AAA server group.

  • RadSec is not supported on the DTLS port range 1 to 1024.

    DTLS ports must be configured to work with the RADIUS server.

  • RadSec is not supported with high availability.

Information About RadSec

RadSec provides encryption services for RADIUS traffic to the RADIUS server, which is transported over a secure TLS or DTLS tunnel. RadSec over TLS and DTLS is implemented on both the client side and the device server side: the client side handles RADIUS AAA, and the device side handles Change of Authorization (CoA).

You can configure the following parameters:

  • Individual client-specific idle timeout, client trustpoint, and server trustpoint.

  • Global CoA-specific TLS or DTLS listening port and the corresponding list of source interfaces.


Note: You can disable TLS or DTLS for a specific server by using the no tls or no dtls command in RADIUS server configuration mode.


How to Configure RadSec

The following sections provide information about the various tasks that comprise RadSec configuration:

Configuring RadSec over TLS

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

tls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [[ip | ipv6] {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [match-server-identity {email-address email-address | hostname host-name | ip-address ip-address}] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ipv6 vrf forwarding table-1
Device(config-radius-server)# tls match-server-identity ip-address 10.1.1.10
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp

Configures the TLS parameters. You can configure the following parameters:

  • connectiontimeout : Configures TLS connection timeout value. The default is 5 seconds.

  • idletimeout : Configures the TLS idle timeout value. The default is 60 seconds.

  • ip : Configures IP source parameters.

  • ipv6 : Configures IPv6 source parameters.

  • match-server-identity : Configures RadSec certification validation parameters.

    Note: This is a mandatory configuration.

  • port : Configures the TLS port number. The default is 2083.

  • retries : Configures the number of TLS connection retries. The default is 5.

  • trustpoint : Configures the TLS trustpoint for a client and a server. If the TLS trustpoint for the client and the server is the same, the trustpoint name should also be the same for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Dynamic Authorization for TLS CoA

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies the RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [tls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-key server-key] [server-tp server-tp-name]]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client server-key key1

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • tls : Enables TLS for the client.

    • client-tp : Configures the client trustpoint.

    • idletimeout : Configures the TLS idle timeout value.

    • server-key : Configures a RADIUS client server-key.

    • server-tp : Configures the server trustpoint.

Step 5

end

Example:

Device(config-locsvr-da-radius)# end

Exits dynamic authorization local server configuration mode and returns to privileged EXEC mode.

Configuring RadSec over DTLS

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

dtls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [[ip | ipv6] {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [match-server-identity {email-address email-address | hostname host-name | ip-address ip-address}] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ipv6 vrf forwarding table-1
Device(config-radius-server)# dtls match-server-identity ip-address 10.1.1.10
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp

Configures DTLS parameters. You can configure the following parameters:

  • connectiontimeout : Configures the DTLS connection timeout value. The default is 5 seconds.

  • idletimeout : Configures the DTLS idle timeout value. The default is 60 seconds.

    Note: When the idle timeout expires and no transactions have occurred since the last idle timeout, the DTLS session is closed. When the session is reestablished, the idle timer must be restarted for the timeout to work.

    For example, if the configured idle timeout is 30 seconds, the number of RADIUS DTLS transactions is checked when the timeout expires. If more than 0 RADIUS DTLS packets were seen, the transaction counter is reset and the timer is started again.

  • ip : Configures IP source parameters.

  • ipv6 : Configures IPv6 source parameters.

  • match-server-identity : Configures RadSec certification validation parameters.

    Note: This is a mandatory configuration.

  • port : Configures the DTLS port number. The default is 2083.

  • retries : Configures the number of DTLS connection retries. The default is 5.

  • trustpoint : Configures the DTLS trustpoint for the client and the server. If the DTLS trustpoint for the client and the server is the same, the trustpoint name should also be the same for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.
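The idle-timeout rule described in the dtls idletimeout note of Step 4 is easy to misread, so here it is as a small simulation. This is an added example, not code from the Cisco guide: the DtlsSession class, the simulate() helper and the simulated clock are this example's own, and the assumption that the packet which reestablishes a closed session counts as its first transaction is marked in a comment.

```python
class DtlsSession:
    """Idle timer and transaction counter of one RADIUS/DTLS session (simulated, no sockets)."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout    # guide default is 60 seconds
        self.transactions = 0               # RADIUS DTLS packets seen since the last expiry check
        self.timer_expiry = idle_timeout    # assumption: the timer starts when the session comes up at t=0
        self.closed_at = None

    def restart_timer(self, now):
        self.timer_expiry = now + self.idle_timeout

    def on_packet(self, now):
        """Counts a RADIUS DTLS transaction; on a closed session it also reestablishes the session."""
        if self.closed_at is not None:
            self.closed_at = None
            self.transactions = 0
            self.restart_timer(now)         # per the note: restart the idle timer on reestablishment
        self.transactions += 1              # assumption: the reestablishing packet is itself a transaction

    def on_timer_expiry(self, now):
        """Expiry rule from the note: traffic since the last check keeps the session, silence closes it."""
        if self.transactions > 0:
            self.transactions = 0
            self.restart_timer(now)
            return "restarted"
        self.closed_at = now
        return "closed"


def simulate(idle_timeout, packet_times, horizon):
    """Replays packet arrival times (simulated seconds) and returns (time, event) tuples up to horizon."""
    session = DtlsSession(idle_timeout)
    pending = sorted(packet_times)
    log = []
    while session.timer_expiry <= horizon:
        # Deliver every packet that arrives before the next expiry check.
        while pending and pending[0] < session.timer_expiry:
            session.on_packet(pending.pop(0))
        expiry = session.timer_expiry
        log.append((expiry, session.on_timer_expiry(expiry)))
        if session.closed_at is not None:
            if not pending:
                break
            t = pending.pop(0)              # the next packet brings the session back up
            session.on_packet(t)
            log.append((t, "reestablished"))
    return log
```

With a 30-second idle timeout and packets at 10, 40 and 45 seconds, the session survives the checks at 30 and 60 seconds and is closed at 90; a session that goes quiet and sees traffic again later is reestablished with a fresh timer.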

Configuring Dynamic Authorization for DTLS CoA

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [dtls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-key server-key] [server-tp server-tp-name]]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp tls_ise server-tp tls_client server-key key1

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • dtls : Enables DTLS for the client.

    • client-tp : Configures the client trustpoint.

    • idletimeout : Configures the DTLS idle timeout value.

    • server-key : Configures a RADIUS client server-key.

    • server-tp : Configures the server trustpoint.

Step 5

dtls {{ip | ipv6} radius source-interface interface-name | port radius-dtls-server-port-number}

Example:

Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100

Configures the RADIUS CoA server. You can configure the following parameters:

  • {ip | ipv6} radius source-interface interface-name : Specifies the interface for the source address in the RADIUS CoA server.

  • port radius-dtls-server-port-number : Specifies the port on which the local DTLS RADIUS server listens.

Step 6

end

Example:

Device(config-locsvr-da-radius)# end

Exits dynamic authorization local server configuration mode and returns to privileged EXEC mode.

Monitoring RadSec

Use the following commands to monitor TLS and DTLS server statistics:

Table 1. Monitoring TLS and DTLS Server Statistics Commands

Command: show aaa servers
Purpose: Displays information related to TLS and DTLS servers.

Command: clear aaa counters servers radius {server id | all}
Purpose: Clears the RADIUS TLS-specific or DTLS-specific statistics.

Command: debug radius radsec
Purpose: Enables RADIUS RadSec debugs.

Configuration Examples for RadSec

The following examples help you understand the RadSec configuration better:

Example: Configuring RadSec over TLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ip vrf forwarding table-1
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for TLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end

Example: Configuring RadSec over DTLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ip vrf forwarding table-1
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for DTLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp dtls_ise server-tp dtls_client
Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end
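The four procedures above share one shape: a radius server block with transport parameters, and a dynamic-author block with a CoA client. The following helper emits those CLI lines and checks them against the restrictions and mandatory settings stated in this chapter (match-server-identity required, DTLS ports 1 to 1024 unsupported, documented defaults). It is an added example, not code from the Cisco guide; the function names and argument layout are this example's own.

```python
# Defaults documented in the tls and dtls command descriptions above.
DEFAULTS = {"connectiontimeout": 5, "idletimeout": 60, "retries": 5, "port": 2083}


def radius_server_config(name, transport, match_server_identity, client_tp, server_tp, **params):
    """Returns the 'radius server' lines for RadSec over TLS or DTLS.

    match_server_identity is a (kind, value) pair, e.g. ("ip-address", "10.1.1.10");
    the guide marks it mandatory. Unset timers, retries and port keep the documented defaults.
    """
    if transport not in ("tls", "dtls"):
        raise ValueError("transport must be 'tls' or 'dtls'")
    if match_server_identity is None:
        raise ValueError("match-server-identity is mandatory for RadSec")
    unknown = set(params) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unsupported parameters: {sorted(unknown)}")
    settings = {**DEFAULTS, **params}
    if transport == "dtls" and 1 <= settings["port"] <= 1024:
        # Restriction from this chapter: RadSec is not supported on DTLS ports 1 to 1024.
        raise ValueError(f"dtls port {settings['port']} is in the unsupported range 1-1024")
    kind, value = match_server_identity
    lines = [f"radius server {name}"]
    for key in ("connectiontimeout", "idletimeout", "retries", "port"):
        if settings[key] != DEFAULTS[key]:          # emit only values that differ from the default
            lines.append(f" {transport} {key} {settings[key]}")
    lines.append(f" {transport} match-server-identity {kind} {value}")
    lines.append(f" {transport} trustpoint client {client_tp}")
    lines.append(f" {transport} trustpoint server {server_tp}")
    return lines


def coa_client_config(client, transport, client_tp, server_tp, server_key=None, idletimeout=None):
    """Returns the 'aaa server radius dynamic-author' lines for a TLS or DTLS CoA client."""
    if transport not in ("tls", "dtls"):
        raise ValueError("transport must be 'tls' or 'dtls'")
    parts = [f" client {client} {transport}"]
    if idletimeout is not None:
        parts.append(f"idletimeout {idletimeout}")
    parts += [f"client-tp {client_tp}", f"server-tp {server_tp}"]
    if server_key is not None:
        parts.append(f"server-key {server_key}")
    return ["aaa server radius dynamic-author", " ".join(parts)]
```

Because of the port check, the port 10 used for illustration in the examples above is rejected for DTLS; a port above 1024, such as the default 2083, passes.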

Feature History for Configuring RadSec

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release: Cisco IOS XE Bengaluru 17.4.1
Feature: Configuring RadSec
Feature Information: RadSec provides encryption services over the RADIUS server, which is transported over a secure tunnel.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.