
Enabling RADIUS Communication over TLS (RadSec)

You can configure an Instant AP to use a TLS tunnel to enable secure communication between the RADIUS server and the Instant AP. Enabling RADIUS communication over TLS increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the Instant AP and the RadSec server.

The following conditions apply to RadSec configuration:

When the TLS tunnel is established, RADIUS packets will go through the tunnel.

By default, the TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes.

Instant supports dynamic CoA (RFC 3576) over RadSec, and the RADIUS server uses an existing TLS connection opened by the Instant AP to send the request.

By default, the Instant AP uses its device certificate to establish a TLS connection with the RadSec server. You can also upload your custom certificates to the Instant AP. For more information on uploading certificates, see Uploading Certificates.

Configuring RadSec Server

You can configure RadSec using the WebUI or the CLI.

In the Old WebUI

1. Navigate to Security > Authentication Servers.

2. To create a new server, click New. The New Authentication Server window for specifying details for the new server is displayed.

3. Select the RADIUS server type and configure the following parameters:

a. Enter the name of the server.

b. Enter the host name or the IP address of the server.

c. Select Enabled to enable RadSec.

d. Ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.

e. To allow the Instant APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server, set RFC 3576 to Enabled. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

f. If RFC 3576 is enabled, specify an AirGroup CoA port if required.

g. Enter the NAS IP address.

h. Specify the NAS identifier to configure strings for RADIUS attribute 32 and to send it with RADIUS requests to the RADIUS server.

4. Click OK.

In the New WebUI

1. Navigate to the Configuration > Security page.

2. Expand Authentication Servers.

3. To create a new server, click +. The New Authentication Server window for specifying details for the new server is displayed.

4. Select the RADIUS server type and configure the following parameters:

a. Enter the name of the server.

b. Enter the host name or the IP address of the server.

c. Toggle the RadSec switch to enable RadSec.

d. Ensure that the port defined for RadSec is correct in the RadSec port text box. By default, the port number is set to 2083.

e. To allow the Instant APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server, select the Dynamic Authorization toggle switch. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.

f. If Dynamic Authorization is enabled, specify an AirGroup CoA port, if required.

g. Enter the NAS IP address.

h. Specify the NAS identifier to configure strings for RADIUS attribute 32 and to send it with RADIUS requests to the RADIUS server.

5. Click OK.

In the CLI

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>
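After the RadSec server profile is configured, a practitioner usually wants to confirm that the server accepts TLS on TCP 2083 and presents a certificate that chains to the CA the Instant AP trusts. The following Python check is an added example, not part of the Aruba guide; the hostname and CA file name in it are placeholders you replace with your own.

```python
import socket
import ssl
from typing import Optional

RADSEC_PORT = 2083  # default RadSec port, as used in the Instant AP configuration


def build_radsec_context(cafile: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings a RadSec client should insist on: verify the server
    certificate against a trusted CA, check the hostname, and refuse TLS
    versions older than 1.2. The client certificate is optional here; the
    Instant AP itself presents its device certificate by default."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def check_radsec_server(host: str, port: int = RADSEC_PORT,
                        cafile: Optional[str] = None,
                        timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and report what was negotiated.
    Raises ssl.SSLCertVerificationError when the server certificate does
    not chain to the CA or does not match the hostname, which is exactly
    the failure an Instant AP would hit when bringing up the tunnel."""
    ctx = build_radsec_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Placeholders (constructed): your RadSec server and the CA that signed it.
    print(check_radsec_server("radsec.example.com", cafile="radsec-ca.pem"))
```

If the check raises a certificate error, fix the server certificate or the trusted CA before enabling RadSec on the profile; the Instant AP will not fall back to plain RADIUS over UDP on that server.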

Associate the RadSec Server Profile with a Network Profile

You can associate the server profile with a network profile using the WebUI or the CLI.

In the Old WebUI

1. Access the WLAN wizard or the Wired Settings window.

To open the WLAN wizard, select an existing SSID on the Networks tab, and click edit.

To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.


You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab.

3. If you are configuring the authentication server for a WLAN SSID profile, move the slider to Enterprise security level and select an authentication type from the Key management drop-down list.

4. For a wired profile, set MAC authentication or 802.1X authentication to Enabled.

5. From the Auth server 1 drop-down list, select the server name on which RadSec is enabled. You can also create a new server with Radsec enabled by selecting New.

6. Click Next and then click Finish.

7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a WLAN or wired network profile.

In the New WebUI

1. Access the WLAN wizard or the Wired Settings window (go to the Configuration > Networks page, select a WLAN or a wired profile and click edit).


You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Select the Security tab.

3. If you are configuring the authentication server for a WLAN SSID profile, move the slider to Enterprise security level and select an authentication type from the Key management drop-down list.

4. For a wired profile, enable the MAC authentication or 802.1X authentication toggle switch.

5. From the Auth server 1 drop-down list, select the server on which RadSec is enabled. You can also create a new server with Radsec enabled by clicking +.

6. Click Next until you reach Finish, then click Finish.

7. To assign the RADIUS authentication server to a network profile, select the newly added server when configuring security settings for a WLAN or wired network profile.

In the CLI

To associate an authentication server to a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

To associate an authentication server to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>
