Enabling RADIUS Communication over TLS (RadSec)

You can configure an Instant AP to use a TLS (Transport Layer Security) tunnel to enable secure communication between the RADIUS (Remote Authentication Dial-In User Service) server and the Instant AP. Enabling RADIUS communication over TLS increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the Instant AP and the RadSec server.

The following conditions apply to RadSec configuration:

When the TLS tunnel is established, RADIUS packets go through the tunnel.

By default, TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization changes; all of them share the one RadSec connection.

Instant supports dynamic CoA (Change of Authorization, RFC 3576) over RadSec. The RADIUS server uses the existing TLS connection opened by the Instant AP to send the CoA request, so no inbound connection to the Instant AP is needed.

By default, the Instant AP uses its device certificate to establish a TLS connection with the RadSec server. You can also upload your custom certificates to the Instant AP. For more information on uploading certificates, see Uploading Certificates.
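The conditions above mean that authentication, accounting and CoA packets all arrive as one TCP byte stream inside the TLS session, so a RadSec endpoint must frame packets by the RADIUS Length field and authenticate each one with the type-appropriate authenticator (RFC 6614 fixes the legacy shared secret for RADIUS/TLS to the string "radsec"). The following added example, which is not Aruba code, builds three request types, multiplexes them on one constructed stream delivered in two chunks, and frames and verifies them; the NAS-Identifier "iap-lobby-1", the NAS IP 10.0.0.5 and the user names are constructed sample values.

```python
import hashlib, hmac, os, struct

RADSEC_PORT, RADSEC_SECRET = 2083, b"radsec"   # RFC 6614: fixed secret; TLS provides the real protection
ACCESS_REQUEST, ACCOUNTING_REQUEST, COA_REQUEST = 1, 4, 43
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, NAS_IDENTIFIER, ACCT_STATUS_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 11, 32, 40, 80

def attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v

def build(code, ident, attrs, secret=RADSEC_SECRET):
    """Build a RADIUS request whose authenticator matches its packet type."""
    body = b"".join(attr(t, v) for t, v in attrs)
    if code == ACCESS_REQUEST:
        # RFC 3579: random Request Authenticator; Message-Authenticator = HMAC-MD5 over the
        # whole packet with the attribute's own 16 value octets zeroed.
        body += attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)
        pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + os.urandom(16) + body
        return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    # RFC 2866 / RFC 5176: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + b"\0" * 16 + body + secret).digest() + body

def split_stream(buf):
    """Frame packets out of a TCP stream by the Length field; UDP datagram boundaries do not exist here."""
    pkts = []
    while len(buf) >= 4:
        n = struct.unpack("!H", buf[2:4])[0]
        if n < 20: raise ValueError("bad RADIUS length")
        if n > len(buf): break            # incomplete packet: wait for the next TLS record
        pkts.append(buf[:n]); buf = buf[n:]
    return pkts, buf

def verify(pkt, secret=RADSEC_SECRET):
    """Authenticate one framed packet and return (code, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos, zeroed, mac = {}, 20, bytearray(pkt), None
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        t, n = pkt[pos], pkt[pos + 1]
        if t == MESSAGE_AUTHENTICATOR: mac, zeroed[pos + 2:pos + n] = pkt[pos + 2:pos + n], b"\0" * 16
        else: attrs[t] = pkt[pos + 2:pos + n]
        pos += n
    if code == ACCESS_REQUEST:
        ok = mac is not None and hmac.compare_digest(mac, hmac.new(secret, bytes(zeroed), hashlib.md5).digest())
    else:
        ok = hmac.compare_digest(pkt[4:20], hashlib.md5(pkt[:4] + b"\0" * 16 + pkt[20:] + secret).digest())
    if not ok: raise ValueError("authenticator mismatch")
    return code, attrs

def demo():
    """Constructed traffic: AP-originated auth and accounting plus a server-originated CoA on one session."""
    ap = [(NAS_IP_ADDRESS, bytes([10, 0, 0, 5])), (NAS_IDENTIFIER, b"iap-lobby-1")]   # constructed values
    stream = (build(ACCESS_REQUEST, 1, ap + [(USER_NAME, b"alice")])
              + build(ACCOUNTING_REQUEST, 2, ap + [(ACCT_STATUS_TYPE, struct.pack("!I", 1))])
              + build(COA_REQUEST, 7, [(USER_NAME, b"alice"), (FILTER_ID, b"guest-acl")]))
    seen, buf = [], b""
    for chunk in (stream[:37], stream[37:]):     # split mid-packet to exercise reassembly
        pkts, buf = split_stream(buf + chunk)
        seen += [(c, a.get(NAS_IDENTIFIER)) for c, a in map(verify, pkts)]
    return seen, buf
```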

Configuring RadSec Server

You can configure RadSec using the WebUI or the CLI.

In the WebUI

1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A popup window for specifying details for the new server is displayed.
3. Under RADIUS Server, configure the following parameters:
a. Enter the name of the server.
b. Enter the host name or the IP address of the server.
c. Select Enabled to enable RadSec.
d. Ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.
e. To allow the Instant APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server, set RFC 3576 to Enabled. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
f. If RFC 3576 is enabled, specify an AirGroup CoA port if required.
g. Enter the NAS (Network Access Server) IP address.
h. Specify the NAS identifier, the string that is sent as RADIUS attribute 32 in RADIUS requests to the RADIUS server.
4. Click OK.

In the CLI

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

Associate the Server Profile with a Network Profile

You can associate the server profile with a network profile using the WebUI or the CLI.

In the WebUI

1. Access the WLAN wizard or the Wired Settings window.

To open the WLAN wizard, select an existing SSID on the Network tab, and click edit.

To open the wired settings window, click More > Wired. In the Wired window, select a profile and click Edit.


You can also associate the authentication servers when creating a new WLAN or wired profile.

2. Click the Security tab and select a splash page profile.
3. Select an authentication type.
4. From the Authentication Server 1 drop-down list, select the server name on which RadSec is enabled.
5. Click Next and then click Finish.

In the CLI

To associate an authentication server to a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

To associate an authentication server to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>