Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Enabling RADIUS Communication over TLS (RadSec)
You can configure an Instant AP to use TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel and to enable secure communication between the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server and Instant AP. Enabling RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. communication over TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. increases the level of security for authentication that is carried out across the cloud network. When configured, this feature ensures that the RadSec protocol is used for safely transmitting the authentication and accounting data between the Instant AP and the RadSec server.
The following conditions apply to RadSec configuration:
- When the TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. tunnel is established, RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. packets will go through the tunnel.
- By default, the TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting, and dynamic authorization Dynamic authorization refers to the ability to make changes to a visitor account’s session while it is in progress. This might include disconnecting a session or updating some aspect of the authorization for the session. changes.
- Instant supports dynamic CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. (RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576) over RadSec and the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server uses an existing TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. connection opened by the Instant AP to send the request.
- By default, the Instant AP uses its device certificate to establish a TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. connection with RadSec server. You can also upload your custom certificates on to Instant AP. For more information on uploading certificates, see Authentication Certificates.
Configuring a RadSec Server
The following procedure describes how to configure a RadSec:
- Navigate to the > page.
- Toggle the switch to enable RadSec.
- Expand .
- To create a new server, click . The window for specifying details for the new server is displayed.
- Select the
- In the text box, enter the name of the server.
- In the field, enter the host name or the IP address of the server.
- In the text box, ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.
- Toggle the Instant APs to process RFC Request For Comments. RFC is a commonly used format for the Internet standards documentss. 3576-compliant CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. and disconnect messages from the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA Change of Authorization. The RADIUS CoA is used in the AAA service framework to allow dynamic modification of the authenticated, authorized, and active subscriber sessions. messages modify session authorization attributes such as data filters. switch to enabled to allow the
- Specify an if is enabled, if required.
- In the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. IP address. text box, enter the
- In the NAS Network Access Server. NAS provides network access to users, such as a wireless AP, network switch, or dial-in terminal server. identifier to configure strings for RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. attribute 32 and to send it with RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. requests to the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server. text box, specify the
server type and configure the following parameters: - Click .
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command configures the RadSec server:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)# ip <host>
(Instant AP)(Auth Server "name")# radsec [port <port>]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# nas-id <id>
(Instant AP)(Auth Server "name")# nas-ip <ip>
The following command allows users to exclude or include SHA Secure Hash Algorithm. SHA is a family of cryptographic hash functions. The SHA algorithm includes the SHA, SHA-1, SHA-2 and SHA-3 variants. -1 cipher suites from the RadSec server.
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server "name")# radsec-ciphers-level <all|high>
Associating the RadSec Server Profile with a Network Profile
The following procedure associates the server profile with a network profile:
- Access the WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. wizard or the Wired Settings window (Go to the > Networks page, select a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or a wired profile and click ).
You can also associate the authentication servers when creating a new WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired profile.
- Select the tab.
- If you are configuring the authentication server for a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. profile, move the slider to security level and select an authentication type from the drop-down list.
- For a wired profile, enable the or toggle switch.
- From the drop-down list, select the server on which RadSec is enabled. You can also create a new server enabled with RadSec by clicking .
- Click and until .
- To assign the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. authentication server to a network profile, select the newly added server when configuring security settings for a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. or wired network profile.
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command associates an authentication server to a WLAN Wireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# auth-server <server-name>
The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command associates an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>