Enabling RADIUS Communication over TLS (RadSec)

You can configure an Instant AP to carry RADIUS over a TLS tunnel so that communication between the Instant AP and the RADIUS server is protected. TLS is a cryptographic protocol that provides communication security over the Internet: it encrypts the segments of network connections above the transport layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. Enabling RADIUS communication over TLS raises the level of security for authentication carried out across the cloud network. When configured, this feature ensures that the RadSec protocol (RADIUS over TLS, RFC 6614) is used to transmit authentication and accounting data between the Instant AP and the RadSec server. RadSec runs over TCP (port 2083 by default) and the peers are authenticated by certificates rather than by the RADIUS shared secret, so validating the RadSec server's certificate chain is what prevents an attacker on the path from impersonating the RADIUS server.

The following conditions apply to RadSec configuration:

Configuring a RadSec Server

The following procedure describes how to configure a RadSec server:

  1. Navigate to the Configuration > Security page.
  2. Toggle the RadSec switch to enable RadSec.
  3. Expand Authentication Servers.
  4. To create a new server, click +. The New Authentication Server window for specifying details for the new server is displayed.
  5. Select the RADIUS server type and configure the following parameters:
    1. In the Name text box, enter the name of the server.
    2. In the IP Address field, enter the host name or the IP address of the server.
    3. In the RadSec port text box, ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.
    4. Toggle the Dynamic Authorization switch to enabled to allow the Instant APs to process RFC 3576-compliant CoA (Change of Authorization) and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas CoA messages modify session authorization attributes such as data filters.
    5. If Dynamic Authorization is enabled, specify an AirGroup CoA port if required.
    6. In the NAS IP address text box, enter the NAS (Network Access Server) IP address.
    7. In the NAS identifier text box, specify the NAS identifier. This string is sent as RADIUS attribute 32 (NAS-Identifier) in the requests the Instant AP sends to the RADIUS server.
  6. Click OK.

The following CLI commands configure the RadSec server:

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# ip <host>

(Instant AP)(Auth Server "name")# radsec [port <port>]

(Instant AP)(Auth Server "name")# rfc3576

(Instant AP)(Auth Server "name")# nas-id <id>

(Instant AP)(Auth Server "name")# nas-ip <ip>

The following command allows users to include or exclude SHA-1 cipher suites for the RadSec server: all permits them, high excludes them and is the setting to use unless the server only supports SHA-1 suites.

(Instant AP)(config)# wlan auth-server <profile-name>

(Instant AP)(Auth Server "name")# radsec-ciphers-level <all|high>
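The NAS identifier and Dynamic Authorization settings above determine what the Instant AP puts inside the RadSec tunnel and what it must check before tearing down or re-authorizing a session on a server's request. The following Python script is an added example, not Aruba code and not taken from this page: it builds the Access-Request a NAS sends (with NAS-Identifier, attribute 32, and a Message-Authenticator) and validates an incoming RFC 3576/5176 Disconnect-Request or CoA-Request the way a NAS should. The TLS connection itself is not shown. The fixed shared secret "radsec" comes from RFC 6614; user names, addresses and the NAS identifier "iap-lobby" are constructed sample values.

```python
"""RADIUS packets inside a RadSec tunnel (constructed example, stdlib only)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RFC 6614: TLS supplies confidentiality and peer authentication, so the
# RADIUS shared secret is fixed to the literal "radsec" and adds no security.
RADSEC_SECRET = b"radsec"

ACCESS_REQUEST, DISCONNECT_REQUEST, COA_REQUEST = 1, 40, 43  # RFC 2865, RFC 5176
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 4, 32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869
Attrs = List[Tuple[int, bytes]]


def encode_attrs(attrs: Attrs) -> bytes:
    """Serialise (type, value) pairs as RADIUS TLV attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob: bytes) -> Attrs:
    """Parse RADIUS TLV attributes, rejecting zero-length or overlong entries."""
    attrs: Attrs = []
    i = 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])  # struct.error if truncated
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def _packet(code: int, identifier: int, authenticator: bytes, attrs: Attrs) -> bytes:
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_access_request(identifier: int, user_name: str, nas_ip: str,
                         nas_id: str, secret: bytes = RADSEC_SECRET) -> bytes:
    """Access-Request with NAS-Identifier (attribute 32) and Message-Authenticator."""
    req_auth = os.urandom(16)
    attrs: Attrs = [
        (ATTR_USER_NAME, user_name.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_NAS_IDENTIFIER, nas_id.encode()),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),  # zeroed while the HMAC is computed
    ]
    mac = hmac.new(secret, _packet(ACCESS_REQUEST, identifier, req_auth, attrs), hashlib.md5)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac.digest())
    return _packet(ACCESS_REQUEST, identifier, req_auth, attrs)


def verify_message_authenticator(pkt: bytes, secret: bytes = RADSEC_SECRET) -> bool:
    """Server-side check of the Message-Authenticator on a received request."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    attrs = decode_attrs(pkt[20:])
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, _packet(pkt[0], pkt[1], pkt[4:20], zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received[0])


def build_dynamic_auth_request(code: int, identifier: int, attrs: Attrs,
                               secret: bytes = RADSEC_SECRET) -> bytes:
    """Disconnect-Request or CoA-Request as the server sends it (RFC 5176):
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request code")
    unsigned = _packet(code, identifier, bytes(16), attrs)
    return _packet(code, identifier, hashlib.md5(unsigned + secret).digest(), attrs)


def check_dynamic_auth_request(pkt: bytes, my_nas_id: str,
                               secret: bytes = RADSEC_SECRET) -> Optional[str]:
    """NAS-side gate before honouring a CoA/Disconnect: verify the Request Authenticator,
    then require any NAS-Identifier to name this NAS (RFC 5176 Error-Cause 403 otherwise).
    Returns None when the request may be acted on, else the reason to NAK it."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "bad length"
    if pkt[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
        return "not a dynamic authorization request"
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "bad Request Authenticator"
    nas_ids = [v for t, v in decode_attrs(pkt[20:]) if t == ATTR_NAS_IDENTIFIER]
    if any(v != my_nas_id.encode() for v in nas_ids):
        return "NAS Identification Mismatch"
    return None
```

Because the secret is a public constant under RadSec, the Request Authenticator on a CoA or Disconnect-Request only proves integrity, not origin; the origin guarantee comes from the TLS peer certificate, which is why the AP must reject any RadSec connection whose certificate does not chain to the configured CA before it reaches this layer.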

Associating the RadSec Server Profile with a Network Profile

The following procedure associates the server profile with a network profile:

  1. Access the WLAN wizard or the Wired Settings window (go to the Configuration > Networks page, select a WLAN or a wired profile, and click edit).

    You can also associate the authentication servers when creating a new WLAN or wired profile.

  2. Select the Security tab.
  3. If you are configuring the authentication server for a WLAN SSID profile, move the slider to the Enterprise security level and select an authentication type from the Key management drop-down list.
  4. For a wired profile, enable the MAC authentication or 802.1X authentication toggle switch.
  5. From the Auth server 1 drop-down list, select the server on which RadSec is enabled. You can also create a new server enabled with RadSec by clicking +.
  6. Click Next until Finish.
  7. To assign the RADIUS authentication server to another network profile, select the newly added server when configuring security settings for that WLAN or wired network profile.

The following CLI commands associate an authentication server with a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# auth-server <server-name>

The following CLI commands associate an authentication server with a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# auth-server <name>