Configuring RadSec

This chapter describes how to configure RadSec over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) servers.

Restrictions for Configuring RadSec

The following restrictions apply to the RadSec feature:

  • A RADIUS client uses an ephemeral port as the source port. This source port should not be used for UDP, Datagram Transport Layer Security (DTLS), and Transport Layer Security (TLS) at the same time.

  • Although there is no configuration restriction, we recommend that you use the same type, either only TLS or only DTLS, for a server under an AAA server group.

  • RadSec is supported only on IPv4 connections.

Information About RadSec

RadSec encrypts RADIUS traffic to the RADIUS server by transporting it over a secure tunnel. RadSec over TLS and DTLS is implemented on both the client side and the device-server side: the client side handles RADIUS AAA, and the device-server side handles Change of Authorization (CoA).

You can configure the following parameters:

  • Individual client-specific idle timeout, client trustpoint, and server trustpoint.

  • Global CoA-specific TLS or DTLS listening port and the corresponding list of source interfaces.

Note
You can disable TLS or DTLS for a specific server by using the no tls or no dtls command in RADIUS server configuration mode.

How to Configure RadSec

The following sections provide information about the various tasks that comprise RadSec configuration:

Configuring RadSec over TLS

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius server radius-server-name
  4. tls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]
  5. end

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

tls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ip vrf forwarding table-1
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp

Configures the TLS parameters. You can configure the following parameters:

  • connectiontimeout —Configures TLS connection timeout value. The default is 5 seconds.

  • idletimeout —Configures the TLS idle timeout value. The default is 60 seconds.

  • ip —Configures IP source parameters.

  • port —Configures the TLS port number. The default is 2083.

  • retries —Configures the number of TLS connection retries. The default is 5.

  • trustpoint —Configures the TLS trustpoint for the client and for the server. If the client and the server use the same TLS trustpoint, configure the same trustpoint name for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Dynamic Authorization for TLS CoA

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa server radius dynamic-author
  4. client {ip-addr | hostname} [tls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]
  5. end

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies the RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [tls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • tls —Enables TLS for the client.

    • client-tp —Configures the client trustpoint.

    • idletimeout —Configures the TLS idle timeout value.

    • server-tp —Configures the server trustpoint.

  • vrf —Configures virtual routing and forwarding (VRF) ID of the client.

Step 5

end

Example:

Device(config-locsvr-da-radius)# end

Exits dynamic authorization local server configuration mode and returns to privileged EXEC mode.

Configuring RadSec over DTLS

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius server radius-server-name
  4. dtls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]
  5. end

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

dtls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ip vrf forwarding table-1
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp

Configures DTLS parameters. You can configure the following parameters:

  • connectiontimeout —Configures the DTLS connection timeout value. The default is 5 seconds.

  • idletimeout —Configures the DTLS idle timeout value. The default is 60 seconds.

  • ip —Configures IP source parameters.

  • port —Configures the DTLS port number. The default is 2083.

  • retries —Configures the number of DTLS connection retries. The default is 5.

  • trustpoint —Configures the DTLS trustpoint for the client and for the server. If the client and the server use the same DTLS trustpoint, configure the same trustpoint name for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Dynamic Authorization for DTLS CoA

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa server radius dynamic-author
  4. client {ip-addr | hostname} [dtls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]
  5. dtls {ip radius source-interface interface-name | port radius-dtls-server-port-number}
  6. end

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [dtls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp dtls_ise server-tp dtls_client

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • dtls —Enables DTLS for the client.

    • client-tp —Configures the client trustpoint.

    • idletimeout —Configures the DTLS idle timeout value.

    • server-tp —Configures the server trustpoint.

  • vrf —Configures virtual routing and forwarding (VRF) ID of the client.

Step 5

dtls {ip radius source-interface interface-name | port radius-dtls-server-port-number}

Example:

Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100

Configures the RADIUS CoA server. You can configure the following parameters:

  • ip radius source-interface interface-name —Specifies the interface for the source address in the RADIUS CoA server.

  • port radius-dtls-server-port-number —Specifies the port on which the local DTLS RADIUS server listens.

Step 6

end

Example:

Device(config-locsvr-da-radius)# end

Exits dynamic authorization local server configuration mode and returns to privileged EXEC mode.

Monitoring RadSec

Use the following commands to monitor TLS and DTLS server statistics:

Table 1. Monitoring TLS and DTLS Server Statistics Commands

  Command                                               Purpose
  show aaa servers                                      Displays information related to TLS and DTLS servers.
  clear aaa counters servers radius {server id | all}   Clears the RADIUS TLS-specific or DTLS-specific statistics.
  debug radius radsec                                   Enables RADIUS RadSec debugs.

Configuration Examples for RadSec

The following examples help you understand the RadSec configuration better:

Example: Configuring RadSec over TLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ip vrf forwarding table-1
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for TLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end

Example: Configuring RadSec over DTLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ip vrf forwarding table-1
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for DTLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp dtls_ise server-tp dtls_client
Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end
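As an added check that is not part of this Cisco chapter or of any Cisco tooling: a small Python linter that parses radius server blocks like the ones above, fills in the defaults the chapter states for the tls and dtls commands (5-second connection timeout, 60-second idle timeout, port 2083, 5 retries), and reports a server that lacks a client or server trustpoint and a server group whose members mix TLS and DTLS, which the Restrictions section advises against. Server R2 and the aaa group server radius block are constructed for the sample and do not appear in this chapter.

```python
import re
from collections import defaultdict
# Defaults the chapter states for both the tls and dtls commands.
DEFAULTS = {"connectiontimeout": 5, "idletimeout": 60, "port": 2083, "retries": 5}
# Constructed sample: R1 is abridged from the chapter's TLS example; R2 and the
# 'aaa group server radius' block are constructed and not shown in the chapter.
SAMPLE_CONFIG = """\
radius server R1
 tls port 10
 tls trustpoint client TP-self-signed-721943660
 tls trustpoint server isetp
radius server R2
 dtls trustpoint client TP-self-signed-721943660
aaa group server radius RADSEC-GROUP
 server name R1
 server name R2
"""

def parse_config(text):
    """Return (servers, groups): effective settings per server, members per group."""
    servers, groups, cur, kind = {}, defaultdict(list), None, None
    for line in text.splitlines():
        parts = line.split()
        if m := re.match(r"(radius server|aaa group server radius) (\S+)", line):
            kind, cur = m.group(1), m.group(2)
            if kind == "radius server":
                servers[cur] = {"transport": None, "trustpoint": {}, **DEFAULTS}
        elif kind == "radius server" and parts[:1] in (["tls"], ["dtls"]):
            servers[cur]["transport"] = parts[0]
            if parts[1] == "trustpoint":      # trustpoint {client|server} NAME
                servers[cur]["trustpoint"][parts[2]] = parts[3]
            elif parts[1] in DEFAULTS:        # explicit value overrides the default
                servers[cur][parts[1]] = int(parts[2])
        elif kind == "aaa group server radius" and parts[:2] == ["server", "name"]:
            groups[cur].append(parts[2])
    return servers, dict(groups)

def lint(text):
    """Return findings a reviewer would want to see; empty means the excerpt is clean."""
    servers, groups = parse_config(text)
    findings = []
    for name, s in servers.items():
        if s["transport"] and {"client", "server"} - set(s["trustpoint"]):
            findings.append(f"{name}: {s['transport']} lacks a client or server trustpoint")
    for g, members in groups.items():
        kinds = {servers[m]["transport"] for m in members if m in servers} - {None}
        if len(kinds) > 1:
            findings.append(f"group {g}: mixes TLS and DTLS servers; use one type per group")
    return findings
```

Run lint over a show running-config excerpt to get the findings list; on the constructed sample it reports R2 (no server trustpoint) and RADSEC-GROUP (mixed transports).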

Feature History for Configuring RadSec

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

  Release                       Feature                         Feature Information
  Cisco IOS XE Everest 16.6.1   Configuring RadSec over DTLS    RadSec over DTLS provides encryption services over the RADIUS server, which is transported over a secure tunnel.
  Cisco IOS XE Fuji 16.9.1      Configuring RadSec over TLS     RadSec over TLS provides encryption services over the RADIUS server, which is transported over a secure tunnel.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.