Configuring RadSec

This chapter describes how to configure RadSec over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) servers.

Restrictions for Configuring RadSec

The following restrictions apply to the RadSec feature:

  • The RADIUS client uses an ephemeral port as its source port. The same source port must not be used for UDP, Datagram Transport Layer Security (DTLS), and Transport Layer Security (TLS) at the same time.

  • Although there is no configuration restriction, it is recommended to use the same transport type, either only TLS or only DTLS, for a server under an Authentication, Authorization, and Accounting (AAA) server group.

  • RadSec is supported on IPv4 connections only.

Information About RadSec

How to Configure RadSec

The following sections provide information about the various tasks that comprise RadSec configuration.

Configuring RadSec over TLS

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius server radius-server-name
  4. tls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

tls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ip vrf forwarding table-1
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp

Configures the TLS parameters. You can configure the following parameters:

  • connectiontimeout — Configures the TLS connection timeout value. The default is 5 seconds.

  • idletimeout — Configures the TLS idle timeout value. The default is 60 seconds.

  • ip — Configures the IP source parameters (source interface or VRF).

  • port — Configures the TLS port number. The default is 2083.

  • retries — Configures the number of TLS connection retries. The default is 5.

  • trustpoint — Configures the TLS trustpoint for the client and for the server. If the client and the server use the same TLS trustpoint, the same trustpoint name must be configured for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Dynamic Authorization for TLS CoA

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa server radius dynamic-author
  4. client {ip-addr | hostname} [tls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which the device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [tls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • tls — Enables TLS for the client.

    • client-tp — Configures the client trustpoint.

    • idletimeout — Configures the TLS idle timeout value.

    • server-tp — Configures the server trustpoint.

  • vrf — Virtual routing and forwarding (VRF) ID of the client.

Step 5

end

Example:

Device(config-locsvr-da-radius)# end

Returns from dynamic authorization local server configuration mode to privileged EXEC mode.

Configuring RadSec over DTLS

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. radius server radius-server-name
  4. dtls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]
  5. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

radius server radius-server-name

Example:

Device(config)# radius server R1

Specifies the name for the RADIUS server configuration for Protected Access Credential (PAC) provisioning, and enters RADIUS server configuration mode.

Step 4

dtls [connectiontimeout connection-timeout-value] [idletimeout idle-timeout-value] [ip {radius source-interface interface-name |vrf forwarding forwarding-table-name} ] [port port-number] [retries number-of-connection-retries] [trustpoint {client trustpoint name | server trustpoint name}]

Example:

Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ip vrf forwarding table-1
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp

Configures DTLS parameters. You can configure the following parameters:

  • connectiontimeout — Configures the DTLS connection timeout value. The default is 5 seconds.

  • idletimeout — Configures the DTLS idle timeout value. The default is 60 seconds.

  • ip — Configures the IP source parameters (source interface or VRF).

  • port — Configures the DTLS port number. The default is 2083.

  • retries — Configures the number of DTLS connection retries. The default is 5.

  • trustpoint — Configures the DTLS trustpoint for the client and for the server. If the client and the server use the same DTLS trustpoint, the same trustpoint name must be configured for both.

Step 5

end

Example:

Device(config-radius-server)# end

Exits RADIUS server configuration mode and returns to privileged EXEC mode.

Configuring Dynamic Authorization for DTLS CoA

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa server radius dynamic-author
  4. client {ip-addr | hostname} [dtls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]
  5. dtls {ip radius source-interface interface-name | port radius-dtls-server-port-number}
  6. end

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which the device accepts Change of Authorization (CoA) and disconnect requests. Configures the device as an AAA server to facilitate interaction with an external policy server.

Step 4

client {ip-addr | hostname} [dtls [client-tp client-tp-name] [ idletimeout idletimeout-interval ] [server-tp server-tp-name] | vrf vrf-id ]

Example:

Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp dtls_ise server-tp dtls_client

Configures the IP address or hostname of the AAA server client. You can configure the following optional parameters:

  • dtls — Enables DTLS for the client.

    • client-tp — Configures the client trustpoint.

    • idletimeout — Configures the DTLS idle timeout value.

    • server-tp — Configures the server trustpoint.

  • vrf — Virtual routing and forwarding (VRF) ID of the client.

Step 5

dtls {ip radius source-interface interface-name | port radius-dtls-server-port-number}

Example:

Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100

Configures the local RADIUS CoA server. You can configure the following parameters:

  • ip radius source-interface interface-name — Specifies the interface whose address is used as the source address of the RADIUS CoA server.

  • port radius-dtls-server-port-number — Specifies the port on which the local DTLS RADIUS server listens.

Step 6

end

Example:

Device(config-locsvr-da-radius)# end

Returns from dynamic authorization local server configuration mode to privileged EXEC mode.

Monitoring RadSec

Use the following commands to monitor TLS and DTLS server statistics:

Table 1. Monitoring TLS and DTLS Server Statistics Commands

  Command                                              Purpose

  show aaa servers                                     Displays information related to TLS and DTLS servers.

  clear aaa counters servers radius {server id | all}  Clears the RADIUS TLS-specific or DTLS-specific statistics.

  debug radius radsec                                  Enables RadSec debugging for RADIUS.

Configuration Examples for RadSec

The following examples help you understand the RadSec configuration better.

Example: Configuring RadSec over TLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# tls connectiontimeout 10
Device(config-radius-server)# tls idletimeout 75
Device(config-radius-server)# tls retries 15
Device(config-radius-server)# tls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# tls ip vrf forwarding table-1
Device(config-radius-server)# tls port 10
Device(config-radius-server)# tls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# tls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for TLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 tls idletimeout 100 client-tp tls_ise server-tp tls_client
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end

Example: Configuring RadSec over DTLS

Device> enable
Device# configure terminal
Device(config)# radius server R1
Device(config-radius-server)# dtls connectiontimeout 10
Device(config-radius-server)# dtls idletimeout 75
Device(config-radius-server)# dtls retries 15
Device(config-radius-server)# dtls ip radius source-interface GigabitEthernet 1/0/1
Device(config-radius-server)# dtls ip vrf forwarding table-1
Device(config-radius-server)# dtls port 10
Device(config-radius-server)# dtls trustpoint client TP-self-signed-721943660
Device(config-radius-server)# dtls trustpoint server isetp
Device(config-radius-server)# end

Example: Configuring Dynamic Authorization for DTLS CoA

Device> enable
Device# configure terminal
Device(config)# aaa server radius dynamic-author
Device(config-locsvr-da-radius)# client 10.104.49.14 dtls idletimeout 100 client-tp dtls_ise server-tp dtls_client
Device(config-locsvr-da-radius)# dtls ip radius source-interface GigabitEthernet 1/0/24
Device(config-locsvr-da-radius)# dtls port 100
Device(config-locsvr-da-radius)# end
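As an added check that is not part of this guide, the following Python script parses "radius server" blocks like the ones produced by the TLS and DTLS procedures above, fills in the defaults the guide documents (connectiontimeout 5, idletimeout 60, port 2083, retries 5), and reports servers that mix tls and dtls or whose tls/dtls entry lacks a client or server trustpoint. The sample configuration is constructed; server R2 is deliberately inconsistent.

```python
import re
DEFAULTS = {"connectiontimeout": 5, "idletimeout": 60, "port": 2083, "retries": 5}  # documented defaults

# Constructed sample of "radius server" blocks; R2 is deliberately inconsistent.
SAMPLE_CONFIG = """\
radius server R1
 tls connectiontimeout 10
 tls ip radius source-interface GigabitEthernet 1/0/1
 tls port 10
 tls trustpoint client TP-self-signed-721943660
 tls trustpoint server isetp
radius server R2
 dtls port 2083
 tls trustpoint client TP-self-signed-721943660
"""

def parse_radius_servers(config):
    # Returns {server_name: {"tls": {...}, "dtls": {...}}} holding only the configured keys.
    servers, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"radius server (\S+)\s*$", line):
            current = m.group(1)
            servers[current] = {"tls": {}, "dtls": {}}
        elif current and (m := re.match(r"\s+(tls|dtls)\s+(\S+)(?:\s+(.*))?$", line)):
            proto, key, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
            params = servers[current][proto]
            if key == "trustpoint":            # "trustpoint client NAME" / "trustpoint server NAME"
                role, name = rest.split(None, 1)
                params["trustpoint_" + role] = name
            elif key == "ip":                  # source interface / VRF, kept as text
                params.setdefault("ip", []).append(rest)
            else:                              # connectiontimeout, idletimeout, port, retries
                params[key] = int(rest)
    return servers

def effective_params(params):
    # Values the device will use: configured ones, with the documented defaults filled in.
    return {**DEFAULTS, **params}

def audit(servers):
    # Flags servers that mix TLS and DTLS, and tls/dtls entries missing a trustpoint.
    findings = []
    for name, protos in servers.items():
        configured = [p for p in ("tls", "dtls") if protos[p]]
        if len(configured) == 2:
            findings.append(f"{name}: both tls and dtls configured; use one transport per server")
        for p in configured:
            findings += [f"{name}: {p} has no {role} trustpoint"
                         for role in ("client", "server") if "trustpoint_" + role not in protos[p]]
    return findings
```

Feed it the output of show running-config from a device to review every RadSec server in one pass.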

Feature History for Configuring RadSec

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

  Release                        Feature                         Feature Information

  Cisco IOS XE Everest 16.6.1    Configuring RadSec over DTLS    RadSec over DTLS encrypts RADIUS traffic between the device and the RADIUS server by transporting it over a secure DTLS tunnel.

  Cisco IOS XE Fuji 16.9.1       Configuring RadSec over TLS     RadSec over TLS encrypts RADIUS traffic between the device and the RADIUS server by transporting it over a secure TLS tunnel.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.