Table of Contents
Advertisement
(Instant AP)# commit apply
Enabling RADIUS Communication over TLS
You can configure an IAP to use Transport Layer Security (TLS) tunnel and to enable secure communication
between the RADIUS server and IAP clients. Enabling RADIUS communication over TLS increases the level of
security for authentication that is carried out across the cloud network. When configured, this feature ensures
that RadSec protocol is used for safely transmitting the authentication and accounting data between the IAP
clients and the RADIUS server in cloud.
The following configuration conditions apply to RadSec configuration:
When the TLS tunnel is established, RADIUS packets will go through the tunnel and server adds CoA on this
l
tunnel.
By default, the TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication,
l
accounting, and dynamic authorization changes.
Instant supports dynamic CoA (RFC 3576) over RadSec and the RADIUS server uses an existing TLS
l
connection opened by the IAP to send the request.
For authentication between the IAP clients and the TLS server, RadSec certificate must be uploaded to IAP.
l
For more information on uploading certificates, see
Configuring RadSec Protocol
You can configure RadSec Protocl using the Instant UI or the CLI;
In the Instant UI
To configure the RadSec protocol in the UI:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A popup window for specifying details for the new server is displayed.
3. Under RADIUS Server, configure the following parameters:
a. Enter the name of the server.
b. Enter the host name or the IP address of the server.
c. Select Enabled to enable RadSec.
d. Ensure that the port defined for RadSec is correct. By default, the port number is set to 2083.
e. To allow the IAPs to process RFC 3576-compliant Change of Authorization (CoA) and disconnect
messages from the RADIUS server, set RFC 3576 to Enabled. Disconnect messages cause a user session
to be terminated immediately, whereas the CoA messages modify session authorization attributes such
as data filters.
f. If RFC 3576 is enabled, specify an AirGroup CoA port if required.
g. Enter the NAS IP address.
h. Specify the NAS identifier to configure strings for RADIUS attribute 32 and to send it with RADIUS
requests to the RADIUS server.
4. Click OK.
In the CLI
To configure the RadSec protocol:
(Instant AP)(config)# wlan auth-server <profile-name>
(Instant AP)(Auth Server "name")# ip <host>
(Instant AP)(Auth Server "name")# radsec [port <port>]
(Instant AP)(Auth Server "name")# rfc3576
(Instant AP)(Auth Server "name")# nas-id <id>
(Instant AP)(Auth Server "name")# nas-ip <ip>
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Uploading Certificates on page
Authentication and User Management |
179.
161
Hide quick links:
Advertisement
Table of Contents
