radius-server host tls port

Syntax

radius-server host <IP-ADDR/FQDN> tls port <PORT>
no radius-server host <IP-ADDR/FQDN> tls port <PORT>

Description

Enables a TLS session over a TCP connection for the RadSec protocol. RADIUS packets are encrypted because they are carried inside the TLS session over the TCP connection.

The no form of the command reverts the TLS session to the default port, 2083.

Command context

config

Parameters

IP-ADDR

Specifies the server IPv4 address.

FQDN

Specifies the server FQDN.

NOTE:

For a RadSec connection to succeed when an FQDN is configured as the RADIUS server, the certificate presented by the RadSec server must contain the same FQDN in the common name or in the DNS field of the certificate.

PORT

Specifies the TCP destination port number for the TLS session.

The default port is 2083.

Examples

The following example shows how to configure a RADIUS server with an address of 10.3.17.8 and enable TLS. If no port is configured, TLS is enabled on the default port, 2083, as shown:

switch(config)# radius-server
 access-request        Configure access-request attribute to be included.
 cppm                  Username and password combination of ClearPass which is
                       used to login to ClearPass to download user roles.
 dead-time             Configure the dead time for unavailable RADIUS servers.
 dyn-autz-port         Configure the UDP port for dynamic authorization
                       messages.
 fqdn-retry            The interval at which the resolution of the FQDN is
                       retried for the radius server which failed to resolve
                       the FQDN at the time of configuring it.
 host                  Configure a RADIUS server.
 key                   Configure the default authentication key for all RADIUS
                       servers.
 retransmit            Configure the request retransmit count.
 timeout               Configure the server response timeout.
 tls                   Configure the RADIUS server with respect to TLS.
 tracking              Configure RADIUS service tracking parameters.

switch(config)# radius-server host
 FQDN                  The server fqdn address.
 IP-ADDR               The server IPv4 address.
 IPV6-ADDR             The server IPv6 address.

NOTE: RadSec for IPv6 servers is not supported.

switch(config)# radius-server host 10.3.17.8 tls
 clearpass             Radius server is hosted by ClearPass or not
 dyn-authorization     Accept dynamic authorization messages.
 oobm                  Use the OOBM interface to connect to the server.
 port                  Configure the TCP destination port number for TLS
                       session (the default is 2083).
 time-window           Configure replay protection for dynamic authorization
                       messages.

switch(config)# show radius host 10.3.17.8

 Status and Counters - RADIUS Server Information


    Server IP Addr : 10.3.17.8             TLS Enabled : Yes

  Authentication Port     : 2083         Accounting Port      : 2083
  Round Trip Time         : 0            Round Trip Time      : 0
  Pending Requests        : 0            Pending Requests     : 0
  Retransmissions         : 0            Retransmissions      : 0
  Timeouts                : 0            Timeouts             : 0
  Malformed Responses     : 0            Malformed Responses  : 0
  Bad Authenticators      : 0            Bad Authenticators   : 0
  Unknown Types           : 0            Unknown Types        : 0
  Packets Dropped         : 0            Packets Dropped      : 0
  Access Requests         : 0            Accounting Requests  : 0
  Access Challenges       : 0            Accounting Responses : 0
  Access Accepts          : 0
  Access Rejects          : 0

Upon enabling TLS on port 1026 of RADIUS host 10.3.17.8:

switch(config)# radius-server host 10.3.17.8 tls port
 <1025-65535>          Enter a TCP port number.

switch(config)# radius-server host 10.3.17.8 tls port 1026

switch(config)# show radius host 10.3.17.8

 Status and Counters - RADIUS Server Information


  Server IP Addr : 10.3.17.8            TLS Enabled : Yes

  Authentication Port     : 1026         Accounting Port      : 1026
  Round Trip Time         : 0            Round Trip Time      : 0
  Pending Requests        : 0            Pending Requests     : 0
  Retransmissions         : 0            Retransmissions      : 0
  Timeouts                : 0            Timeouts             : 0
  Malformed Responses     : 0            Malformed Responses  : 0
  Bad Authenticators      : 0            Bad Authenticators   : 0
  Unknown Types           : 0            Unknown Types        : 0
  Packets Dropped         : 0            Packets Dropped      : 0
  Access Requests         : 0            Accounting Requests  : 0
  Access Challenges       : 0            Accounting Responses : 0
  Access Accepts          : 0
  Access Rejects          : 0

The following example shows the FQDN www.clearpass.com being configured as a radius-server host. The show output reports that the connection has not been established because the certificate presented by the server does not carry that FQDN in its common name:

switch(config)# radius-server host www.clearpass.com tls

switch(config)# show radius host www.clearpass.com

 Status and Counters - RADIUS Server Information


  Server IP Addr : 10.101.0.199          TLS Enabled : Yes

  Authentication Port     : 2083         Accounting Port      : 2083
  Round Trip Time         : 0            Round Trip Time      : 0
  Pending Requests        : 0            Pending Requests     : 0
  Retransmissions         : 0            Retransmissions      : 0
  Timeouts                : 0            Timeouts             : 0
  Malformed Responses     : 0            Malformed Responses  : 0
  Bad Authenticators      : 0            Bad Authenticators   : 0
  Unknown Types           : 0            Unknown Types        : 0
  Packets Dropped         : 0            Packets Dropped      : 0
  Access Requests         : 0            Accounting Requests  : 0
  Access Challenges       : 0            Accounting Responses : 0
  Access Accepts          : 0
  Access Rejects          : 0
  Connection Status       : Waiting for socket creation
  Connection Error        : RadSec server certificate has bad common name.

  Retrying the connection in (minutes) : 5
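As an added example (not part of the product documentation or the switch's own code), the following Python script reproduces the certificate name check described in the NOTE under the FQDN parameter and the "bad common name" error shown in the last example: it retrieves the RadSec server's certificate over TLS on the configured port and checks that the configured FQDN appears as the common name or as a DNS entry of that certificate. It assumes the CA certificate the switch trusts is available in a PEM file; the sample certificate dictionary and its names are constructed for this example.

```python
from __future__ import annotations
import socket
import ssl

RADSEC_DEFAULT_PORT = 2083  # default TLS port from the command reference

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and address are made up for this example.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "radsec.example.net"),)),
    "subjectAltName": (("DNS", "radsec.example.net"),
                       ("DNS", "www.clearpass.example"),
                       ("IP Address", "10.101.0.199")),
}

def names_from_cert(cert: dict) -> tuple[str | None, list[str]]:
    """Return the subject common name and the SAN DNS entries of a parsed certificate."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, dns_names

def fqdn_matches_cert(fqdn: str, cert: dict) -> bool:
    """Apply the rule from the reference: the configured FQDN must appear as the
    common name or as a DNS entry of the server certificate. The comparison is
    case-insensitive and ignores a trailing dot, as DNS names are."""
    wanted = fqdn.rstrip(".").lower()
    cn, dns_names = names_from_cert(cert)
    candidates = ([cn] if cn else []) + dns_names
    return any(c.rstrip(".").lower() == wanted for c in candidates)

def fetch_radsec_cert(fqdn: str, cafile: str, port: int = RADSEC_DEFAULT_PORT,
                      timeout: float = 5.0) -> dict:
    """Open a TLS session to the RadSec server and return its parsed certificate.
    The chain is verified against cafile (the CA the switch trusts); the built-in
    hostname check is disabled only so that fqdn_matches_cert can report the
    name mismatch explicitly instead of the handshake raising an exception."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```

Run `fqdn_matches_cert(fqdn, fetch_radsec_cert(fqdn, "ca.pem", port))` with the FQDN and port you intend to configure on the switch; a False result corresponds to the "RadSec server certificate has bad common name" connection error above.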