Deployment scenarios

RadSec (RADIUS over TLS) mitigates the risk of traffic sniffing over insecure networks by carrying the RADIUS packets exchanged with remote RADIUS servers inside an encrypted TLS tunnel.

For the TLS connection to succeed, install the certificates in either of the following ways:

  • Install the certificate manually by raising a certificate signing request (CSR). For more information about installing the certificate manually, see the Access Security Guide of your switch.
  • Enroll the application certificate using EST (Enrollment over Secure Transport). For more information about EST, see the Access Security Guide of your switch.

After installation, copy the CA certificates of the RADIUS servers to the switch certificate store so that the switch can validate the server certificate during the TLS handshake.

If no certificate with the usage radsec is installed, the switch uses the default IDEVID certificate.

You can deploy the RADIUS/TLS servers in any of the following scenarios:

  • Scenario 1: Switch establishes a TLS connection with the RADIUS server.

  • Scenario 2: Switch establishes a TLS connection with the proxy server, which communicates with the RADIUS server.

Scenario 1: Switch establishes a TLS connection with the RADIUS server

In this scenario, the RADIUS server is reached across the WAN. RADIUS/TLS protects the user data by creating an encrypted TLS tunnel between the switch and the authentication server.

Scenario 2: Switch establishes a TLS connection with the proxy server, which communicates with the RADIUS server

In this scenario, multiple RADIUS servers are distributed across the WAN (untrusted networks). The switch establishes a TLS connection to a RADIUS proxy, which directs the RADIUS requests to the RADIUS server that listens on UDP. The proxy server uses the switch certificates to authenticate the client and server credentials. As a result, all RADIUS traffic crossing the untrusted network is TLS encrypted.
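The following radsecproxy configuration is added here as an illustration of Scenario 2 and is not part of the switch documentation or of the radsecproxy project. It terminates the switch's TLS connection on TCP port 2083 (the IANA-assigned RADIUS/TLS port) and forwards each RADIUS request as plain UDP to a back-end RADIUS server. The TLS leg is the same one the switch uses in Scenario 1, where it terminates directly on a RADIUS/TLS-capable server instead of a proxy. Host addresses, file paths and the back-end shared secret are placeholders, and the option names assume radsecproxy's configuration format; check them against the man page of the installed version.

```conf
# radsecproxy.conf (added example; hosts, paths and secrets are placeholders)

# Accept RADIUS/TLS from the switch on 2083/TCP.
ListenTLS *:2083

# Proxy identity and trust store. CACertificateFile must contain the CA that
# issued the switch's radsec-usage certificate (or its default IDEVID
# certificate); the proxy certificate must chain to a CA that has been copied
# into the switch certificate store, or the switch rejects the handshake.
tls default {
    CACertificateFile   /etc/radsecproxy/certs/ca-chain.pem
    CertificateFile     /etc/radsecproxy/certs/proxy.pem
    CertificateKeyFile  /etc/radsecproxy/certs/proxy.key
}

# The switch (TLS leg). RFC 6614 fixes the RADIUS shared secret to "radsec"
# for RADIUS/TLS: confidentiality and peer authentication come from mutual TLS,
# not from the secret.
client switch-site-a {
    host    192.0.2.10
    type    tls
    tls     default
    secret  radsec
}

# Back-end RADIUS server (UDP leg). This leg is not encrypted, so the proxy
# must sit on the same trusted network segment as the server.
server radius-backend {
    host    198.51.100.5
    port    1812
    type    udp
    secret  REPLACE-WITH-BACKEND-SHARED-SECRET
}

# Forward every realm to the back-end server.
realm * {
    server  radius-backend
}
```

By default radsecproxy compares the name in the presented client certificate with the `host` value of the matching client block, so the subject or subjectAltName of the switch certificate must match the configured address (or a matching rule such as `matchCertificateAttribute` must be added). The `secret` on the server block only provides conventional RADIUS integrity on the UDP leg; it does not encrypt the traffic, which is why that leg must stay inside the trusted network while the WAN crossing is the TLS leg.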