RadSec considerations

RADIUS communication between the switch and the RADIUS server uses UDP as the transport. RadSec allows the switch and the RADIUS server to communicate over TCP and TLS instead. RadSec considerations are as follows:
  • No change in RADIUS packet formats from UDP to TCP.

  • TLS version must be at least 1.1 for successful connections.

  • Mutually authenticated TLS connections are required. The default port is 2083.

    For more information about automatic certificate enrollment, see the EST certificates section in the Access Security Guide for your switch.

  • If no certificate with the usage radsec-client or all is installed, the switch uses the default IDEVID certificate.

  • If a server group contains RADIUS servers that support both UDP and TCP, authentication falls back to the next available RADIUS server when a connection fails.

  • With RADIUS tracking enabled, if the RadSec server is not reachable because the TCP connection fails, the server is marked as a DEAD server. If a deadtime is configured for the server, no new requests are sent to it until the deadtime elapses.

  • The connection time-out is configurable.