Example of RadSec configuration

Prerequisite

• ClearPass version is 6.7.4 or higher.

ClearPass as RadSec server

Following are the steps to configure ClearPass as RadSec server:

1. Import Root CA certificate to the ClearPass certificate store. Choose Select Type as RadSec Server Certificate

2. Click Create Certificate Signing Request.

   Enter the IP address of ClearPass . For configuring radius-server host FQDN on DUT, enter the hostname.

   

3. Sign the created CSR with CA.

4. Ensure RadSec Server Certificate is selected while importing signed certificate.

   

5. Select Enable RadSec while adding devices.

   The IP address is used as the source IP of the DUT and must be reachable from ClearPass.

   

DUT configuration

Follow these steps to configure DUT:

1. Generate CSR with usage radsec-client

   DUT(config)# crypto pki  ta-profile ta1
   DUT(config)# crypto pki create-csr certificate-name Cert1 ta-profile ta1
    key-type rsa key-size 2048 subject common-name test org HEP org-unit HPN state KA country IN usage radsec-client
   

2. Copy CA root certificate generated on CA.

   DUT(config)# copy tftp ta-certificate ta1 <tftp server ip> certnew.cer

3. Sign the CSR with CA.
4. Install the signed certificate.

   DUT(config)# crypto pki install-signed-certificate

5. Verify the installed Root and Local certificate.

   DUT(config)# sh crypto pki ta-profile
     Profile Name    Profile Status                 CRL Configured  OCSP Configured
     --------------- ------------------------------ --------------- ---------------
     IDEVID_ROOT     Root Certificate Installed
     COMODO_CA       Root Certificate Installed     No              No
     default         Self-signed Certificate Ins... No              No
     GEOTRUST_CA     Root Certificate Installed     No              No
     ARUBA_CA        Root Certificate Installed     No              No
     ADDTRUST_CA     Root Certificate Installed     No              No
     clearpass       Root Certificate Installed     No              No
     ta1             Root Certificate Installed     No              No
    
   DUT(config)# sh crypto pki local-certificate
      Name                 Usage         Expiration     Parent / Profile
      -------------------- ------------- -------------- --------------------
      IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
      IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
      IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT
      test                 All           2019/08/13     default
      Test_Certificate     Web           2019/08/03     default
      Cert1                  RADSEC        2020/02/14     ta1
   DUT(config)#
   

6. Configure radius-server with tls option.

   DUT(config)# radius-server host 192.168.1.252 tls

7. Enable debug commands.

   Debug security RadSec
   Debug security radius
   

8. Verify the RadSec connection.

   DUT(config)# show radius host 192.168.1.252
   
    Status and Counters - RADIUS Server Information
   
   
     Server IP Addr : 192.168.1.252         TLS Enabled : Yes
   
     Authentication Port     : 2083         Accounting Port      : 2083
     Round Trip Time         : 4            Round Trip Time      : 0
     Pending Requests        : 0            Pending Requests     : 0
     Retransmissions         : 0            Retransmissions      : 0
     Timeouts                : 78           Timeouts             : 0
     Malformed Responses     : 0            Malformed Responses  : 0
     Bad Authenticators      : 2            Bad Authenticators   : 0
     Unknown Types           : 0            Unknown Types        : 0
     Packets Dropped         : 10           Packets Dropped      : 0
     Access Requests         : 1435         Accounting Requests  : 0
     Access Challenges       : 22           Accounting Responses : 0
     Access Accepts          : 11
     Access Rejects          : 1324
     Connection Status       : RADSEC Connection established
     Connection Error        : NA