API Guide

If no address of the same IP version as the RADIUS server is configured, RADIUS authentication is performed with no
source interface, using the IP address of the management interface. The management IP address serves as the RADIUS
network access server (NAS) IP address on the switch.
ip radius source-interface interface
On the RADIUS server, use the Linux command line to update the configured IP routes so that the server's route back to
the NAS IP address, that is, the address of the source interface, matches the route the switch uses toward the server.
If OS10 uses a RADIUS server VRF instance, a RADIUS server source interface is not supported and cannot be configured.
(Optional) By default, the switch uses the default VRF instance to communicate with RADIUS servers. You can instead
configure a nondefault VRF instance or the management VRF instance for RADIUS authentication in CONFIGURATION mode.
radius-server vrf management
radius-server vrf vrf-name
Configure RADIUS server
OS10(config)# radius-server host 1.2.4.5 key secret1
OS10(config)# radius-server retransmit 10
OS10(config)# radius-server timeout 10
OS10(config)# ip radius source-interface mgmt 1/1/1
Configure RADIUS server for non-default VRFs
OS10(config)# ip vrf blue
OS10(conf-vrf)# exit
OS10(config)# radius-server vrf blue
View RADIUS server configuration
OS10# show running-configuration
...
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
...
Delete RADIUS server
OS10# no radius-server host 1.2.4.5
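The route alignment the source-interface step asks for can be checked from the RADIUS server side. The following Python is an added example, not Dell OS10 or Linux tooling; the routing-table text is a constructed sample in the format of `ip route show`, and the NAS address 10.10.20.7 and interface names are assumptions. It does a longest-prefix-match lookup of the NAS IP address (the switch's source interface address) and confirms that the server's reply would leave via the expected interface and preferred source address.

```python
"""Longest-prefix-match check: does the RADIUS server reach the NAS IP (the
switch's source interface address) via the interface and source address we expect?
Added example; SAMPLE_ROUTES is a constructed sample in `ip route show` format,
not output captured from any real host."""
import ipaddress
import re

# "<dst|default> [via <gw>] dev <if> ... [src <addr>]"
ROUTE_RE = re.compile(r"^(default|\S+)(?: via (\S+))? dev (\S+)(?:.* src (\S+))?")

SAMPLE_ROUTES = """
default via 192.0.2.1 dev eth0 proto static
10.10.0.0/16 via 192.0.2.254 dev eth0 proto static
10.10.20.0/24 dev eth1 proto kernel scope link src 10.10.20.5
"""


def parse_routes(text):
    """Return (network, gateway, device, preferred source) tuples; unparsable lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst, via, dev, src = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, via, dev, src))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, as the kernel FIB does for a unicast destination."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in routes:
        net = entry[0]
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = entry
    return best


def route_matches_nas(routes, nas_ip, expected_dev, expected_src=None):
    """True when the reply to the NAS leaves via expected_dev (and expected_src, if given)."""
    hit = lookup(routes, nas_ip)
    if hit is None:
        return False
    _, _, dev, src = hit
    return dev == expected_dev and (expected_src is None or src == expected_src)


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print(lookup(table, "10.10.20.7"))
    print(route_matches_nas(table, "10.10.20.7", "eth1", "10.10.20.5"))
```

On a live server the same answer comes from `ip route get <nas-ip>`; the function form is useful when auditing several servers' tables at once before changing routes.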
RADIUS over TLS authentication
Traditional RADIUS user authentication runs over UDP and relies on the MD5 message-digest algorithm, keyed with the
shared secret, to hide the user password and to authenticate server replies; the rest of the exchange, including the user
ID, is sent in the clear. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the
RADIUS over Transport Layer Security (TLS) protocol. RADIUS over TLS secures the entire authentication exchange in a TLS
connection and provides additional security by:
- Performing mutual authentication of a client and server using public key infrastructure (PKI) certificates
- Encrypting the entire authentication exchange so that neither the user ID nor password is vulnerable to discovery
RADIUS over TLS authentication requires that X.509v3 PKI certificates are configured on a certification authority (CA) and
installed on the switch. For more information, including a complete RADIUS over TLS use case, see X.509v3 certificates.
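To make concrete what RADIUS over TLS wraps, the following Python is an added example (not OS10 code and not reference code from the RFCs) that builds a classic RFC 2865 Access-Request and Access-Accept and shows exactly where MD5 sits: the User-Name attribute travels in the clear, the User-Password is hidden only by an MD5 keystream derived from the shared secret and the Request Authenticator, and the reply's only integrity check is one MD5 over the packet plus the secret. The shared secret, user name, password and NAS address 192.0.2.10 are constructed values.

```python
"""Worked RFC 2865 Access-Request / Access-Accept encoder showing how classic
RADIUS uses MD5. Added example; all values (secret, user, password, NAS address)
are constructed and not taken from any real deployment."""
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-octet Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def server_decode_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does on receipt: regenerate the keystream and XOR back."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list; rejects truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """NAS side (the switch). The Request Authenticator must be 16 fresh random octets."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: recompute the MD5 and compare in constant time."""
    if len(response) < 20:
        return False
    _, _, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"secret1", request_auth=bytes(range(16))):
    """Constructed exchange; returns (cleartext user name seen on the wire,
    password the server recovers, reply verifies, tampered reply verifies)."""
    req = build_access_request(7, secret, b"alice", b"correct horse battery", "192.0.2.10", request_auth)
    wire = parse_attrs(req[20:])
    recovered = server_decode_password(wire[ATTR_USER_PASSWORD], secret, request_auth)
    resp = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, b"", secret)
    tampered = bytes([CODE_ACCESS_REJECT]) + resp[1:]
    return wire[ATTR_USER_NAME], recovered, verify_response(resp, request_auth, secret), verify_response(tampered, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

The point for the operator is that every protection in this exchange depends on the strength and secrecy of one shared secret and on MD5; RADIUS over TLS leaves the packet format unchanged but carries it inside a mutually authenticated TLS session, so the user name, the hidden password and the authenticators are all encrypted and integrity protected by TLS.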
NOTE:
If you enable FIPS using the crypto fips enable command, RADIUS over TLS operates in FIPS mode. In FIPS
mode, RADIUS over TLS requires that a FIPS-compliant certificate and key pair are installed on the switch. In non-FIPS
mode, RADIUS over TLS requires that a certificate is installed as a non-FIPS certificate. For information about how to install
FIPS-compliant and non-FIPS certificates, see Request and install host certificates.
To configure RADIUS over TLS user authentication, use the radius-server host tls command. Enter the server IP
address or host name, and the shared secret key used to authenticate the OS10 switch on a RADIUS host. You must enter the
name of an X.509v3 security profile to use with RADIUS over TLS authentication; see Security profiles. You can enter the
Security
1029