Connectivity Guide

OS10(config)# radius-server timeout 10
OS10(config)# ip radius source-interface mgmt 1/1/1
Congure RADIUS server for non-default VRFs
OS10(config)# ip vrf blue
OS10(conf-vrf)# exit
OS10(config)# radius-server vrf blue
View RADIUS server configuration
OS10# show running-configuration
...
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
...
Delete RADIUS server
OS10# no radius-server host 1.2.4.5
RADIUS over TLS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol. RADIUS over TLS secures the entire authentication exchange in a TLS connection and provides additional security by:
Performing mutual authentication of a client and server using public key infrastructure (PKI) certificates
Encrypting the entire authentication exchange so that neither user ID nor password is vulnerable to discovery
RADIUS over TLS authentication requires that X.509v3 PKI certificates are configured on a certification authority (CA) and installed on the switch. For more information, including a complete RADIUS over TLS use case, see X.509v3 certificates.
NOTE: RADIUS over TLS operates in FIPS mode when you enable FIPS using the crypto fips enable command. In FIPS mode, RADIUS over TLS requires that a FIPS-compliant certificate is installed on the switch. In non-FIPS mode, RADIUS over TLS requires that a certificate is installed as a non-FIPS certificate. For information about how to install FIPS-compliant and non-FIPS certificates, see Request and install host certificates.
To congure RADIUS over TLS user authentication, use the radius-server host tls command. Enter the server IP address or host
name, and the shared secret key used to authenticate the OS10 switch on a RADIUS host. You must enter the name of an X.509v3 security
prole to use with RADIUS over TLS authentication — see Security proles. You can enter the authentication key in plain text or encrypted
format. By default, RADIUS over TLS connections use TCP port 2083, and require that the authentication key is radsec. You can change
the TCP port number on the server.
Congure a RADIUS over TLS authentication on a RADIUS server in CONFIGURATION mode.
radius-server host {hostname | ip-address} tls security-profile profile-name
[auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
To congure more than one RADIUS server for RADIUS over TLS authentication, re-enter the radius-server host tls command
multiple times. If you congure multiple RADIUS servers, OS10 attempts to connect in the order you congured them. An OS10 switch
connects with the congured RADIUS servers one at a time, until a RADIUS server responds with an accept or reject response. The switch
tries to connect with a server for the congured number of retransmit retries and timeout period.
Enter the name of a security prole to use with RADIUS over TLS authentication. The security prole determines the X.509v3 certicate
on the switch to use for TLS authentication with a RADIUS server. To congure a security prole for an OS10 application, see Security
proles.
Congure global settings for the timeout and retransmit attempts allowed on RADIUS servers as described in RADIUS authentication.
Security
791