Connectivity Guide
OS10(config)# radius-server timeout 10
OS10(config)# ip radius source-interface mgmt 1/1/1
Configure RADIUS server for non-default VRFs
OS10(config)# ip vrf blue
OS10(conf-vrf)# exit
OS10(config)# radius-server vrf blue
View RADIUS server configuration
OS10# show running-configuration
...
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
...
Delete RADIUS server
OS10# no radius-server host 1.2.4.5
RADIUS over TLS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To
provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS)
protocol. RADIUS over TLS secures the entire authentication exchange in a TLS connection and provides additional security by:
• Performing mutual authentication of a client and server using public key infrastructure (PKI) certificates
• Encrypting the entire authentication exchange so that neither user ID nor password is vulnerable to discovery
RADIUS over TLS authentication requires that X.509v3 PKI certificates are configured on a certification authority (CA) and installed on the
switch. For more information, including a complete RADIUS over TLS use case, see X.509v3 certificates.
NOTE: RADIUS over TLS operates in FIPS mode when you enable FIPS using the crypto fips enable command. In FIPS
mode, RADIUS over TLS requires that a FIPS-compliant certificate is installed on the switch. In non-FIPS mode, RADIUS over
TLS requires that a certificate is installed as a non-FIPS certificate. For information about how to install FIPS-compliant and
non-FIPS certificates, see Request and install host certificates.
To configure RADIUS over TLS user authentication, use the radius-server host tls command. Enter the server IP address or host
name, and the shared secret key used to authenticate the OS10 switch on a RADIUS host. You must enter the name of an X.509v3 security
profile to use with RADIUS over TLS authentication (see Security profiles). You can enter the authentication key in plain text or encrypted
format. By default, RADIUS over TLS connections use TCP port 2083, and require that the authentication key is radsec. You can change
the TCP port number on the server.
• Configure a RADIUS over TLS authentication on a RADIUS server in CONFIGURATION mode.
radius-server host {hostname | ip-address} tls security-profile profile-name
[auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
To configure more than one RADIUS server for RADIUS over TLS authentication, re-enter the radius-server host tls command
multiple times. If you configure multiple RADIUS servers, OS10 attempts to connect in the order you configured them. An OS10 switch
connects with the configured RADIUS servers one at a time, until a RADIUS server responds with an accept or reject response. The switch
tries to connect with a server for the configured number of retransmit retries and timeout period.
Enter the name of a security profile to use with RADIUS over TLS authentication. The security profile determines the X.509v3 certificate
on the switch to use for TLS authentication with a RADIUS server. To configure a security profile for an OS10 application, see Security
profiles.
Configure global settings for the timeout and retransmit attempts allowed on RADIUS servers as described in RADIUS authentication.
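As an added example (not part of the OS10 guide or Dell's own tooling), the following Python script parses radius-server host lines in the running-configuration layout shown above, recovers the attempt order, security profile, port and key type for each host, and flags hosts that still use plain UDP RADIUS or a RADIUS over TLS key other than radsec. The sample configuration, hostnames, profile name and key hash are constructed; the 1812 fallback port for non-TLS hosts is the RFC 2865 default rather than a value taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the "show running-configuration" layout shown above;
# the hostname, profile name and key hash are made up for this example.
SAMPLE_CONFIG = """\
radius-server host 1.2.4.5 key 9 0123456789abcdef0123456789abcdef
radius-server host radsec.example.test tls security-profile radsec-prof key 0 radsec
radius-server host 10.0.0.9 tls security-profile radsec-prof auth-port 2084 key 0 notradsec
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
"""
# One "radius-server host" line, following the command syntax given above.
HOST_RE = re.compile(
    r"^radius-server host (?P<addr>\S+)"
    r"(?: tls security-profile (?P<profile>\S+))?"
    r"(?: auth-port (?P<port>\d+))?"
    r" key(?: (?P<ktype>[09]))? (?P<key>\S+)$"
)
@dataclass
class RadiusHost:
    addr: str
    tls: bool
    profile: Optional[str]
    port: int
    key_type: str  # "0" = plain text, "9" = encrypted
    key: str

def parse_radius_hosts(config: str) -> list[RadiusHost]:
    """Return the configured hosts in the order OS10 will try them."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            tls = m["profile"] is not None
            # 2083 is the RADIUS over TLS default named in the text; 1812 is the RFC 2865 UDP default
            port = int(m["port"] or (2083 if tls else 1812))
            hosts.append(RadiusHost(m["addr"], tls, m["profile"], port, m["ktype"] or "0", m["key"]))
    return hosts

def audit(hosts: list[RadiusHost]) -> list[str]:
    """Flag entries that do not meet the RADIUS over TLS requirements described above."""
    findings = []
    for h in hosts:
        if not h.tls:
            findings.append(f"{h.addr}: plain RADIUS over UDP, exchange is not TLS-encrypted")
        elif h.key != "radsec":
            findings.append(f"{h.addr}: RADIUS over TLS but shared key is not 'radsec'")
    return findings
```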
Security
791