
254 | Authentication Servers | Dell Networking W-Series ArubaOS 6.4.x | User Guide
Enabling Radsec on RADIUS Servers
Conventional RADIUSprotocol offers limited security. This level of limited security is not sufficient for
authentication that takes place across unsecured networks such as the Internet. To address this, the
RADIUSover TLSor Radsec enhancement is introduced to ensure RADIUSauthentication and accounting data
is transmitted safely and reliably across insecure networks. The default destination port for RADIUS over TLS is
TCP/2083. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
In a TLS connection, both the controller (TLS client) and the Radsec server (TLS server) must authenticate
each other using certificates. For the controller to authenticate the Radsec server:
• If the Radsec server uses a certificate signed by a CA, the Certificate Authority (CA) certificate must be
uploaded as a Trusted CA.
• If the Radsec server uses a self-signed certificate, that certificate must be uploaded as a PublicCert.
If neither of these certificates is configured, the controller does not attempt to establish a connection with the
Radsec server, even if Radsec is enabled.
The controller also needs to present a TLS client certificate to the Radsec server. To use a custom certificate,
upload it to the controller as a ServerCert and configure Radsec to accept and use it. If no certificate is
configured, the controller uses the device certificate in its Trusted Platform Module (TPM); in this case, the
Aruba device CA that signed the controller's certificate must be configured as a Trusted CA on the Radsec
server.
When Radsec is enabled, the default RADIUS shared key is radsec, and it remains radsec even if the user
configures a different shared key.
In the Web UI
1. From the Configuration tab, navigate to the Security > Authentication > Servers page.
2. Click RADIUS Server.
3. Click the Radsec server from the list displayed.
4. Enter the Radsec-related parameters as described in Table 42.
5. Click Apply.
In the CLI
aaa authentication-server radius <rad_server_name>
    enable-radsec
    radsec-client-cert-name <name>
    radsec-port <radsec-port>
    radsec-trusted-cacert-name <radsec-trusted-ca>
    radsec-trusted-servercert-name <name>
To upload certificates through the CLI, see Importing Certificates.
To configure a Radsec server as an RFC 3576 server for dynamic authorization (CoA), see Configuring an RFC-3576
RADIUS Server on page 259.
RADIUS Server VSAs
Vendor-Specific Attributes (VSAs) are a method for communicating vendor-specific information between
Network Access Servers and RADIUS servers, allowing vendors to support their own extended attributes. You
can use Dell VSAs to derive the user role and VLAN for RADIUS-authenticated clients; however, the VSAs must
be present on your RADIUS server. This requires that you update the RADIUS dictionary file with the vendor
name (Aruba) and/or the vendor-specific code (14823), the vendor-assigned attribute number, and the
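As an added example (not code from this guide or from Dell/Aruba), the following Python builds and parses the RFC 2865 Vendor-Specific attribute (type 26) that carries the VSAs described above, using the vendor code 14823 from the guide; the attribute numbers for the user role (1) and VLAN (2) are an assumption taken from the public FreeRADIUS dictionary.aruba and should be checked against the VSA table in this guide. The parser bounds-checks every length so a malformed server reply is rejected rather than misparsed.

```python
import struct

ARUBA_VENDOR_ID = 14823   # vendor-specific code given in the guide
RADIUS_VSA_TYPE = 26      # RFC 2865 Vendor-Specific attribute type
# Vendor-assigned attribute numbers: ASSUMED from FreeRADIUS dictionary.aruba; verify against the guide's VSA table.
ARUBA_USER_ROLE = 1       # string
ARUBA_USER_VLAN = 2       # integer

def encode_aruba_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute (type 26) carrying a single Aruba sub-attribute."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload   # vendor-type, vendor-length, value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body

def decode_vsas(attrs, vendor_id=ARUBA_VENDOR_ID):
    """Walk a RADIUS attribute list; return (vendor_type, raw_value) for VSAs of vendor_id, raising on bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == RADIUS_VSA_TYPE and alen >= 6 and struct.unpack("!I", attrs[i + 2:i + 6])[0] == vendor_id:
            j, end = i + 6, i + alen
            while j < end:   # several sub-attributes may share one type-26 attribute
                if j + 2 > end or attrs[j + 1] < 2 or j + attrs[j + 1] > end:
                    raise ValueError("bad vendor sub-attribute length")
                out.append((attrs[j], attrs[j + 2:j + attrs[j + 1]]))
                j += attrs[j + 1]
        i += alen
    return out

def derive_role_and_vlan(attrs):
    """Return (user_role, vlan) as the controller would derive them; None where the VSA is absent."""
    found = dict(decode_vsas(attrs))
    role = found[ARUBA_USER_ROLE].decode("utf-8") if ARUBA_USER_ROLE in found else None
    vlan = struct.unpack("!I", found[ARUBA_USER_VLAN])[0] if len(found.get(ARUBA_USER_VLAN, b"")) == 4 else None
    return role, vlan

# Constructed Access-Accept attribute list: User-Name, Aruba role and VLAN VSAs, and a VSA of a made-up vendor 4242
SAMPLE_ATTRS = (struct.pack("!BB", 1, 7) + b"alice"
                + encode_aruba_vsa(ARUBA_USER_ROLE, "employee")
                + struct.pack("!BBI", RADIUS_VSA_TYPE, 9, 4242) + b"\x07\x03\x00"
                + encode_aruba_vsa(ARUBA_USER_VLAN, 100))
# derive_role_and_vlan(SAMPLE_ATTRS) returns ('employee', 100)
```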