radius-server host tls port
Syntax
radius-server host <IP-ADDR/FQDN> tls port <PORT>
no radius-server host <IP-ADDR/FQDN> tls port <PORT>
Description
Enables a TLS session over a TCP connection for the RadSec protocol. RADIUS packets are encrypted because they are carried inside the TLS session over the TCP connection.
The no form of the command reverts the TLS session to the default port, 2083.
Command context
config
Parameters
IP-ADDR
Specifies the server IPv4 address.
FQDN
Specifies the server FQDN.
NOTE: For successful RadSec connections when an FQDN is configured as the RADIUS server, the server certificate sent by the RadSec server must contain the same FQDN in the common name or in a DNS subjectAltName field of the certificate.
PORT
Specifies the TCP destination port number for the TLS session. The default port is 2083.
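The NOTE on the FQDN parameter is the check that produces the "RadSec server certificate has bad common name" error shown in the last example. The following Python is an added illustration of that name rule, not the switch's own implementation: the configured FQDN must appear in the certificate's Common Name or in a DNS subjectAltName entry. The wildcard handling, case folding and trailing-dot normalization are assumptions about how a typical TLS client compares names, and the decision to skip the check for a literal IP address (the page states the rule only for FQDN hosts) is also an assumption.

```python
"""Illustrative RadSec server-certificate name check (added example).

Rule from the command reference: when an FQDN is configured as the RADIUS
server, the certificate presented by the RadSec server must carry that FQDN
in its Common Name or in a DNS subjectAltName entry. Everything beyond that
(wildcards, case, trailing dot, IP hosts) is an assumption of this example.
"""

import ipaddress
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot only marks an absolute name.
    return name.strip().rstrip(".").lower()


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against the configured host.

    A wildcard is honoured only as the entire leftmost label (*.example.com)
    and never spans label boundaries, so *.example.com does not match
    a.b.example.com or the bare example.com.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    pat_labels, host_labels = pattern.split("."), host.split(".")
    if len(pat_labels) != len(host_labels) or len(host_labels) < 3:
        return False
    return pat_labels[1:] == host_labels[1:]


def radsec_name_ok(configured_host: str, common_name: Optional[str],
                   san_dns: Iterable[str] = ()) -> bool:
    """Return True when the certificate satisfies the configured host name.

    Assumption: a host configured as a literal IPv4 address is not subject to
    the FQDN rule, so the check passes without looking at the certificate.
    """
    try:
        ipaddress.ip_address(configured_host)
        return True
    except ValueError:
        pass
    candidates = list(san_dns)
    if common_name:
        candidates.append(common_name)
    return any(_name_matches(c, configured_host) for c in candidates)


def radsec_connection_error(configured_host: str, common_name: Optional[str],
                            san_dns: Iterable[str] = ()) -> Optional[str]:
    """Map the check to the error text 'show radius host' displays on failure."""
    if radsec_name_ok(configured_host, common_name, san_dns):
        return None
    return "RadSec server certificate has bad common name."


if __name__ == "__main__":
    # Constructed sample values mirroring the page's FQDN example.
    print(radsec_connection_error("www.clearpass.com", "www.clearpass.com"))
    print(radsec_connection_error("www.clearpass.com", "node1.lab",
                                  san_dns=["*.clearpass.com"]))
    print(radsec_connection_error("www.clearpass.com", "radsec.example.net"))
```

The last call reproduces the failure seen in the FQDN example below: the switch resolves www.clearpass.com, opens the TLS session, finds neither the CN nor any DNS SAN equal to the configured name, and reports the bad-common-name error instead of sending RADIUS traffic.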
Examples
The following example shows how to configure a RADIUS server with an address of 10.3.17.8 and enable TLS. If no port is configured, TLS is enabled on the default port, 2083, as shown:
switch(config)# radius-server
  access-request  Configure access-request attribute to be included.
  cppm            Username and password combination of ClearPass which is used to login to ClearPass to download user roles.
  dead-time       Configure the dead time for unavailable RADIUS servers.
  dyn-autz-port   Configure the UDP port for dynamic authorization messages.
  fqdn-retry      The interval at which the resolution of the FQDN is retried for the radius server which failed to resolve the FQDN at the time of configuring it.
  host            Configure a RADIUS server.
  key             Configure the default authentication key for all RADIUS servers.
  retransmit      Configure the request retransmit count.
  timeout         Configure the server response timeout.
  tls             Configure the RADIUS server with respect to TLS.
  tracking        Configure RADIUS service tracking parameters.
switch(config)# radius-server host
  FQDN            The server fqdn address.
  IP-ADDR         The server IPv4 address.
  IPV6-ADDR       The server IPv6 address.
NOTE: RadSec for IPv6 servers is not supported.
switch(config)# radius-server host 10.3.17.8 tls
  clearpass          Radius server is hosted by ClearPass or not
  dyn-authorization  Accept dynamic authorization messages.
  oobm               Use the OOBM interface to connect to the server.
  port               Configure the TCP destination port number for TLS session (the default is 2083).
  time-window        Configure replay protection for dynamic authorization messages.
switch(config)# show radius host 10.3.17.8
 Status and Counters - RADIUS Server Information
  Server IP Addr : 10.3.17.8
  TLS Enabled : Yes
  Authentication Port : 2083        Accounting Port : 2083
  Round Trip Time : 0               Round Trip Time : 0
  Pending Requests : 0              Pending Requests : 0
  Retransmissions : 0               Retransmissions : 0
  Timeouts : 0                      Timeouts : 0
  Malformed Responses : 0           Malformed Responses : 0
  Bad Authenticators : 0            Bad Authenticators : 0
  Unknown Types : 0                 Unknown Types : 0
  Packets Dropped : 0               Packets Dropped : 0
  Access Requests : 0               Accounting Requests : 0
  Access Challenges : 0             Accounting Responses : 0
  Access Accepts : 0
  Access Rejects : 0
Upon enabling TLS on port 1026 of RADIUS host 10.3.17.8:
switch(config)# radius-server host 10.3.17.8 tls port
  <1025-65535>  Enter a TCP port number.
switch(config)# radius-server host 10.3.17.8 tls port 1026
switch(config)# show radius host 10.3.17.8
 Status and Counters - RADIUS Server Information
  Server IP Addr : 10.3.17.8
  TLS Enabled : Yes
  Authentication Port : 1026        Accounting Port : 1026
  Round Trip Time : 0               Round Trip Time : 0
  Pending Requests : 0              Pending Requests : 0
  Retransmissions : 0               Retransmissions : 0
  Timeouts : 0                      Timeouts : 0
  Malformed Responses : 0           Malformed Responses : 0
  Bad Authenticators : 0            Bad Authenticators : 0
  Unknown Types : 0                 Unknown Types : 0
  Packets Dropped : 0               Packets Dropped : 0
  Access Requests : 0               Accounting Requests : 0
  Access Challenges : 0             Accounting Responses : 0
  Access Accepts : 0
  Access Rejects : 0
The following example shows the FQDN www.clearpass.com being configured as a radius-server host:
switch(config)# radius-server host www.clearpass.com tls
switch(config)# show radius host www.clearpass.com
 Status and Counters - RADIUS Server Information
  Server IP Addr : 10.101.0.199
  TLS Enabled : Yes
  Authentication Port : 2083        Accounting Port : 2083
  Round Trip Time : 0               Round Trip Time : 0
  Pending Requests : 0              Pending Requests : 0
  Retransmissions : 0               Retransmissions : 0
  Timeouts : 0                      Timeouts : 0
  Malformed Responses : 0           Malformed Responses : 0
  Bad Authenticators : 0            Bad Authenticators : 0
  Unknown Types : 0                 Unknown Types : 0
  Packets Dropped : 0               Packets Dropped : 0
  Access Requests : 0               Accounting Requests : 0
  Access Challenges : 0             Accounting Responses : 0
  Access Accepts : 0
  Access Rejects : 0
  Connection Status : Waiting for socket creation
  Connection Error : RadSec server certificate has bad common name.
  Retrying the connection in (minutes) : 5
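The show radius host output above is what an operator has to read to confirm that RADIUS traffic is actually leaving the switch inside TLS and that the RadSec session is up. The following Python is an added example, not the switch's own tooling, that parses that output format and flags the conditions a defender would want to alert on: TLS not enabled, a port other than the expected one, a pending RadSec connection error, or a non-zero Bad Authenticators counter. The sample text is constructed from the page's own FQDN example; the layout assumption is that two-column counter rows are separated by runs of two or more spaces, with the authentication counter on the left and the accounting counter on the right.

```python
"""Parse 'show radius host' output and derive RadSec health findings.

Added example, not the switch's code. The sample below is constructed from
the page's FQDN example; two-column rows are assumed to be separated by two
or more spaces (authentication on the left, accounting on the right).
"""

import re
from typing import Dict, List

# Constructed sample, copied from the page's FQDN example output.
SAMPLE_OUTPUT = """\
 Status and Counters - RADIUS Server Information
  Server IP Addr : 10.101.0.199
  TLS Enabled : Yes
  Authentication Port : 2083        Accounting Port : 2083
  Round Trip Time : 0               Round Trip Time : 0
  Pending Requests : 0              Pending Requests : 0
  Retransmissions : 0               Retransmissions : 0
  Timeouts : 0                      Timeouts : 0
  Malformed Responses : 0           Malformed Responses : 0
  Bad Authenticators : 0            Bad Authenticators : 0
  Unknown Types : 0                 Unknown Types : 0
  Packets Dropped : 0               Packets Dropped : 0
  Access Requests : 0               Accounting Requests : 0
  Access Challenges : 0             Accounting Responses : 0
  Access Accepts : 0
  Access Rejects : 0
  Connection Status : Waiting for socket creation
  Connection Error : RadSec server certificate has bad common name.
  Retrying the connection in (minutes) : 5
"""


def _coerce(value: str):
    # Counters and ports are integers; everything else stays a string.
    return int(value) if value.isdigit() else value


def parse_show_radius_host(text: str) -> Dict[str, Dict[str, object]]:
    """Split the output into general fields and auth/acct counter columns."""
    result: Dict[str, Dict[str, object]] = {"general": {}, "auth": {}, "acct": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:
            continue  # title line or blank line, no field on it
        columns = re.split(r"\s{2,}", line)
        for idx, piece in enumerate(columns):
            if " : " not in piece:
                continue
            label, value = (s.strip() for s in piece.split(" : ", 1))
            if len(columns) == 2:
                # Two fields on one line: authentication | accounting.
                result["auth" if idx == 0 else "acct"][label] = _coerce(value)
            else:
                result["general"][label] = _coerce(value)
    return result


def radsec_findings(parsed: Dict[str, Dict[str, object]],
                    expected_port: int = 2083) -> List[str]:
    """Return human-readable findings; an empty list means the server looks healthy."""
    general, auth, acct = parsed["general"], parsed["auth"], parsed["acct"]
    findings: List[str] = []
    if general.get("TLS Enabled") != "Yes":
        findings.append("TLS not enabled: RADIUS traffic to this server is not RadSec-protected")
    for side, column in (("Authentication", auth), ("Accounting", acct)):
        port = column.get(f"{side} Port")
        if port is not None and port != expected_port:
            findings.append(f"{side} port {port} differs from expected {expected_port}")
    if general.get("Connection Error"):
        findings.append(f"RadSec connection error: {general['Connection Error']}")
    if auth.get("Bad Authenticators", 0) or acct.get("Bad Authenticators", 0):
        findings.append("Bad Authenticators counter is non-zero: check the shared secret and for tampering")
    return findings


if __name__ == "__main__":
    for finding in radsec_findings(parse_show_radius_host(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the sample, the only finding is the certificate error, which is exactly the condition the FQDN note warns about. Pass expected_port=1026 when checking a server configured as in the second example so the port check does not fire on an intentional non-default port.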