Example of RadSec configuration

Prerequisite

  • ClearPass version is 6.7.4 or higher.

ClearPass as RadSec server

Following are the steps to configure ClearPass as RadSec server:

  1. Import Root CA certificate to the ClearPass certificate store. Choose Select Type as RadSec Server Certificate

  2. Click Create Certificate Signing Request.

    Enter the IP address of ClearPass . For configuring radius-server host FQDN on DUT, enter the hostname.

  3. Sign the created CSR with CA.

  4. Ensure RadSec Server Certificate is selected while importing signed certificate.

  5. Select Enable RadSec while adding devices.

    The IP address is used as the source IP of the DUT and must be reachable from ClearPass.

DUT configuration

Follow these steps to configure DUT:

  1. Generate CSR with usage radsec-client
    DUT(config)# crypto pki  ta-profile ta1
    DUT(config)# crypto pki create-csr certificate-name Cert1 ta-profile ta1
     key-type rsa key-size 2048 subject common-name test org HEP org-unit HPN state KA country IN usage radsec-client
    
  2. Copy CA root certificate generated on CA.

    DUT(config)# copy tftp ta-certificate ta1 <tftp server ip> certnew.cer
  3. Sign the CSR with CA.
  4. Install the signed certificate.
    DUT(config)# crypto pki install-signed-certificate

  5. Verify the installed Root and Local certificate.

    DUT(config)# sh crypto pki ta-profile
      Profile Name    Profile Status                 CRL Configured  OCSP Configured
      --------------- ------------------------------ --------------- ---------------
      IDEVID_ROOT     Root Certificate Installed
      COMODO_CA       Root Certificate Installed     No              No
      default         Self-signed Certificate Ins... No              No
      GEOTRUST_CA     Root Certificate Installed     No              No
      ARUBA_CA        Root Certificate Installed     No              No
      ADDTRUST_CA     Root Certificate Installed     No              No
      clearpass       Root Certificate Installed     No              No
      ta1             Root Certificate Installed     No              No
     
    DUT(config)# sh crypto pki local-certificate
       Name                 Usage         Expiration     Parent / Profile
       -------------------- ------------- -------------- --------------------
       IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
       IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
       IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT
       test                 All           2019/08/13     default
       Test_Certificate     Web           2019/08/03     default
       Cert1                  RADSEC        2020/02/14     ta1
    DUT(config)#
    
  6. Configure radius-server with tls option.
    DUT(config)# radius-server host 192.168.1.252 tls
  7. Enable debug commands.

    Debug security RadSec
    Debug security radius
    
  8. Verify the RadSec connection.

    DUT(config)# show radius host 192.168.1.252
    
     Status and Counters - RADIUS Server Information
    
    
      Server IP Addr : 192.168.1.252         TLS Enabled : Yes
    
      Authentication Port     : 2083         Accounting Port      : 2083
      Round Trip Time         : 4            Round Trip Time      : 0
      Pending Requests        : 0            Pending Requests     : 0
      Retransmissions         : 0            Retransmissions      : 0
      Timeouts                : 78           Timeouts             : 0
      Malformed Responses     : 0            Malformed Responses  : 0
      Bad Authenticators      : 2            Bad Authenticators   : 0
      Unknown Types           : 0            Unknown Types        : 0
      Packets Dropped         : 10           Packets Dropped      : 0
      Access Requests         : 1435         Accounting Requests  : 0
      Access Challenges       : 22           Accounting Responses : 0
      Access Accepts          : 11
      Access Rejects          : 1324
      Connection Status       : RADSEC Connection established
      Connection Error        : NA