3.4.6 RadSec Configuration (RADIUS over TLS)
| Item |
Details |
| Organization |
Abhavtech.com |
| Version |
2.0 |
| Last Updated |
December 2025 |
1. RadSec Overview
1.1 Why RadSec?
RadSec (RADIUS over TLS) encrypts RADIUS traffic that traditionally uses UDP with shared secrets. This addresses several security concerns:
| Traditional RADIUS |
RadSec (RADIUS/TLS) |
| UDP ports 1812/1813 |
TCP port 2083 |
| Shared secret (weak) |
TLS certificates (strong) |
| No encryption of attributes |
Full TLS encryption |
| Vulnerable to replay attacks |
Protected by TLS |
| No mutual authentication |
Certificate-based mutual auth |
1.2 When to Use RadSec
RadSec Required:
├── PCI-DSS environments (encrypted AAA)
├── Untrusted network segments
├── WAN-connected authenticators
├── High-security zones
└── Compliance requirements (SOC 2, ISO 27001)
RadSec Optional (but recommended):
├── Campus LAN (defense in depth)
├── Data center access
└── Any 802.1X deployment
2. Certificate Infrastructure
2.1 Certificate Hierarchy for Abhavtech
┌─────────────────────────────────────────────────────────────────────┐
│ Abhavtech PKI for RadSec │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────┐ │
│ │ Root CA │ │
│ │ abhavtech-root-ca │ │
│ │ Validity: 20 years│ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌────────────────┼────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────┐ ┌─────────────────┐ │
│ │ ISE Issuing CA │ │ Network CA │ │ User CA │ │
│ │ ise-ca │ │ network-ca │ │ user-ca │ │
│ │ 10 years │ │ 10 years │ │ 10 years │ │
│ └────────┬────────┘ └──────┬──────┘ └────────┬────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────┐ ┌─────────────────┐ │
│ │ ISE Server Cert │ │ Switch Cert │ │ EAP-TLS Certs │ │
│ │ 2 years │ │ 2 years │ │ 1 year │ │
│ └─────────────────┘ └─────────────┘ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
2.2 Certificate Requirements
| Certificate |
Subject |
SAN |
Key Size |
Validity |
Purpose |
| ISE RadSec Server |
CN=ise-psn-01.abhavtech.com |
DNS:ise-psn-01.abhavtech.com |
RSA 2048+ |
2 years |
ISE as RadSec server |
| Switch RadSec Client |
CN=mum-ed-01.abhavtech.com |
DNS:mum-ed-01.abhavtech.com |
RSA 2048+ |
2 years |
Switch as RadSec client |
| Root CA |
CN=Abhavtech Root CA |
- |
RSA 4096 |
20 years |
Trust anchor |
2.3 Generate Switch Certificate (Using PKI)
! On Catalyst 9300 Edge Node
! Step 1: Generate RSA keypair
crypto key generate rsa label RADSEC-KEY modulus 2048
! Step 2: Create trustpoint for RadSec
crypto pki trustpoint RADSEC-TP
enrollment terminal pem
subject-name CN=mum-ed-01.abhavtech.com,O=Abhavtech,C=IN
revocation-check crl
rsakeypair RADSEC-KEY
! Step 3: Authenticate CA (import Root CA cert)
crypto pki authenticate RADSEC-TP
! Paste Root CA certificate when prompted
! Step 4: Enroll switch (generate CSR)
crypto pki enroll RADSEC-TP
! Copy CSR to CA for signing
! Step 5: Import signed certificate
crypto pki import RADSEC-TP certificate
! Paste signed certificate when prompted
3. ISE RadSec Server Configuration
3.1 Enable RadSec on ISE
Administration → System → Settings → Protocols → RADIUS
RADIUS Settings:
☑ Enable RADIUS/UDP (legacy - keep for migration)
☑ Enable RADIUS/TLS (RadSec)
RadSec Settings:
RadSec Port: 2083
TLS Version: TLS 1.2 minimum
Server Certificate: ise-psn-01.abhavtech.com (EAP Authentication)
Client Authentication:
☑ Require client certificate
Trusted CA: Abhavtech-Network-CA
Certificate Validation:
☑ Validate certificate chain
☑ Check certificate revocation (CRL)
CRL URL: http://pki.abhavtech.com/crl/network-ca.crl
3.2 ISE Network Device Configuration for RadSec
Administration → Network Resources → Network Devices
Device Name: MUM-ED-01
IP Address: 10.100.1.11
RADIUS Authentication Settings:
Protocol: RADIUS/TLS
RadSec Port: 2083
Shared Secret: (not required for RadSec - certificate-based)
Client Certificate DN:
CN=mum-ed-01.abhavtech.com,O=Abhavtech,C=IN
☑ Enable RadSec for this device
3.3 ISE Certificate Configuration
Administration → System → Certificates → System Certificates
Import/Generate RadSec Server Certificate:
Friendly Name: ISE-RadSec-Server
Usage:
☑ EAP Authentication
☑ RADIUS DTLS
Certificate should contain:
- Extended Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
- Subject Alternative Name: DNS:ise-psn-01.abhavtech.com
Administration → System → Certificates → Trusted Certificates
Import Network Device CA:
Friendly Name: Abhavtech-Network-CA
Trust for:
☑ Trust for client authentication
☑ Trust for authenticating Cisco Services
4. Switch RadSec Client Configuration
4.1 Catalyst 9300 RadSec Configuration
! Configure RadSec on Edge Node MUM-ED-01
! Step 1: Define RADIUS server with TLS
radius server ISE-PSN-01-RADSEC
address ipv4 10.250.10.21 auth-port 2083 acct-port 2083
tls connectiontimeout 10
tls idletimeout 60
tls retransmit 3
tls trustpoint client RADSEC-TP
tls trustpoint server RADSEC-TP
radius server ISE-PSN-02-RADSEC
address ipv4 10.250.10.22 auth-port 2083 acct-port 2083
tls connectiontimeout 10
tls idletimeout 60
tls trustpoint client RADSEC-TP
tls trustpoint server RADSEC-TP
! Step 2: Create server group
aaa group server radius RADSEC-SERVERS
server name ISE-PSN-01-RADSEC
server name ISE-PSN-02-RADSEC
! Step 3: Apply to AAA methods
aaa authentication dot1x default group RADSEC-SERVERS
aaa authorization network default group RADSEC-SERVERS
aaa accounting dot1x default start-stop group RADSEC-SERVERS
! Step 4: Enable RadSec globally
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
4.2 Verification Commands
! Verify TLS connection to ISE
MUM-ED-01# show radius server-group RADSEC-SERVERS
RADIUS server group RADSEC-SERVERS
Server: ISE-PSN-01-RADSEC
Address: 10.250.10.21
Ports: Auth 2083, Acct 2083
Status: UP (TLS Connected)
TLS Version: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
! Verify RadSec statistics
MUM-ED-01# show radius statistics
RADIUS Statistics:
TLS Sessions Established: 47
TLS Handshake Failures: 0
Authentication Requests (TLS): 12,456
Authentication Accepts: 12,398
Authentication Rejects: 58
! Test RadSec connectivity
MUM-ED-01# test aaa group RADSEC-SERVERS testuser Cisco123 new-code
User successfully authenticated
5. Certificate Lifecycle Management
5.1 Certificate Renewal Procedure
Certificate_Renewal_Workflow:
90_Days_Before_Expiry:
- ISE alerts via email/SNMP
- Create change ticket
- Generate new CSR
60_Days_Before_Expiry:
- Submit CSR to CA
- Obtain signed certificate
- Test in lab environment
30_Days_Before_Expiry:
- Schedule maintenance window
- Import new certificate (don't delete old yet)
- Update network devices to trust new cert
14_Days_Before_Expiry:
- Execute certificate rotation
- Switch devices to new certificate
- Verify RadSec connectivity
After_Rotation:
- Remove old certificate
- Update documentation
- Close change ticket
5.2 ISE Certificate Monitoring
Administration → System → Settings → Alarm Settings
Certificate Expiry Alarms:
☑ Enable certificate expiry notification
Warning: 90 days before expiry
Critical: 30 days before expiry
Notification:
Email: pki-admin@abhavtech.com, noc@abhavtech.com
SNMP Trap: Enabled
Syslog: Enabled
5.3 Automated Certificate Monitoring Script
#!/usr/bin/env python3
# /opt/abhavtech/scripts/radsec_cert_monitor.py
import ssl
import socket
from datetime import datetime, timedelta
RADSEC_HOSTS = [
("ise-psn-01.abhavtech.com", 2083),
("ise-psn-02.abhavtech.com", 2083),
("mum-ed-01.abhavtech.com", 2083),
]
WARNING_DAYS = 90
CRITICAL_DAYS = 30
def check_certificate_expiry(host, port):
context = ssl.create_default_context()
with socket.create_connection((host, port), timeout=10) as sock:
with context.wrap_socket(sock, server_hostname=host) as ssock:
cert = ssock.getpeercert()
expiry = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
days_remaining = (expiry - datetime.now()).days
return days_remaining, expiry
for host, port in RADSEC_HOSTS:
try:
days, expiry = check_certificate_expiry(host, port)
if days <= CRITICAL_DAYS:
print(f"CRITICAL: {host} cert expires in {days} days ({expiry})")
elif days <= WARNING_DAYS:
print(f"WARNING: {host} cert expires in {days} days ({expiry})")
else:
print(f"OK: {host} cert valid for {days} days")
except Exception as e:
print(f"ERROR: Cannot check {host}: {e}")
6. Migration from RADIUS/UDP to RadSec
6.1 Phased Migration Plan
┌─────────────────────────────────────────────────────────────────────┐
│ RadSec Migration Phases │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Phase 1: Preparation (Week 1-2) │
│ ├── Deploy PKI infrastructure │
│ ├── Generate ISE server certificates │
│ ├── Configure ISE to accept both UDP and TLS │
│ └── Test in lab environment │
│ │
│ Phase 2: Pilot (Week 3-4) │
│ ├── Select 2-3 pilot switches │
│ ├── Generate switch certificates │
│ ├── Configure RadSec on pilot devices │
│ └── Validate authentication works │
│ │
│ Phase 3: Site Rollout (Week 5-8) │
│ ├── Deploy certificates to all switches (site by site) │
│ ├── Configure RadSec (keep UDP as fallback) │
│ ├── Monitor authentication success rate │
│ └── Troubleshoot issues per site │
│ │
│ Phase 4: Cutover (Week 9-10) │
│ ├── Remove RADIUS/UDP configuration │
│ ├── Disable UDP on ISE │
│ ├── Update firewall rules (block UDP 1812/1813) │
│ └── Final validation and documentation │
│ │
└─────────────────────────────────────────────────────────────────────┘
6.2 Rollback Procedure
! If RadSec fails, rollback to RADIUS/UDP
! Step 1: Re-add UDP RADIUS server
radius server ISE-PSN-01-UDP
address ipv4 10.250.10.21 auth-port 1812 acct-port 1813
key 0 $SharedSecret$
! Step 2: Update server group
aaa group server radius RADIUS-FALLBACK
server name ISE-PSN-01-UDP
! Step 3: Apply fallback
aaa authentication dot1x default group RADIUS-FALLBACK
7. Troubleshooting RadSec
7.1 Common Issues
| Issue |
Cause |
Resolution |
| TLS handshake failure |
Certificate mismatch |
Verify CN/SAN matches hostname |
| Connection refused |
Port blocked |
Open TCP 2083 in firewall |
| Certificate validation error |
Missing CA |
Import full certificate chain |
| Intermittent failures |
Certificate expiry |
Check certificate validity dates |
| Authentication timeout |
TLS renegotiation |
Increase tls connectiontimeout |
7.2 Debug Commands
! Enable RadSec debugging
MUM-ED-01# debug radius authentication
MUM-ED-01# debug radius tls
MUM-ED-01# debug crypto pki transactions
! Check TLS session state
MUM-ED-01# show radius server-group all
MUM-ED-01# show crypto pki certificates
MUM-ED-01# show crypto pki trustpoints status
! ISE debugging
Operations → Troubleshoot → Diagnostic Tools → TCP Dump
Filter: port 2083
8. Compliance Mapping
| Requirement |
Standard |
RadSec Control |
| Encrypt authentication traffic |
PCI-DSS 4.1 |
TLS 1.2+ encryption |
| Strong authentication |
PCI-DSS 8.2 |
Certificate-based mutual auth |
| Audit trail |
SOC 2 CC6.1 |
TLS session logging |
| Secure transmission |
ISO 27001 A.13.2.1 |
End-to-end encryption |
Document Version: 2.0
Abhavtech.com - SD-Access Implementation