RADIUS Attribute    Authentication Type    Attribute Value
Service-Type        MAC                    Call-Check
                    802.1X                 Framed
                    Captive Portal         Login
Table 42: RADIUS Service-Type Attributes
The service-type-framed-user configuration of the RADIUS server overwrites all the attribute values to Framed
irrespective of the authentication type. Existing deployments that depend upon this attribute for their third-
party RADIUS integrations should make changes to support these new service types.
Enabling Radsec on RADIUS Servers
Conventional RADIUS protocol offers limited security. This level of limited security is not sufficient for
authentication that takes place across unsecured networks such as the Internet. To address this, the
RADIUS over TLS or Radsec enhancement is introduced to ensure RADIUS authentication and accounting data
is transmitted safely and reliably across insecure networks. The default destination port for RADIUS over TLS is
TCP/2083. Separate ports are not used for authentication, accounting, and dynamic authorization changes.
In a TLS connection, both the switch (TLS client) and the Radsec server (TLS server) need to authenticate each
other using certificates. For the switch to authenticate the Radsec server:
• Certificate Authority (CA) certificate should be uploaded as a Trusted CA, if the Radsec server uses a
certificate signed by a CA.
• Self-signed certificate should be uploaded as a PublicCert if the Radsec server uses a self-signed certificate.
If neither of these certificates is configured, the switch will not try to establish any connection with the Radsec
server, even if Radsec is enabled.
The switch also needs to send a TLS client certificate to the Radsec server. To do this, upload a certificate on the
switch as ServerCert and configure Radsec to accept and use the switch's certificate. If a certificate is not
configured, the switch will use the device certificate in its Trusted Platform Module (TPM). In this case, the
Alcatel-Lucent device CA that signed the switch's certificate should be configured as a Trusted CA on the
Radsec server.
When Radsec support is enabled, the default RADIUS shared key is radsec and remains the same even if the user
configures a different shared key.
In the Web UI
1. From the Configuration tab, navigate to the Security > Authentication > Servers page.
2. Click RADIUS Server.
3. Click the Radsec server from the list displayed.
4. Enter the Radsec-related parameters as described in Table 41.
5. Click Apply.
In the CLI
aaa authentication-server radius <rad_server_name>
   enable-radsec
   radsec-client-cert-name <name>
   radsec-port <radsec-port>
   radsec-trusted-cacert-name <radsec-trusted-ca>
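Added example (not from the AOS-W guide): a Python pre-check, run from a management host, that performs the same mutual-TLS handshake on TCP/2083 with the CA and client certificate intended for the switch, then sends a RADIUS Status-Server request keyed with the fixed radsec shared key and validates the reply. The host name and file paths passed to probe() are placeholders, and it assumes the Radsec server answers Status-Server requests (RFC 5997).

```python
import hashlib, hmac, os, socket, ssl, struct

RADSEC_PORT = 2083           # default RADIUS over TLS port stated above
RADSEC_SECRET = b"radsec"    # shared key in effect whenever Radsec is enabled
STATUS_SERVER, MSG_AUTH = 12, 80   # RADIUS code 12, attribute type 80

def build_status_server(ident, req_auth=None, secret=RADSEC_SECRET):
    """Return (packet, request_authenticator) for a Status-Server probe."""
    req_auth = req_auth or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + req_auth
    attr = bytes([MSG_AUTH, 18])
    # Message-Authenticator: HMAC-MD5 over the packet with the value zeroed.
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac, req_auth

def response_is_authentic(resp, req_auth, secret=RADSEC_SECRET):
    """Response Authenticator = MD5(code|id|length|req_auth|attrs|secret)."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def tls_context(ca_file, cert_file, key_file):
    """Client context: verify the server against ca_file, present our cert."""
    # ca_file is the CA certificate, or the server's own self-signed certificate.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

def probe(host, ca_file, cert_file, key_file, port=RADSEC_PORT, timeout=5):
    """Handshake, send Status-Server, return (tls_version, subject, reply_ok)."""
    ctx = tls_context(ca_file, cert_file, key_file)
    pkt, req_auth = build_status_server(ident=1)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # Host-name checking is on: the server certificate must name `host`.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(pkt)
            resp = b""
            while len(resp) < 4 or len(resp) < struct.unpack("!H", resp[2:4])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                resp += chunk
            return (tls.version(), tls.getpeercert().get("subject"),
                    response_is_authentic(resp, req_auth))
```

A handshake failure raised by probe() points at the certificate setup (Trusted CA, PublicCert or client certificate), while a successful handshake with reply_ok False points at the RADIUS layer.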
AOS-W 6.5.3.x | User Guide Authentication Servers | 182