radsec

Syntax

Hierarchy Level

Description

Configure RADIUS over TLS, also known as RADSEC, to redirect regular RADIUS traffic to remote RADIUS servers connected over TLS. The TLS connection provides encryption, authentication, and data integrity for the exchange of RADIUS messages.

To configure RADIUS over TLS, you need to configure the RADSEC server as a destination for RADIUS traffic. Traffic that is destined for a RADIUS server can then be redirected to the RADSEC destination. RADSEC destinations are identified by a unique numeric ID. You can configure multiple RADSEC destinations with different parameters pointing to the same RADSEC server.

TLS relies on certificates and private-public key exchange pairs to secure the transmission of data between the RADSEC client and server. The RADSEC destination uses local certificates that are dynamically acquired from the Junos PKI infrastructure.

To enable RADSEC, you must specify the name of the local certificate. If a certificate is not available, or if the certificate was revoked, the RADSEC destination attempts to retrieve it every 300 seconds.

Default

RADSEC is not enabled by default.

Options

destination `id-number`	Globally unique ID number for the RADSEC destination. Range: 1 through 65535
address `ip-address`	Specify the IP address of the RADSEC server.
id-reuse-timeout `seconds`	Configure the number of seconds after which the RADIUS ID field value can be reused. Default: 120 seconds Range: 60 to 3600 seconds
logical-system `ls-name` routing-instance `ri-name`	Specify the logical system or the routing instance for transport. Default: If you do not explicitly configure the logical system or routing instance, the default is used. You can specify the logical system, the routing instance, or both. No configuration specifies default:default. Configuring only the routing instance specifies default:`ri-name`. Configuring only the logical system specifies `ls-name`:default. Configuring both the logical system and the routing instance specifies `ls-name`:`ri-name`.
max-tx-buffers `number`	Configure the maximum number of packets buffered on transmission. Note: The buffer allocation should be able to accommodate the `max-outstanding-requests` for mapped RADIUS servers configured at the [`edit access radius-server`] hierarchy level. Default: 100 Range: 32 to 3200
port `port-number`	(Optional) Configure the port number of the RADSEC server. Default: 2083 Range: 1 through 65535
source-address `ip-address`	Configure the source IP address, which is the IP address of the RADSEC server. If the source address is not configured for dynamic requests, dynamic requests will be rejected.
tls-certificate `certificate-name`	Specify the name of the local certificate.
tls-force-ciphers [medium \| low]	(Optional) Allow lower-grade ciphers than the default. Values: low—Add medium and low grade ciphers. medium—Add medium grade ciphers. Note: The "tls-force-ciphers" option is not applicable. Strong cipher suites are always used by default.
tls-min-version [v1.1 \| v1.2]	(Optional) Configure the TLS version to limit the lowest supported versions of TLS that are enabled for SSL connections. Values: v1.1—Require TLS 1.1 and 1.2. v1.2—Require TLS 1.2. Default: v1.2
tls-peer-name `name`	Certified name of the RADSEC server.
tls-timeout `seconds`	Specify a limit on TLS negotiation. Default: 5 seconds Range: 3 through 90 seconds

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 19.1R1.

dynamic-requests introduced in Junos OS Release 19.2R1.

ON THIS PAGE