IronWiFi RadSec Secure Radius Servers

This technical article describes what is RadSec and how to enable RadSec servers in your IronWiFi network.

RadSec General Information

RadSec or Radius over TLS is an extension to the RADIUS protocol, that uses secure tunnels estabilished between the Radius Client and Radius Server to encapsulate Authentication, Authorization, and Accounting (AAA) protocol messages. Connection is authenticated using Client Certificates. Without the correct client certificate, issued by our Secure PKI Infrastructure, RadSec server will not even allow the tunnel to be estabilished. Each client certificate is issued for the specific customer, region and network, making it impossible for the unauthorised radius client to connect or to intercept the messages.

How to enable RadSec on your network

Thanks to your Modern and Secure PKI Infrastructure enabling RadSec servers in your network and obtaining the Certificate Pack is very straightforward.

  1. Sign in to the IronWiFi Management Console
  2. Go to Networks -> Select the network you want to enable the RadSec for.
  3. Select Enabled from the drop-down menu

    Screenshot 2024-05-13 at 21.13.25

  4. The page will reload and you will see the link to the certificate bundle, consisting of the Root CA certificate, the RadSec Signing Intermediate CA certificate, your Client Certificate and the Client Key. You need to upload them to your controller, and set up the IP address and port, with the standard RadSec secret: 'radsec', and you should be up and running !Screenshot 2024-05-13 at 21.25.22
  5. You should use the same details for Authentication and Accounting, RadSec server automatically distinguishes between the two and directs the requests and updates to the correct internal destinaton.