RadSec is a protocol which allows RADIUS servers to transfer data over TCP and TLS for increased security. With RadSec capabilities, you can transfer RADIUS packets through public networks while still ensuring end-to-end security through the transport layer. This feature is configurable through using our Mist API or directly from the UI. Mist APs support RadSec for RADIUS authentications.
UI configuration
To configure RadSec, set up a 802.1X or MAC auth WLAN and choose RadSec under Authentication Servers from the drop down list. Here, provide the Server Name (optional), Server Addresses, and NAS Identifier (optional). Server name is the value of the server_name extension in client hello the TLS certificate exchange.
RadSec Certificates
Mist by default generates a unique per Organization CA certificate and automatically generates per AP certificates when RadSec is enabled. No additional configuration is required. Mist automatically handles the certificate management on the APs for RadSec. The only additional steps for use with an external RADIUS server are to import the Mist Certificate – that is the per org CA certificate – into your RADIUS server so the RADIUS server can authenticate the certificates presented by the APs in your org. You also need to export the server certificate from your RADIUS server and import into Mist as RadSec Certificates so that APs can validate the RadSec certificate presented by the RADIUS server. With Mist Access Assurance, this entire process is handled automatically.
Navigate to Organization -> Settings to obtain the Mist Certificate and enter your RadSec Certificate to complete the setup.
API configuration
API documentation which can be found here: https://api.mist.com/api/v1/docs/Home
To use RadSec on your networks, please follow these steps:
- Enable RadSec in your WLAN as the authentication type – once “radsec” is enabled, auth_servers, acct_servers, and coa_server will be ignored.
https://api.mist.com/api/v1/docs/Site#wlan
- Configure and add your CA certs to Org Settings – We use this to verify the RadSec server.
https://api.mist.com/api/v1/docs/Org#org-settings
- Get the Mist-generated per-org CA cert.