Allied Telesis Support Portal

How AW+ can secure a non-secure RADIUS server

RadSec is an extension to the Remote Authentication Dial-In User Service (RADIUS) authentication protocol that uses Transport Layer Security (TLS) as the transport protocol.
This provides improved security over the standard RADIUS protocol by:

  • ensuring that protocol messages are encrypted, preventing external entities from snooping for usernames and passwords
  • using X.509 certificate chains for identity validation and encryption key exchange

The original (insecure) RADIUS protocol carries AAA messages between client and server systems as plain UDP datagrams.
These messages are not encrypted, so an attacker who can capture them on the network can snoop them to determine usernames and passwords.

RadSec is a relatively new protocol, however, and many RADIUS implementations do not support RadSec natively. One mechanism for adding RadSec to an existing implementation is by using a proxy application that translates RADIUS UDP datagrams into messages that are carried over TLS.
AlliedWare Plus uses the open-source RadSecProxy application for this purpose. Existing RADIUS applications send UDP datagrams to the RadSecProxy instance running on the same device.

RadSecProxy then converts the messages to RadSec TLS messages for transport over the network.

RadSecProxy works for both the client and server sides of the RADIUS exchange.
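The following is an added example, not code from Allied Telesis or from the RadSecProxy project, that makes the two points above concrete. It builds a legacy RADIUS Access-Request per RFC 2865 with constructed values (shared secret, request authenticator, username and password are all made up), shows that a passive observer of the UDP datagram reads the User-Name attribute directly and that the User-Password attribute is protected only by an MD5 keystream derived from the shared secret, and then shows the framing RadSec (RFC 6614) uses once a proxy has moved the same, unchanged packets onto a TLS byte stream: the receiver re-splits the stream using each packet's own Length field.

```python
"""Legacy RADIUS on the wire versus RadSec framing (constructed example)."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the
    Request Authenticator. This is the only protection the password gets."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def deobfuscate_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse: anyone holding the shared secret and the
    datagram recovers the cleartext password; no per-session key is involved."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes,
                         username: bytes, password: bytes, secret: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = obfuscate_password(password, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Decode header and attributes; needs no secret at all."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def snoop_username(datagram: bytes) -> str:
    """What an eavesdropper on the UDP path learns without the shared secret."""
    return parse_packet(datagram)[3][ATTR_USER_NAME].decode()


def split_radsec_stream(stream: bytes):
    """RadSec carries unmodified RADIUS packets over TLS. With no datagram
    boundaries, the receiver frames them by the Length field at offset 2 and
    keeps any trailing partial packet for the next read."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos + 2:pos + 4])
        if length < 20 or pos + length > len(stream):
            break  # incomplete packet: wait for more bytes from the TLS socket
        packets.append(stream[pos:pos + length])
        pos += length
    return packets, stream[pos:]


# Constructed sample values (not real credentials or a real secret).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SAMPLE = build_access_request(7, AUTHENTICATOR, b"alice", b"s3cret!", SECRET)

if __name__ == "__main__":
    print("username visible to an eavesdropper:", snoop_username(SAMPLE))
    hidden = parse_packet(SAMPLE)[3][ATTR_USER_PASSWORD]
    print("password as sent:", hidden.hex())
    print("password with shared secret:", deobfuscate_password(hidden, SECRET, AUTHENTICATOR))
    frames, rest = split_radsec_stream(SAMPLE + SAMPLE + SAMPLE[:10])
    print("RadSec stream re-framed into", len(frames), "packets,", len(rest), "bytes pending")
```

The takeaway the proxy model relies on: RadSecProxy does not alter the RADIUS packets, so the legacy server keeps working unchanged; confidentiality of the User-Name and integrity of the exchange come from the TLS session and its X.509 validation, not from the RADIUS shared secret.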

awplus#show radius-secure-proxy aaa
Secure (TLS) Proxy via : 127.0.0.1
  Proxy Port          : 1645
  Trustpoints         : raleigh
  Cert Name Check     : global default on
  Computed Timeout    : 7 sec
  Proxy Status        : running
Secure (TLS) Server Host : radsec_server.local
  Timeout             : default (5 sec)
  Cert Name Check     : default (on)

                               Auth  Acct  Auth           Acct
Server Host/IP Address         Port  Port  Status         Status
------------------------------------------------------------------------
radsec_server.local            (TLS Proxy) Alive          Alive

You can find more information here:
http://www.alliedtelesis.com/documents/public-key-infrastructure-feature-overview-and-configuration-guide
