diff --git a/docs/config_radsec.md b/docs/config_radsec.md new file mode 100644 index 0000000000..441b00f2d9 --- /dev/null +++ b/docs/config_radsec.md @@ -0,0 +1,82 @@ +--- +title: Configuring RADUIS over TLS +sidebar_label: Configuring RADIUS over TLS +--- + +RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks. + +In this section: +- Configuring RADSEC +- Signing and Importing Webserver Certificates +- Syslog over TLS + +## Configuring RADSEC + +Use the following information to configure RADIUS over TLS (RADSEC). + +#### 1. Configure the RADSEC server. + +The following configuration example will add a radius server named `radsec` + +``` +admin@t327-dut1.cond# configure authority radius-server radsec +admin@t327-dut1.cond (radius-server[name=radsec])# address 172.18.5.224 +admin@t327-dut1.cond (radius-server[name=radsec])# port 2083 +admin@t327-dut1.cond (radius-server[name=radsec])# protocol tls +admin@t327-dut1.cond (radius-server[name=radsec])# account-creation manual +admin@t327-dut1.cond (radius-server[name=radsec])# ocsp strict +admin@t327-dut1.cond (radius-server[name=radsec])# server-name t327-dut1.openstacklocal +admin@t327-dut1.cond (radius-server[name=radsec])# top +``` + +#### 2. Configure the trusted CA certificate. + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a certificate root named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 3. Configure a client certificate to be used for the RADIUS client. + +Repeat the previous step to create a client certificate named `radsec`. + +``` +admin@conductor-node-1.Conductor# config authority client-certificate radsec +admin@conductor-node-1.Conductor (client-certificate[name=radsec])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 4. Configure the RADIUS server at the Authority level to use the configured client certificate. + +Associate the previously configured `radsec` client certificate to the radius server running on a specified node. + +`configure authority router cond node t327-dut1 radius client-certificate-name radsec` + +Note that the client certificate selected should match the appropriate IP/hostname of the node as seen from the RADIUS server. + +`validate` and `commit` the changes. + +#### 5. Create a RADIUS User + +Create a remotely authenticated RADIUS user. In this example we create user `test1`. + +``` +*admin@conductor-node-1.Conductor# create user test1 +Full Name: test1 +Authentication Type (remote or local): remote +Roles (space separated): admin +Enabled (true or false): true +Account 'test1' successfully created +``` + +When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. + + + diff --git a/docs/release_notes_128t_6.3.md b/docs/release_notes_128t_6.3.md index f11f9b9149..01a303f97e 100644 --- a/docs/release_notes_128t_6.3.md +++ b/docs/release_notes_128t_6.3.md @@ -72,7 +72,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-56337 / I95-56339 / I95-56341 REST API changes to better support BGP endpoints:** Updated BGP REST endpoints for better functionality, by adding pagination support to summary commands and altering json schema to use arrays where necessary to preserve ordering. Added `show bgp family-summary` to condense address-family information per peer into one entry. ------ -- **I95-56723 TLS Client Support:** See CC docs, see Radius Server docs ---- **link here +- **I95-56723 TLS Client Support:** RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS authentication, authorization, and accounting data can now be passed safely across untrusted networks. For more information, see [Configuring RADUIS over TLS](config_radsec.md). ### Resolved Issues @@ -180,11 +180,3 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co - **I95-56628 Unable to upgrade second HA Conductor to 6.3.0:** After successfully upgrading the primary HA conductor, attempting to upgrade the second node using the GUI prompt fails. This is a known issue and is currently under investigation. Please see the Knowledgebase Article [Unable to upgrade second HA Conductor to 6.3.0](../kb/2024/08/30/I95-56628) for workaround information. ------ - **I95-57844 Software versions not listed for download from the GUI:** In rare failure scenarios when initiating a software download via the GUI, known software versions are missing from the upgrade list but no errors are reported to the user. If such a scenario is observed, it is recommended that you initiate a second download from the PCLI. In this case any errors are better reported and can be resolved. - - - - - - - - diff --git a/sidebars.js b/sidebars.js index a9ed82395e..9bea73ec18 100644 --- a/sidebars.js +++ b/sidebars.js @@ -89,7 +89,7 @@ module.exports = { "install_conductor_overview", "bcp_conductor_deployment", "single_conductor_install", - "ha_conductor_install", + "ha_conductor_install", "single_conductor_config", "conductor_upgrade", "howto_conductor_migration", @@ -285,6 +285,7 @@ module.exports = { "config_access_mgmt", "config_ldap", "config_radius", + "config_radsec", "config_password_policies", "howto_reset_user_password", ],