Information About RADIUS DTLS
The Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. The RADIUS protocol is a widely deployed authentication and authorization protocol that delivers a complete Authentication, Authorization, and Accounting (AAA) solution.
RADIUS DTLS Port
The RADIUS port (DTLS server) is used for authentication and accounting. The default DTLS server port is 2083.
You can change the RADIUS DTLS port number using the dtls port port_number command. For more information, see the Configuring RADIUS DTLS Port Number section.
Shared Secret
You can use radius/dtls as the shared secret, if you have enabled DTLS for a specific server.
Handling PAC for CTS Communication
You can download PAC from ISE for CTS communication. Once the PAC is downloaded, you need to encrypt all the CTS attributes with the PAC key instead of the shared secret.
The ISE then decrypts these attributes using PAC.
Session Management
The RADIUS client depends entirely on the response from the DTLS server. If the session stays idle for the idle timeout, the session must be closed.
In case of invalid responses, the sessions must be deleted.
If you need to send further RADIUS packets over DTLS, the DTLS session must be re-established with the specific server.
Load Balancing
When multiple DTLS servers and a load-balancing method are configured, you need to select the AAA server to which the request is to be sent. Then use the DTLS context of that specific server to encrypt the RADIUS packet and send it.
Connection Timeout
After the encrypted RADIUS packet is sent, you need to start the retransmission timer. If you do not get a response before the retransmission timer expires, the packet is re-encrypted and re-transmitted.
Retransmission continues for the number of times set by the dtls retries configuration, or up to the default value if none is configured. Once the number of tries exceeds the limit, the server is marked unavailable and responses are sent back to the AAA clients.
Note: The default connection timeout is 5 seconds.
Connection Retries
Because RADIUS DTLS is UDP based, you need to retry the connection after a specific timeout interval for a specific number of retries.
After all retries are exhausted, the DTLS connection:
- Is marked as unsuccessful.
- Looks up the next available server for processing the RADIUS requests.
Note: The default number of connection retries is 5.
Idle Timeout
When the idle timer expires and no transactions have occurred since the last idle timeout, the DTLS session is closed and remains closed.
After you establish the DTLS session, you can start the idle timer. If you start the idle timer for 30 seconds and one RADIUS DTLS packet is sent, then after 30 seconds the idle timer expires and checks the number of RADIUS DTLS transactions.
If the transaction count is greater than zero, the idle timer resets the transaction counter and restarts the timer.
Note: The default idle timeout is 60 seconds.
Handling Server and Server Group Failover
You can configure RADIUS servers with and without DTLS. It is recommended to create separate AAA server groups for DTLS-enabled servers and for non-DTLS servers. However, no such restriction is enforced while configuring AAA server groups.
Suppose you choose a DTLS server: the DTLS connection is established and the RADIUS request packet is sent to that server. If the DTLS server does not respond after all RADIUS retries, the request fails over to the next configured server in the same server group. If the next server is a DTLS server, processing of the RADIUS request packet continues with that server. If the next server is a non-DTLS server, the RADIUS request packet is not processed further in that server group. Server group failover then occurs and the same sequence continues with the next server group, if one is available.
Note: You need to use either only DTLS servers or only non-DTLS servers in a server group.
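As an added illustration (not Cisco's code and not an IOS feature), the following Python simulation applies the failover rules just described to constructed server groups; the server names, the responds flag and the Trace fields are assumptions of the example, and only the case the page describes (the first server chosen is a DTLS server) is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Defaults stated on this page: 5 connection retries, 5-second connection timeout.
DEFAULT_RETRIES = 5
DEFAULT_TIMEOUT_S = 5

@dataclass
class Server:
    name: str       # constructed label, not a real hostname
    dtls: bool      # True if DTLS is enabled for this server
    responds: bool  # constructed behaviour: does the server ever answer?

@dataclass
class Trace:
    handled_by: Optional[str] = None                        # server that answered, if any
    attempts: Dict[str, int] = field(default_factory=dict)  # transmissions per server
    unavailable: List[str] = field(default_factory=list)    # servers marked unavailable
    elapsed_s: int = 0                                      # seconds spent on timeouts

def send_over_dtls(server: Server, retries: int, timeout_s: int, trace: Trace) -> bool:
    """Encrypt and (re)transmit the RADIUS packet; each unanswered try waits timeout_s."""
    for attempt in range(1, retries + 1):
        trace.attempts[server.name] = attempt
        if server.responds:
            return True
        trace.elapsed_s += timeout_s
    trace.unavailable.append(server.name)  # retries exhausted: mark the server unavailable
    return False

def failover(groups: List[List[Server]], retries: int = DEFAULT_RETRIES,
             timeout_s: int = DEFAULT_TIMEOUT_S) -> Trace:
    """Walk the server groups in order, applying the page's failover rules.
    Only the described case is modelled: the first server in each group is DTLS."""
    trace = Trace()
    for group in groups:
        if group and not group[0].dtls:
            raise ValueError(f"group starting with non-DTLS server {group[0].name!r} is not modelled")
        for server in group:
            if not server.dtls:
                # Failover reached a non-DTLS server: the request is not processed
                # further in this group; move on to the next server group.
                break
            if send_over_dtls(server, retries, timeout_s, trace):
                trace.handled_by = server.name
                return trace
        # Every usable server in this group failed: server group failover.
    return trace
```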