Server Settings

Ports & IP Addresses

Overview

RADIUSaaS provides public IP addresses that allow your network appliances and services to communicate with our service from anywhere via the internet. Thereby, we offer two types of IP addresses that support different protocols and listen on different ports.

RadSec / TCP

Properties

RadSec DNS

The DNS entry through which the RadSec service can be reached.

Server IP Addresses

Public IP address(s) on which the RadSec service is available.

A second IP address is shown if we have configured a secondary RADIUSaaS instance for you.

RadSec Ports

This section displays the (standard) port for the RadSec.

RADIUS / UDP

This section is available when you have configured at least on RADIUS Proxy. For each proxy, a separate public IP address is available. The public IP addresses in this section support the RADIUS protocol only and thus listen on ports 1812/1813.

Properties

Server IP Addresses and Location

Geo-location of the RADIUS proxy/proxies as well as the respective public IP address(es).

Shared Secrets

The shared secret for the respective RADIUS proxy. By default, all RADIUS proxies are initialized with the same shared secret.

Ports

This section displays the standard ports for the RADIUS authentication (1812) and RADIUS accounting (1813) services.

RadSec related Settings

Maximum TLS Version

This setting controls the maximum TLS version for your RadSec interface. The minimum version is fixed at 1.2, the default maximum is set to 1.3.

TLS 1.3 offers several advantages over 1.2, including post-handshake authentication mechanism, which allows requesting additional credentials before completing the handshake. This is important for the Verification check for RadSec Certificates setting.

Verification check for RadSec Certificates

For proper RadSec operation, your network devices, such as Access Points, Switches, and VPN Servers, must perform a TLS handshake to forward Access-Request messages to the RadSec Server. To check the revocation status of a certificate during the handshake, the certificate must be sent within the TLS tunnel.

TLS 1.2

In TLS 1.2, there is no method to request this during the handshake, so the handshake may complete before we have fully authorised it, and your network device may perceive the channel being open and forwards requests even if this is not the case on our side. Your network device's certificate is not transmitted until a client device authenticates, and we cannot check the revocation status of the certificate until then, which can lead to authentication timeouts or rejections because the client has to restart the authentication completely.

TLS 1.3

TLS 1.3 allows explicitly requesting the certificate before completing the handshake. This ensures that if the verification status is 'revoked', the handshake will fail immediately.

Server Certificates

Customer-CA

By default, RADIUSaaS generates a RADIUS Server Certificate signed by a Certificate Authority (CA) that is available on our service solely for this very purpose. We refer to it as the Customer-CA. The Customer-CA is unique for each customer.

To create your Customer-CA, follow these simple steps:

1. Navigate to Settings > Server Settings

2. Click Add

3. Choose Let RaaS create a CA for you

4. Click on Save

5. After the creation, you will see a new certificate available under Server Certificates

Bring your own Certificate

In case you do not want to use the Customer CA, you can upload up to two of your own certificates.

SCEPman-issued Server Certificate

You may leverage SCEPman Certificate Master to generate a server certificate for you. Please follow those steps:

1. Navigate to your SCEPman Certificate Master web portal.

2. Select Request Certificateon the left

3. Select Server Certificate on the top

4. Enter all Fully Qualified Domain Names (FQDNs) that the certificate shall be valid for separated by commas, semicolons, or line breaks. Generate a server certificate as described here and provide any FQDN you want. We recommend adapting the SAN of the default server certificate, e.g. radsec-<your RADIUSaaS instance name>.radius-as-a-service.com.

5. Set the Download file format to PEM

6. Select Include Certificate Chain and download the certificate.

7. Submit the request to download the new server certificate.

To add your server certificate created in above steps, navigate to RADIUSaaS instance > Settings > Server Settings, then

8. Choose PEM or PKCS#12 encoded Certificate

9. Drag & drop your certificate file or click to browse for it

10. Enter the password of your Private Key

11. Click Save

Certificate Activation

As certificates expire from time to time or your preference on which certificates you would like to use change, it is important that you can control the certificate that your server is using. The Active column shows you the certificate your server is currently using. To change the certificate your server is using, expand the row of the certificate you would like to choose and click Activate.

Download

To download your Server Certificate, click Download in the corresponding row.

It will open a dialog and show the complete certificate path. The root certificate will always be marked in green.

Delete

To delete a certificate, expand the corresponding row, click Delete and confirm your choice.

Certificate Expiration

Certificates will expire from time to time. Five months before your certificate is going to be expired, you dashboard will give you a hint that your certificate is about to expire.

If you're seeing this triangle, follow this guide how you can change your server certificate: