RadSec

Last updated 6 months ago

Before your access points are able to establish a valid RadSec connection (which can be considered an mTLS connection), the following requirements must be met regardless of the manufacturer of the access point.

  • Access Points require a valid client certificate (typically referred to as "RadSec Client Certificate" or "RadSec Certificate"). This client certificate must have the EKU Client Authentication (1.3.6.1.5.5.7.3.2) and not Server Authentication.

  • Access Points must trust the CA that issued the RADIUS Server Certificate.

  • RADIUSaaS must trust the CA that issued the RadSec client certificate on your access points.

The RadSec protocol requires a shared secret to compute the MD5 integrity checks. The RadSec RFC defines this shared secret as the literal string "radsec".

Figure: TLS outer tunnel and required certificates
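
The two MD5 checks that this fixed secret feeds, shown as an added example that is not RADIUSaaS code: the Message-Authenticator (HMAC-MD5) on a request and the Response Authenticator on a reply, both computed with the secret "radsec". The packet contents and all function names are constructed for illustration; the field layouts follow the RADIUS RFCs (2865 and 3579).

```python
import hashlib
import hmac
import struct

RADSEC_SECRET = b"radsec"            # fixed value from the RadSec RFC, per the text above
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80  # RADIUS attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Access-Request ending in Message-Authenticator = HMAC-MD5(packet, secret)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while hashing
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(RADSEC_SECRET, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac


def verify_request(packet: bytes) -> bool:
    """Recompute the HMAC; assumes Message-Authenticator is the last attribute."""
    mac = hmac.new(RADSEC_SECRET, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[-16:])


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(code, id, length, RequestAuth, attrs, secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(head + request_auth + attrs + RADSEC_SECRET).digest()
    return head + digest + attrs


def verify_response(packet: bytes, request_auth: bytes) -> bool:
    """Check a reply against the Request Authenticator of the matching request."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + RADSEC_SECRET)
    return hmac.compare_digest(digest.digest(), packet[4:20])


# Constructed sample values; TAMPERED flips one bit of the User-Name value (offset 22).
SAMPLE_AUTH = bytes(range(16))  # a real client uses a random Request Authenticator
SAMPLE_REQUEST = build_request(7, SAMPLE_AUTH, attr(USER_NAME, b"ap-user@example.test"))
SAMPLE_REPLY = build_response(ACCESS_ACCEPT, 7, SAMPLE_AUTH, b"")
TAMPERED = SAMPLE_REQUEST[:22] + bytes([SAMPLE_REQUEST[22] ^ 1]) + SAMPLE_REQUEST[23:]

if __name__ == "__main__":
    print(verify_request(SAMPLE_REQUEST), verify_request(TAMPERED), verify_response(SAMPLE_REPLY, SAMPLE_AUTH))
```

Because every RadSec peer uses the same published secret, these checks detect corruption but do not authenticate the sender; peer authentication comes from the mutual TLS certificates listed in the requirements above.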