Before your access points can establish a valid RadSec connection (which can be considered an mTLS connection), the following requirements must be met, regardless of which manufacturer your access points originate from.

  • Access Points require a valid client certificate (typically referred to as "RadSec Connection Certificate" or "RadSec Certificate"). This client certificate must have the EKU Client Authentication and not Server Authentication.

  • Access Points must trust the CA that has issued your RADIUS Server Certificate.

  • RADIUSaaS needs to trust the CA that has issued the client certificate on your access points.
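
A pre-flight check for the client-certificate requirements above, as an added example that is not part of the original documentation: it uses the openssl CLI to confirm that the certificate lists Client Authentication, does not list Server Authentication (a strict reading of the requirement, assumed here), and chains to the CA that will be marked as trusted. The function names, file names and throwaway demo PKI are constructed for illustration.

```shell
# Added example: pre-flight check of a RadSec client certificate.
# Usage: radsec_cert_check <client-cert.pem> <issuing-ca.pem>
# Returns 0 only if the EKU and chain requirements are met.
radsec_cert_check() (
  cert=$1; ca=$2
  text=$(openssl x509 -in "$cert" -noout -text) \
    || { echo "FAIL: cannot parse $cert"; exit 2; }
  # The EKU must list Client Authentication ...
  printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" \
    || { echo "FAIL: EKU Client Authentication missing"; exit 1; }
  # ... and (strict reading, an assumption) must not list Server Authentication.
  if printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"; then
    echo "FAIL: EKU Server Authentication present"; exit 1
  fi
  # The certificate must chain to the CA that the RADIUS side will trust.
  openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: chain does not validate against $ca"; exit 1; }
  echo "OK: $cert"
)

# Constructed demo PKI (throwaway keys) so the check can be tried offline.
# make_demo_pki <dir> writes ca.pem, ap-good.pem (clientAuth) and
# ap-bad.pem (serverAuth) into an existing directory.
make_demo_pki() (
  cd "$1" || exit 2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo RadSec CA" -days 1 2>/dev/null || exit 2
  for pair in good:clientAuth bad:serverAuth; do
    name=ap-${pair%%:*}
    printf 'extendedKeyUsage=%s\n' "${pair#*:}" > "$name.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=$name" 2>/dev/null || exit 2
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -extfile "$name.ext" -out "$name.pem" 2>/dev/null || exit 2
  done
)
```

Run `radsec_cert_check` against the certificate exported for the access point and the CA file you intend to upload as trusted; a non-zero exit code means the certificate should be reissued before it is deployed.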

Some access points (counterintuitively) still require a shared secret when RadSec is configured. The RadSec RFC defines that a static and predefined value must be used for this: "radsec".

