RadSec - Secure RADIUS
RadSec (RADIUS over TLS) provides encrypted, certificate-based authentication for OpenRoaming federation with IronWiFi. This overview covers RadSec benefits, IronWiFi server configuration, certificate management, and implementation requirements for secure WiFi roaming deployments.
Quick Start
- Log in to IronWiFi Console > Networks > select your network
- Enable RadSec from dropdown
- Download certificate bundle (contains Root CA, Intermediate CA, client cert, and key)
- Upload certificates to your access point/controller
- Configure RadSec connection to radsec.ironwifi.com:2083
- Test authentication with a Passpoint device
Prerequisites
In IronWiFi Console (complete these first):
- Create or select a Network in the IronWiFi Console
- Enable OpenRoaming from the dropdown menu
- Enable RadSec from the dropdown menu
- Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)
In Your Network Infrastructure:
- Access points or controller with RadSec/RADIUS over TLS support
- Network connectivity to IronWiFi RadSec servers on port 2083
- Ability to import and configure TLS certificates
- Hotspot 2.0 (Passpoint) capable hardware for OpenRoaming
What is RadSec?
RadSec (defined in RFC 6614) is RADIUS over TLS; RFC 7360 specifies the DTLS variant. It provides:
- Encrypted transport - All RADIUS traffic encrypted via TLS
- Certificate authentication - Mutual TLS for server/client verification
- Reliable transport - TCP instead of UDP
- Federation support - Required for OpenRoaming
Why Use RadSec?
Traditional RADIUS Limitations
Standard RADIUS has security limitations:
- UDP-based (no guaranteed delivery)
- Shared secret for authentication
- Traffic not encrypted (only certain attributes, such as User-Password, are obfuscated with the shared secret; everything else travels in cleartext)
- Difficult to federate across organizations
RadSec Benefits
| Feature | Standard RADIUS | RadSec |
|---|---|---|
| Transport | UDP | TCP/TLS |
| Encryption | Partial | Full |
| Authentication | Shared Secret | Certificates |
| Port | 1812 (auth) / 1813 (acct), UDP | 2083, TCP |
| Federation | Difficult | Native support |
IronWiFi RadSec Servers
Server Addresses
IronWiFi provides RadSec servers in multiple regions:
| Region | Server Address | Port |
|---|---|---|
| Global | radsec.ironwifi.com | 2083 |
| US East | | 2083 |
| US West | | 2083 |
| Europe | | 2083 |
Certificate Requirements
To connect to IronWiFi RadSec:
- Root CA Certificate - IronWiFi Root CA
- Intermediate CA - RadSec Signing CA
- Client Certificate - Your organization's certificate
- Client Key - Private key for client certificate
Enabling RadSec in IronWiFi
Step 1: Enable RadSec
- Log in to IronWiFi Console
- Navigate to Networks > select your network
- Find RadSec option
- Select Enabled from dropdown
- Page reloads with certificate download link
Step 2: Download Certificates
- Click the certificate bundle download link
- Download and extract the ZIP file
- Contents include:
  - Root CA: iw-rsa-root-ca.cert.pem
  - Intermediate CA: iw-rsa-radsec-signing-ca.cert.pem
  - Your client certificate: client.cert.pem
  - Your private key: client.key.pem
Step 3: Configure Access Points
Upload certificates to your wireless infrastructure:
Certificate Chain
All three certificates must be installed and trusted on your access points.
RadSec + OpenRoaming
RadSec is required for OpenRoaming federation:
Benefits for OpenRoaming
- Secure federation - Encrypted communication with roaming hub
- Trust verification - Certificate-based authentication
- Global reach - Connect to worldwide OpenRoaming network
- Compliance - Meets WBA OpenRoaming requirements
Troubleshooting
Connection Failures
Certificate Issues
- Verify all certificates installed
- Check certificate validity dates
- Ensure proper chain order
Network Issues
- Verify port 2083 is open
- Check firewall rules
- Test connectivity to RadSec server
TLS Handshake Failures
- Verify TLS version compatibility
- Check certificate trust chain
- Review server name verification
Debug Steps
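As an added example that is not part of IronWiFi's documentation or tooling, the following POSIX shell script turns the troubleshooting items above (and the Step 3 chain requirement and the Best Practices list) into repeatable checks: bundle completeness, private-key permissions, chain verification with the intermediate CA as the untrusted link, key/certificate match, an expiry window, and a live mutual-TLS handshake. It assumes the four file names listed under Step 2, the endpoint radsec.ironwifi.com:2083 from the Quick Start, and an openssl CLI on the PATH; the RADSEC_HOST and RADSEC_PORT environment variables are the script's own convention for pointing it at a regional server.

```sh
#!/bin/sh
# RadSec pre-flight checks for an extracted IronWiFi certificate bundle.
# Added example, not IronWiFi tooling. Usage: sh radsec-preflight.sh /path/to/bundle
# Assumptions: the file names below (from the bundle contents listed in Step 2),
# the endpoint radsec.ironwifi.com:2083, and an openssl CLI on the PATH.

ROOT_CA="iw-rsa-root-ca.cert.pem"
INTERMEDIATE_CA="iw-rsa-radsec-signing-ca.cert.pem"
CLIENT_CERT="client.cert.pem"
CLIENT_KEY="client.key.pem"
RADSEC_HOST="${RADSEC_HOST:-radsec.ironwifi.com}"   # override to test a regional server
RADSEC_PORT="${RADSEC_PORT:-2083}"

# "Verify all certificates installed": every bundle file is present; lists what is missing.
check_bundle_files() {
    dir="$1"; missing=0
    for f in "$ROOT_CA" "$INTERMEDIATE_CA" "$CLIENT_CERT" "$CLIENT_KEY"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# "Protect private keys": the key must not be group- or world-accessible (mode 0600).
check_key_permissions() {
    key="$1/$CLIENT_KEY"
    mode=$(ls -l "$key" 2>/dev/null | cut -c5-10)   # group+other permission bits
    if [ "$mode" != "------" ]; then
        echo "key $key is not mode 0600 (group/other bits: '$mode')" >&2
        return 1
    fi
}

# "Ensure proper chain order": client cert -> intermediate -> root must verify.
check_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/$ROOT_CA" -untrusted "$dir/$INTERMEDIATE_CA" "$dir/$CLIENT_CERT"
}

# "Verify certificate matches key": the public key in both files must be identical.
check_key_matches_cert() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/$CLIENT_CERT" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$CLIENT_KEY" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# "Monitor expiration": fail if any certificate expires within DAYS (default 30).
check_expiry() {
    dir="$1"; days="${2:-30}"; rc=0
    for f in "$ROOT_CA" "$INTERMEDIATE_CA" "$CLIENT_CERT"; do
        if ! openssl x509 -in "$dir/$f" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "expires within $days days: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# "Test connectivity": a real mutual-TLS handshake on port 2083 trusting only the
# IronWiFi chain; -verify_return_error makes a failed server verification exit non-zero.
check_handshake() {
    dir="$1"; chain=$(mktemp); rc=0
    cat "$dir/$ROOT_CA" "$dir/$INTERMEDIATE_CA" > "$chain"
    openssl s_client -connect "$RADSEC_HOST:$RADSEC_PORT" \
        -cert "$dir/$CLIENT_CERT" -key "$dir/$CLIENT_KEY" \
        -CAfile "$chain" -verify_return_error </dev/null >/dev/null 2>&1 || rc=$?
    rm -f "$chain"
    return $rc
}

# Run every check, report ok/FAIL per step, and return non-zero if any failed.
radsec_preflight() {
    dir="$1"; failed=0
    for step in check_bundle_files check_key_permissions check_chain \
                check_key_matches_cert check_expiry check_handshake; do
        if "$step" "$dir"; then
            echo "ok   $step"
        else
            echo "FAIL $step"
            failed=1
        fi
    done
    return $failed
}

if [ $# -gt 0 ]; then
    radsec_preflight "$1"
else
    echo "usage: $0 /path/to/extracted/bundle" >&2
fi
```

A FAIL on check_chain or check_key_matches_cert maps to the "Certificate verify failed" and "Handshake failure" rows in the Common Errors table; a FAIL on check_handshake alone, with the offline checks passing, points at the network (port 2083 outbound, firewall rules) rather than at the certificates.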
Common Errors
| Error | Cause | Solution |
|---|---|---|
| Certificate verify failed | Missing CA | Install root + intermediate CA |
| Connection refused | Port blocked | Open port 2083 outbound |
| Handshake failure | Wrong cert/key | Verify certificate matches key |
| Unknown CA | Trust not configured | Mark CA as trusted |
Best Practices
- Protect private keys - Secure storage, restrict access
- Monitor expiration - Certificates expire, plan renewal
- Use all regions - Configure backup RadSec servers
- Test connectivity - Verify before production
- Keep certificates current - Download fresh when needed
Vendor Guides
Standard RADIUS Guides (No Native RadSec)