
RadSec - Secure RADIUS

RadSec (RADIUS over TLS) provides encrypted, certificate-based authentication for OpenRoaming federation with IronWifi. This overview covers RadSec benefits, IronWifi server configuration, certificate management, and implementation requirements for secure WiFi roaming deployments.

Quick Start

  1. Log in to IronWifi Console > Networks > select your network
  2. Enable RadSec from the dropdown
  3. Download certificate bundle (contains Root CA, Intermediate CA, client cert, and key)
  4. Upload certificates to your access point/controller
  5. Configure RadSec connection to radsec.ironwifi.com:2083
  6. Test authentication with a Passpoint device

Prerequisites

In IronWifi Console (complete these first):

  1. Create or select a Network in the IronWifi Console
  2. Enable OpenRoaming from the dropdown menu
  3. Enable RadSec from the dropdown menu
  4. Download the certificate bundle (ZIP file containing Root CA, Intermediate CA, client certificate, and private key)

In Your Network Infrastructure:

  • Access points or controller with RadSec/RADIUS over TLS support
  • Network connectivity to IronWifi RadSec servers on port 2083
  • Ability to import and configure TLS certificates
  • Hotspot 2.0 (Passpoint) capable hardware for OpenRoaming

What is RadSec?

RadSec is RADIUS over TLS, defined in RFC 6614 (the DTLS variant, RADIUS/DTLS, is specified separately in RFC 7360). It provides:

  • Encrypted transport - The entire RADIUS exchange is carried inside a TLS session, so no attribute is visible on the wire
  • Certificate authentication - Mutual TLS: the client verifies the server certificate and the server verifies the client certificate. RFC 6614 fixes the legacy RADIUS shared secret to the string "radsec"; it is no longer a security control
  • Reliable transport - TCP instead of UDP; one long-lived TLS connection carries many RADIUS packets, each delimited by its RADIUS Length field
  • Federation support - Required for OpenRoaming

Why Use RadSec?

Traditional RADIUS Limitations

Standard RADIUS has security limitations:

  • UDP-based (no guaranteed delivery, no connection state)
  • A static shared secret, often reused across many devices, is the only authentication of RADIUS packets
  • Traffic is not encrypted: only the User-Password attribute (and a few vendor attributes such as MS-MPPE keys) is obfuscated with an MD5-based scheme keyed by the shared secret; usernames, client MAC addresses and all other attributes are sent in cleartext
  • Difficult to federate across organizations, because every pair of partners must exchange and protect a shared secret

RadSec Benefits

Feature          Standard RADIUS                    RadSec
Transport        UDP                                TCP with TLS
Encryption       Attribute obfuscation only         Full (entire session under TLS)
Authentication   Static shared secret               X.509 certificates (mutual TLS)
Port             1812 (auth) / 1813 (acct), UDP     2083, TCP
Federation       Difficult                          Native support

IronWifi RadSec Servers

Server Addresses

IronWifi provides RadSec servers in multiple regions:

Region     Server Address                 Port
Global     radsec.ironwifi.com            2083
US East    us-east.radsec.ironwifi.com    2083
US West    us-west.radsec.ironwifi.com    2083
Europe     eu.radsec.ironwifi.com         2083

Certificate Requirements

To connect to IronWifi RadSec:

  1. Root CA Certificate - IronWifi Root CA
  2. Intermediate CA - RadSec Signing CA
  3. Client Certificate - Your organization's certificate
  4. Client Key - Private key for client certificate

Enabling RadSec in IronWifi

Step 1: Enable RadSec

  1. Log in to IronWifi Console
  2. Navigate to Networks > select your network
  3. Find RadSec option
  4. Select Enabled from dropdown
  5. Page reloads with certificate download link

Step 2: Download Certificates

  1. Click the certificate bundle download link
  2. Download and extract the ZIP file
  3. Contents include:
    • iw-rsa-root-ca.cert.pem - Root CA
    • iw-rsa-radsec-signing-ca.cert.pem - Intermediate CA
    • client.cert.pem - Your client certificate
    • client.key.pem - Your private key

Step 3: Configure Access Points

Upload certificates to your wireless infrastructure:

Certificate Chain

IronWifi Root CA
└── RadSec Signing Intermediate CA
    └── Your Client Certificate

All three certificates must be installed on your access points, but they play different roles: the Root CA and Intermediate CA are installed as trusted CAs so the access point can verify the IronWifi server certificate and build the chain, while the client certificate is installed together with its private key as the access point's own RadSec identity. Where a platform wants the chain in a single file, order it client certificate first, then intermediate, then root.

RadSec + OpenRoaming

RadSec is required for OpenRoaming federation:

Device → Access Point → RadSec (TLS) → IronWifi (Roaming Hub) → OpenRoaming Federation

Benefits for OpenRoaming

  1. Secure federation - Encrypted communication with roaming hub
  2. Trust verification - Certificate-based authentication
  3. Global reach - Connect to worldwide OpenRoaming network
  4. Compliance - Meets WBA OpenRoaming requirements

Troubleshooting

Connection Failures

  1. Certificate Issues

    • Verify all certificates are installed (root, intermediate, client certificate and its private key)
    • Check certificate validity dates
    • Ensure proper chain order (client certificate, then intermediate, then root)
  2. Network Issues

    • Verify outbound TCP port 2083 is open
    • Check firewall rules
    • Test connectivity to the RadSec server
  3. TLS Handshake Failures

    • Verify TLS version compatibility (the client must offer a version the server accepts; modern RadSec servers typically require TLS 1.2 or later)
    • Check the certificate trust chain on both sides
    • Review server name verification (the name you connect to must match the server certificate)

Debug Steps

# Build the CA chain file from the bundle (the ZIP does not ship one)
cat iw-rsa-radsec-signing-ca.cert.pem iw-rsa-root-ca.cert.pem > ca-chain.pem

# Test RadSec connectivity with mutual TLS; a good result ends with
# "Verify return code: 0 (ok)"
openssl s_client -connect radsec.ironwifi.com:2083 \
    -servername radsec.ironwifi.com \
    -verify_hostname radsec.ironwifi.com \
    -cert client.cert.pem \
    -key client.key.pem \
    -CAfile ca-chain.pem

# Check certificate validity (Issuer, Validity dates, Subject)
openssl x509 -in client.cert.pem -text -noout
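The checks a practitioner should run on an extracted bundle before uploading anything to an access point, covering both the chain layout from Step 3 and the debug steps above. This is an added example and not IronWifi's own tooling: it assumes the four file names from the IronWifi ZIP and a local openssl CLI, and the make_test_bundle function builds a constructed, throwaway root → signing CA → client chain of the same shape so the script can be exercised offline without real IronWifi material.

```shell
#!/bin/sh
# Added example (not IronWifi's code): pre-flight checks on a RadSec
# certificate bundle. Assumes the IronWifi ZIP file names and openssl.

# Check an extracted bundle directory. Return codes:
#   0 OK (and ca-chain.pem written)   1 chain does not verify
#   2 private key does not match cert 3 cert expires within 30 days
#   4 a bundle file is missing
check_radsec_bundle() {
    dir=$1
    root="$dir/iw-rsa-root-ca.cert.pem"
    inter="$dir/iw-rsa-radsec-signing-ca.cert.pem"
    cert="$dir/client.cert.pem"
    key="$dir/client.key.pem"
    for f in "$root" "$inter" "$cert" "$key"; do
        [ -r "$f" ] || return 4
    done
    # Only the root is a trust anchor; the intermediate is untrusted input
    # that must chain to it. -purpose sslclient also checks the EKU.
    openssl verify -CAfile "$root" -untrusted "$inter" \
        -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
    # The key must belong to the certificate: compare the public keys
    # (works for any key type, not only RSA moduli).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
    # Fail early if the client certificate expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || return 3
    # Chain file for the openssl s_client test: intermediate, then root.
    cat "$inter" "$root" > "$dir/ca-chain.pem"
    return 0
}

# Constructed test fixture (hypothetical names): a three-tier chain shaped
# like the IronWifi bundle, root -> signing CA -> client, throwaway keys.
make_test_bundle() {
    dir=$1
    ext="$dir/ext.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key.pem" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key.pem" \
        -days 3650 -extfile "$ext" \
        -out "$dir/iw-rsa-root-ca.cert.pem" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test RadSec Signing CA" \
        -keyout "$dir/inter.key.pem" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -days 1825 \
        -CA "$dir/iw-rsa-root-ca.cert.pem" -CAkey "$dir/root.key.pem" \
        -CAcreateserial -extfile "$ext" \
        -out "$dir/iw-rsa-radsec-signing-ca.cert.pem" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-network-radsec-client" \
        -keyout "$dir/client.key.pem" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -days 365 \
        -CA "$dir/iw-rsa-radsec-signing-ca.cert.pem" -CAkey "$dir/inter.key.pem" \
        -CAcreateserial -extfile "$ext" \
        -out "$dir/client.cert.pem" >/dev/null 2>&1
}

# Usage: sh radsec-bundle-check.sh /path/to/extracted/bundle
# With no argument the script checks a constructed fixture instead.
if [ -n "$1" ]; then
    target=$1
else
    target=$(mktemp -d)
    make_test_bundle "$target"
fi
if check_radsec_bundle "$target"; then
    echo "bundle OK: wrote $target/ca-chain.pem"
else
    echo "bundle check failed with code $?" >&2
fi
```

Exit codes 1 to 4 name the failing check so the script can gate an automated upload, and on success it leaves ca-chain.pem next to the bundle for the s_client test above. Run it against the real bundle by passing the extracted directory as the first argument.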

Common Errors

Error                      Cause                                      Solution
Certificate verify failed  Missing CA                                 Install root + intermediate CA
Connection refused         Port blocked                               Allow outbound TCP 2083 to the RadSec server
Handshake failure          Wrong cert/key, or no common TLS version   Verify the private key matches the certificate; check TLS version support
Unknown CA                 The peer does not trust the chain shown    Install root + intermediate as trusted; if the alert comes from the server, re-download the bundle for this network and re-upload it

Best Practices

  1. Protect private keys - Secure storage, restrict access
  2. Monitor expiration - Certificates expire, plan renewal
  3. Configure a backup server - Add a regional server alongside radsec.ironwifi.com so authentication continues if one endpoint is unreachable
  4. Test connectivity - Verify before production
  5. Keep certificates current - Re-download the bundle from the console when certificates are renewed or reissued

Vendor Guides

Standard RADIUS Guides (No Native RadSec)