How-To: Issue a RadSec Client Certificate for Your Network Device

Learn how to create a RadSec client certificate for your network device to securely authenticate with Cloud RADIUS.

Overview - How to Create a RadSec Certificate for Your Network Device

When configuring RadSec (RADIUS over TLS) with EZRADIUS, you will need to create a client certificate and private key for your network device, and also upload the EZRADIUS RadSec CA certificate to your network device so that it can trust the EZRADIUS RadSec server.

The RadSec client certificate and private key are used by your network device to authenticate itself to the EZRADIUS RadSec server when establishing a secure RADIUS connection. The EZRADIUS RadSec CA certificate is used by your network device to verify the identity of the EZRADIUS RadSec server and establish trust. This two-way trust relationship ensures that your network device can securely communicate with the EZRADIUS RadSec server for RADIUS authentication.

How to Create a RadSec Certificate and Private Key for Your Network Device

A RadSec Client Certificate is required to authenticate your network controller (RADIUS client) to the EZRADIUS server over a secure TLS connection. You can create a RadSec Client Certificate using EZCA or a 3rd Party Certificate Authority.

How to Create a RadSec Client Certificate Using EZCA

EZRADIUS is integrated with EZCA to make it easy to generate a new RadSec Certificate directly in your browser.

  1. First, make sure you’ve added your EZCA Certificate Authority to your EZRADIUS policy under RadSec (RADIUS TLS) Client Configuration > Trusted Certificate Authorities and saved the policy.

  2. In the EZRADIUS dashboard, from the left-hand menu click on Create RadSec Certificate. (If you don’t see this option, make sure you have added an EZCA Certificate Authority to your policy as mentioned in the previous step.)

  3. Under the Issuing CA dropdown, select the EZCA Certificate Authority you previously added to your EZRADIUS policy. If you just have one, it will be selected by default.

  4. Optionally add Tags for your certificate to help identify it later.

  5. Keep the Subject Name as CN=radsec.

  6. Enter at least one IP address of your network controller in the IP Address field and click Add. This field isn’t used for RadSec authentication, so even if you have a dynamic IP, you can still proceed with your current IP.

  7. In the Certificate Location dropdown, select Generate Locally.

  8. Click on Request Certificate. It will take a few seconds to generate the certificate.

  9. Click on Download Full Certificate.

  10. This will download 2 files. The .key file is the private key and the .pem file is the certificate.

How to Create a RadSec Client Certificate Using a 3rd Party Certificate Authority

Any 3rd Party Certificate Authority that can generate a certificate with the appropriate fields can be used to create a RadSec Client Certificate.

  1. First, make sure you’ve added your 3rd Party Certificate Authority to your EZRADIUS policy under RadSec (RADIUS TLS) Client Configuration > Trusted Certificate Authorities and saved the policy.
  2. Refer to your PKI documentation for creating a new RadSec Client Certificate. You will need both the certificate (.pem) and the private key (.key) files.
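
Whichever CA issued them, the .pem and .key files can be checked before they are loaded onto the network device: that the private key belongs to the certificate, that the subject CN is radsec, and that the certificate has not expired. The shell function below is an added example, not part of the EZRADIUS documentation; it uses the OpenSSL command line, and the function name and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the EZRADIUS docs): check a RadSec client
# certificate/key pair with the OpenSSL CLI before loading it on a device.

# check_radsec_pair CERT KEY [EXPECTED_CN]   (hypothetical helper name)
# Returns 0 if all checks pass, 1 on a failed check, 2 if a file cannot be parsed.
check_radsec_pair() {
    cert=$1; key=$2; want_cn=${3:-radsec}; rc=0

    # Extract the public key from each file; stop if either does not parse.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot parse private key $key" >&2; return 2; }

    # A mismatched pair cannot complete TLS client authentication.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2; rc=1
    fi

    # Compare the subject CN exactly (RFC2253 form prints CN=value).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$want_cn'" >&2; rc=1
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert and $key form a valid pair (CN=$cn)"
    fi
    return "$rc"
}

# Usage: sh check_radsec.sh radsec.pem radsec.key   (file names are assumptions)
if [ "$#" -ge 2 ]; then
    check_radsec_pair "$@"
fi
```

Keep the .key file readable only by its owner (for example with chmod 600) while it sits on the workstation.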

How to Get the RadSec CA Certificate from EZRADIUS

The RadSec CA Certificate is used by your network controller to verify the identity of the EZRADIUS server when establishing a secure TLS connection. You can download the RadSec CA Certificate directly from the EZRADIUS dashboard.

  1. Navigate to the EZRADIUS Policies page from the left-hand menu.

  2. Click Download RadSec CA Certificate and save it to your local machine. It should be named radsec_ca.cer, or similar.
