Configuring RADIUS authentication over TLS (RadSec)

Session Monitor Release 6.1 offers secure RADIUS (RadSec) as an optional alternative to traditional UDP‑based RADIUS. With RadSec, RADIUS messages are transmitted over TCP and secured using TLS, providing confidentiality, integrity, and certificate‑based authentication, while avoiding the risks associated with legacy MD5 mechanisms.

Session Monitor employs the radsecproxy module to serve as an intermediary between the application and the RADIUS server. It receives local RADIUS requests from Session Monitor, encapsulates them within a TLS-protected TCP tunnel with certificate validation, forwards them to the external RADIUS server, and relays the responses back to Session Monitor.

Key Capabilities

Note: Use of RadSec is optional. There is no impact on current RADIUS authentication mechanisms.

  • Secure RADIUS communication using TLS (RadSec) instead of traditional UDP.
  • Support for both internal (nginx) and external (httpd) RADIUS authentication configurations within Session Monitor.
  • Compatible with TLS 1.2 and TLS 1.3.
  • Seamless integration with existing RADIUS infrastructure using the radsecproxy module.
  • Failover support with multiple RADIUS servers.
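
The proxy arrangement described above, together with the TLS version limits and multi-server failover from the capability list, looks roughly like this in a generic radsecproxy.conf. This is an added illustration, not the configuration shipped with Session Monitor; the host names, file paths, block names, listen port and local secret are placeholder assumptions.

```conf
# Illustrative radsecproxy.conf (added example; all names and paths are placeholders)

# Accept plain RADIUS only on loopback, so unprotected traffic never leaves the host.
ListenUDP 127.0.0.1:1812

# TLS context used for the upstream RadSec connections.
tls default {
    CACertificateFile   /etc/radsecproxy/certs/ca.pem       # CA that signed the RADIUS servers
    CertificateFile     /etc/radsecproxy/certs/client.pem   # this proxy's certificate
    CertificateKeyFile  /etc/radsecproxy/certs/client.key   # keep readable by the proxy user only
    TlsVersion          TLS1_2:TLS1_3                       # min:max, in recent radsecproxy releases
}

# The local application speaking traditional UDP RADIUS to the proxy.
client local-app {
    host   127.0.0.1
    type   udp
    secret CHANGE-ME-local-shared-secret
}

# Primary RadSec server: TLS over TCP, with the server certificate name checked.
server radsec-primary {
    host                 radius1.example.com
    port                 2083
    type                 tls
    tls                  default
    secret               radsec        # fixed value for RADIUS/TLS (RFC 6614)
    certificateNameCheck on            # reject certificates that do not match the host
    statusServer         on            # probe liveness so failover can trigger
}

# Secondary RadSec server, used when the primary is marked down.
server radsec-secondary {
    host                 radius2.example.com
    port                 2083
    type                 tls
    tls                  default
    secret               radsec
    certificateNameCheck on
    statusServer         on
}

# Servers are tried in the order listed, which gives the failover behaviour.
realm * {
    server radsec-primary
    server radsec-secondary
}
```

Leaving certificateNameCheck on and restricting the plain-UDP listener to loopback are the two settings that keep the TLS tunnel from being bypassed or terminated by an unexpected peer.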