Configuring RADIUS Server Certificates
If the RADIUS service uses a TLS connection, a valid RADIUS server certificate must be used with the service. A RADIUS server's certificate can be CA-signed or self-signed. This section describes how to initially configure certificates and how to manage a new certificate when the previous certificate expires. This section does not apply to the UDP protocol.
Initially Configuring RADIUS Server Certificates
For more information about trusted certificates, see the sections about trusted certificates in Configuring Certificates.
You can supply a list of trusted CA certificates. RADIUS server certificates issued by those trusted CAs and marked as trusted by RADIUS do not require special management.
If a RADIUS server's certificate is not issued by a trusted CA, whether it was issued by another CA or is self-signed, you are asked to review and approve the certificate. If you accept the certificate, it is added to the list of trusted certificates.
Managing Expired and New RADIUS Server Certificates
If you individually accepted a certificate, either a CA-signed certificate or a self-signed certificate, then when the RADIUS server's certificate expires, you must approve the new certificate. Select the server, test the connection, and examine and approve the new certificate. See Approving a New RADIUS Server Certificate - BUI, CLI.
If you supply CA certificates, changes in the individual server certificates are handled automatically. When your server changes CA certificates, ensure that the new CA certificate is added to the appliance before your RADIUS server starts using it. If the server starts using the new CA certificate before you add it to the appliance, your RADIUS service will be interrupted.
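One way to check from an administrator workstation which of the two cases above a server certificate falls into, and how close it is to expiry, before the RADIUS server starts presenting it. This is an added example using the OpenSSL command line, not part of the original documentation or the appliance software; the file names, the 30-day default window and the sample certificates it generates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not appliance code). File names and the 30-day default are assumptions.

# radius_cert_status CERT CA_BUNDLE [WARN_DAYS] -> prints "<trust> <validity>"
#   trust:    ca-trusted (chains to a CA in CA_BUNDLE) | individual (self-signed or
#             unknown CA, so each replacement certificate needs manual approval)
#   validity: expired | expiring (within WARN_DAYS) | ok
radius_cert_status() {
    cert=$1 ca=$2 warn_days=${3:-30}
    [ -r "$cert" ] && [ -r "$ca" ] || { echo "unreadable input" >&2; return 2; }
    # Chain check only: -no_check_time keeps expiry out of the trust decision and
    # -no-CApath stops the local system trust store from vouching for the certificate.
    if openssl verify -no-CApath -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1
    then trust=ca-trusted
    else trust=individual
    fi
    # x509 -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
    then validity=expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1
    then validity=expiring
    else validity=ok
    fi
    echo "$trust $validity"
}

# make_constructed_certs DIR: writes a throwaway CA, a server certificate issued by
# it, and a self-signed certificate. All are constructed sample data (90-day validity).
make_constructed_certs() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=placeholder\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > "$d/x.cnf"
    openssl req -x509 -config "$d/x.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" -days 90 2>/dev/null &&
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/srv.pem" -days 90 >/dev/null 2>&1 &&
    openssl req -x509 -config "$d/x.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=selfsigned.example.test" -keyout "$d/self.key" -out "$d/self.pem" -days 90 2>/dev/null
}

# Demo on the constructed certificates.
demo_dir=$(mktemp -d) && make_constructed_certs "$demo_dir" && {
    echo "CA-issued:   $(radius_cert_status "$demo_dir/srv.pem" "$demo_dir/ca.pem")"
    echo "self-signed: $(radius_cert_status "$demo_dir/self.pem" "$demo_dir/ca.pem")"
}
rm -rf "$demo_dir"
```

Run `radius_cert_status` against the certificate the RADIUS server will present next and a file holding the CA certificates already supplied to the appliance; a result of `individual` means the replacement certificate has to be reviewed and approved by hand.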
Approving a New RADIUS Server Certificate (BUI)
Use the following procedure to accept a new certificate after the previous certificate has expired.