Radiator Server Documentation — v10.33.2
tls
The tls clause configures Transport Layer Security (TLS) for server listeners. This configuration applies to all server types that support TLS:
- HTTP servers - Enables HTTPS with HTTP/1.1 and HTTP/2 support
- RADIUS servers - Enables RadSec (RADIUS over TLS, RFC 6614) on port 2083
- TACACS+ servers - Enables TACACS+ over TLS
Parameters
| Parameter | Description | Required |
|---|---|---|
| certificate | Server certificate name (from certificates block) | Yes |
| certificate_key | Server private key name (from certificates block) | Yes |
| server_ca_certificate | Additional certificates to append to the presented server certificate chain, typically intermediates | No |
| require_client_certificate | Whether clients must present a certificate | No |
| client_ca_certificate | CA certificate for validating client certificates | Conditional |
| @verification | Custom certificate verification pipeline | No |
| min_protocol_version | Minimum TLS protocol version (Tlsv12, Tlsv13) | No |
| max_protocol_version | Maximum TLS protocol version (Tlsv12, Tlsv13) | No |
| tls13_session_tickets | Number of TLS 1.3 session tickets to send (0 to disable) | No |
| keylog_filename | File path for TLS key logging (for debugging with Wireshark) | No |
require_client_certificate defaults to true when omitted. Set
require_client_certificate false; for one-way TLS listeners such as a normal
HTTPS endpoint.
The client_ca_certificate parameter is required when
require_client_certificate is set to true.
server_ca_certificate is optional. Use it when the certificate configured in
certificate does not already contain the full chain that clients should
receive from the server.
Example: HTTPS Server
certificates {
x509 "SERVER_CERT" {
filename "/var/lib/radiator/certs/server.pem";
}
key "SERVER_KEY" {
filename "/var/lib/radiator/certs/server-key.pem";
}
}
servers {
http "HTTPS_SERVER" {
listen {
protocol tls;
port 8443;
ip 0.0.0.0;
tls {
certificate "SERVER_CERT";
certificate_key "SERVER_KEY";
require_client_certificate false;
}
}
}
}
Example: RadSec Server (RADIUS over TLS)
RadSec typically requires mutual TLS (mTLS) where both server and client authenticate with certificates:
certificates {
x509 "RADSEC_CERT" {
filename "/var/lib/radiator/certs/radsec-server.pem";
}
key "RADSEC_KEY" {
filename "/var/lib/radiator/certs/radsec-server-key.pem";
}
x509 "RADSEC_SERVER_CA" {
filename "/var/lib/radiator/certs/radsec-ca.pem";
}
x509 "RADSEC_CLIENT_CA" {
filename "/var/lib/radiator/certs/radsec-client-ca.pem";
}
}
servers {
radius "RADSEC" {
listen {
protocol tls;
port 2083;
ip 0.0.0.0;
tls {
certificate "RADSEC_CERT";
certificate_key "RADSEC_KEY";
server_ca_certificate "RADSEC_SERVER_CA";
# RadSec requires client certificates
require_client_certificate true;
client_ca_certificate "RADSEC_CLIENT_CA";
@verification {
if any {
cert.valid != true;
# Require certificate issued under network device policy
cert.policy != "1.3.6.1.4.1.99999.1.2.3";
# Require certificate from partner organization
cert.subject.o != "Partner Network Inc";
} then {
reject;
} else {
accept;
}
}
}
}
clients "RADSEC_CLIENTS";
}
}
Example: TACACS+ over TLS
Add a tls { ... } block to a TACACS+ server listen { protocol tls; ... }
section. The TLS listener honors ip-accept, listener timeout,
keepalive, and per-client timeout exactly like the plain TCP listener.
servers {
tacacs-plus "TACACS_TLS" {
listen {
protocol tls;
port 49;
ip 0.0.0.0;
ip-accept "TACACS_TLS_ACCESS";
timeout 30s;
tls {
certificate "TACACS_SERVER_CERT";
certificate_key "TACACS_SERVER_KEY";
require_client_certificate true;
client_ca_certificate "TACACS_CLIENT_CA";
}
}
clients "TACACS_TLS_CLIENTS";
policy "POLICY_TACACS_PLUS";
}
}
Notes:
- TACACS+ TLS listeners do not parse a PROXY header before the TLS handshake.
tlsandproxy-protocoltogether on the same TACACS+ listener is rejected at configuration load. Use a plain TCP listener if you need PROXY protocol. - TACACS+ clients matched on a TLS listener must declare
protocol tls;in theirsourceblock. See clients.tacacs-plus for the matching rules.
For policy, multistage authentication, and operational guidance, see TACACS+ Authentication, Authorization, and Accounting.
Example: Mutual TLS (mTLS)
When client certificate verification is required:
certificates {
x509 "SERVER_CERT" {
filename "/var/lib/radiator/certs/server.pem";
}
key "SERVER_KEY" {
filename "/var/lib/radiator/certs/server-key.pem";
}
x509 "SERVER_CA" {
filename "/var/lib/radiator/certs/ca.pem";
}
x509 "CLIENT_CA" {
filename "/var/lib/radiator/certs/client-ca.pem";
}
}
servers {
http "MTLS_SERVER" {
listen {
protocol tls;
port 8443;
ip 0.0.0.0;
tls {
certificate "SERVER_CERT";
certificate_key "SERVER_KEY";
server_ca_certificate "SERVER_CA";
# Require and validate client certificates
require_client_certificate true;
client_ca_certificate "CLIENT_CA";
}
}
}
}
See Also
- certificates - Certificate configuration
- tls.verification - Custom certificate verification rules
- servers.http.listen - HTTP listen configuration
- servers.http - HTTP server configuration
- clients.tacacs-plus - TACACS+ client matching, secrets, and timeouts
- servers.listen.ip-accept - Pre-admission IP filtering
- servers.listen.proxy-protocol - PROXY protocol behavior on TCP and TLS listeners
- servers.radius.listen - RADIUS listen configuration
- servers.radius - RADIUS server configuration
Navigation