
17 Aug 12 Cisco Authentication through Microsoft RADIUS Server

Configure AAA on Cisco switch and a router with Microsoft RADIUS Server 2008

I recently started a new job and found out that there was no AAA set up on any of the Cisco network gear: switches, routers and firewalls. Each of them was using its local authentication method, which to me is not acceptable. I like single sign-on and the ability to control access and log access from a central location. We discussed Cisco ACS, which is really cool and gives you all kinds of features; however, I only needed the following:

  • Single Sign on using Microsoft Active Directory
  • Control access from one single location
  • Ability to log access to all the Cisco Network equipment

To accomplish those tasks I didn’t see myself spending all that money on Cisco ACS. Instead I decided to save some money for my company, utilize our existing infrastructure and deploy a Microsoft RADIUS server for AAA on the Cisco switches, routers and firewalls. Its proper name is Microsoft NPS (Network Policy Server) 2008. It offers many features and lots of configuration options; I just configured it for what I needed.

Here are the configuration steps for deploying the Microsoft NPS 2008 Server for Cisco device authentication:

  • First, make sure you join the server to the domain
  • Next, from the control panel choose Turn Windows features on or off, right click in “Server Manager” and then hit Next
  • On the next screen choose Network Policy and Access Services and click Next
  • The next screen just shows a confirmation of what you are installing; go ahead and click the “Install” button. Once the install finishes and you fire up the Network Policy Server 2008 snap-in, right click on the NPS (Local) icon and choose Register server in Active Directory
  • That was the initial install, and it was pretty simple. The next phase was to configure it so that the Cisco switches and routers use this server to authenticate users from Microsoft Active Directory
  • I expanded Policies, right clicked on Network Policies and chose New from the menu; a new policy wizard comes up.
  • I named my policy CiscoAuth, left Type of network access server as “Unspecified” and clicked Next:
  • The next screen asks you to Specify Conditions. Since I wanted users to authenticate against Microsoft Active Directory and be members of a certain group, I added that group here:


  • Once that is done click Next and on that screen choose Access Granted:
  • Next I needed to configure the Authentication Methods. On that screen you have to check Unencrypted Authentication (PAP, SPAP), as that is what is supported by Cisco IOS, and uncheck the rest. You will get a pop-up telling you that you have selected one or more insecure authentication methods; just hit “Yes” and click Next:
  • The next screen asks about Idle Timeout. I set mine to 5 minutes:
  • On the next screen, under Standard, you will see RADIUS Standard Attributes. Two are already there, Framed-Protocol and Service-Type. I removed both of them and added Service-Type as Login:


  • On the next screen, under Vendor Specific, I defined an attribute so that users log in and go straight to privileged EXEC mode. Click the Add button, choose Cisco from the Vendor drop-down, select Cisco-AV-Pair and click Add.
  • Next I clicked on Edit and set the Value to shell:priv-lvl=15:

  • That is it; I just hit Next and the policy was all set. Next I added my RADIUS client under RADIUS Clients and Servers –> RADIUS Clients: simply right click and choose New.
  • On the client screen that comes up I made sure Enable this RADIUS client is checked. For the friendly name I like to use the host name of the device, then the IP address of the device and the shared secret:
  • Now I was done with the RADIUS part, and it was time to configure the Cisco switch to talk to the Microsoft NPS Server 2008 using the RADIUS protocol and allow users to log in with Microsoft Active Directory credentials
  • I used the following configuration lines on the Cisco switch so that it allows users to log in using their Microsoft Active Directory credentials:


    aaa new-model
    !
    ! "group radius local": ask the NPS server first, fall back to the local
    ! user database only if no RADIUS server answers
    aaa authentication login vtylogin group radius local
    aaa authentication login conlogin group radius local
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec vtylogin group radius local
    aaa authorization exec conlogin group radius local
    !
    ! shared secret must match the RADIUS client entry on the NPS server
    radius-server host 10.1.5.236 key xxxomittedxxxx
    !
    line con 0
     exec-timeout 5 0
     authorization exec conlogin
     logging synchronous
     login authentication conlogin
    line vty 0 4
     ! exec-timeout 0 0 disables the idle timeout on these VTY lines
     exec-timeout 0 0
     authorization exec vtylogin
     login authentication vtylogin
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     authorization exec vtylogin
     login authentication vtylogin
     transport input ssh

Now I was able to log into all my switches using my Microsoft Active Directory credentials, as could the rest of the users that were added earlier on the RADIUS server.
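To show what the switch and the NPS server actually exchange under the policy above, here is an added example in Python; it is not code from the original post, from Cisco or from Microsoft. It builds the RFC 2865 Access-Request the switch sends (with the PAP password hidden under the shared secret), simulates the NPS Access-Accept carrying Service-Type=Login and the Cisco-AV-Pair shell:priv-lvl=15, verifies the Response Authenticator the way the switch does, and extracts the privilege level. The username, the switch address 10.1.5.10 and the shared secret are constructed values; the attribute numbers and the Cisco vendor ID 9 are the standard ones. Standard library only.

```python
"""RFC 2865 RADIUS exchange behind the CiscoAuth policy above. Added example with
constructed names, addresses and shared secret; standard library only."""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1                 # "Service-Type as Login" in the NPS policy
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Cisco-AV-Pair VSA carrying shell:priv-lvl=15


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 PAP hiding: XOR 16-byte chunks of the NUL-padded password with
    MD5(secret + previous block). Obfuscation keyed by the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2: NPS (or anyone holding the secret) recovers the plaintext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor 9 / sub-type 1 (cisco-avpair)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def access_request(ident: int, user: str, password: str, secret: bytes, nas_ip: str,
                   request_auth: Optional[bytes] = None) -> bytes:
    """What the switch sends for 'aaa authentication login ... group radius'."""
    request_auth = request_auth or os.urandom(16)      # fresh random value per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def access_accept(request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """NPS reply. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    which binds the reply to the request and to the shared secret (RFC 2865 section 3)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Switch-side check: the reply must carry our request ID and a valid authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected

def parse_attrs(packet: bytes):
    """Yield (type, value) pairs; an attribute length below 2 would loop forever, so reject it."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[i + 2:i + length]
        i += length

def privilege_level(accept: bytes) -> Optional[int]:
    """Extract N from a Cisco-AV-Pair 'shell:priv-lvl=N', as IOS does for exec authorization."""
    for attr_type, value in parse_attrs(accept):
        if attr_type != VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        if value[4] == CISCO_AVPAIR:
            text = value[6:4 + value[5]].decode()
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None

def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """One login through the policy: constructed user, switch 10.1.5.10, simulated NPS reply."""
    req = access_request(7, "jdoe", "Pa55w0rd!", secret, "10.1.5.10")
    hidden = next(v for t, v in parse_attrs(req) if t == USER_PASSWORD)
    reply = access_accept(req, secret, attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
                          + cisco_avpair("shell:priv-lvl=15"))
    return {
        "password_recovered": reveal_password(hidden, secret, req[4:20]) == b"Pa55w0rd!",
        "authentic": response_is_authentic(reply, req, secret),
        "wrong_secret_rejected": not response_is_authentic(reply, req, b"other-secret"),
        "priv_lvl": privilege_level(reply),
    }

if __name__ == "__main__":
    print(demo())
```

demo() returns the three checks as True and priv_lvl 15. The reveal_password step is the point of the “insecure authentication methods” warning in the wizard: with PAP the password is only XOR-masked with an MD5 stream derived from the shared secret, so the secret and the switch-to-NPS path are what protect it. Keep the secret long and random, restrict each NPS client entry to the device’s address, and keep RADIUS traffic on the management network.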

Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂


Reader's Comments

  1.

    If I have 250 cisco devices, do I need a radius client line in NPS for each device?

  2.

    Not necessarily. You should be able to use a range. Hope this link helps.
    https://technet.microsoft.com/en-us/library/cc731824%28v=ws.10%29.aspx
