I recently started a new job and found out that there was no AAA setup on any of the Cisco network gear: switches, routers and firewalls. Each one of them was using its local authentication method, which to me is not acceptable. I like single sign-on and the ability to control access and log access from a central location. We discussed Cisco ACS, which is really cool and gives you all kinds of features; however, I only needed the following features:
To accomplish those tasks I didn't see myself spending all that money on Cisco ACS. Instead I decided to save some money for my company, utilize our existing infrastructure and deploy a Microsoft RADIUS server for AAA on the Cisco switches, routers and firewalls. Its proper name is Microsoft NPS (Network Policy Server) 2008. It offers many features and lots of configuration options; I just configured it for what I needed.
Here are the configuration steps for deploying the Microsoft NPS 2008 Server for Cisco device authentication:
aaa new-model
!
! Method lists: try the RADIUS server group first and fall back to the local
! user database only if no RADIUS server responds (not if RADIUS rejects the login)
aaa authentication login vtylogin group radius local
aaa authentication login conlogin group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec vtylogin group radius local
aaa authorization exec conlogin group radius local
!
! NPS server and the shared secret; it must match the RADIUS client entry for this device on NPS
radius-server host 10.1.5.236 key xxxomittedxxxx
!
line con 0
 exec-timeout 5 0
 authorization exec conlogin
 logging synchronous
 login authentication conlogin
line vty 0 4
 exec-timeout 0 0
 authorization exec vtylogin
 login authentication vtylogin
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 authorization exec vtylogin
 login authentication vtylogin
 transport input ssh
Now I was able to log into all my switches using my Microsoft Active Directory credentials, as could the rest of the users that were added earlier on the RADIUS server.
Note: Use this as a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab and never do anything that you cannot undo 🙂
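To show what the `key` on the `radius-server host` line actually protects on the wire, here is an added Python example (not from this post, nor Cisco's or Microsoft's code). It builds the PAP Access-Request a switch would send, answers it as a minimal stand-in for NPS, and performs the Response Authenticator check a switch relies on to drop a reply that was not signed with the same shared key. The secret, the user dictionary, the NAS address and the function names are constructed placeholders for illustration.

```python
import hashlib, hmac, os, struct
# Constructed values: the page omits its real shared key, so a placeholder stands in
# for the "key" on the radius-server line; the dict stands in for the AD accounts NPS checks.
SECRET = b"xxxomittedxxxx"
USERS = {"netadmin": "S3cret-Lab-Pw"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def attr(atype, value):  # one attribute: Type, Length, Value (RFC 2865 section 5)
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(data, secret, req_auth, hide=True):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    the first with MD5(secret + Request Authenticator). XOR is symmetric, so hide=False unhides."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])  # chain follows ciphertext
    return out

def access_request(ident, user, password, nas_ip):  # what the switch sends for a PAP login
    req_auth = os.urandom(16)  # fresh random nonce per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), SECRET, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def radius_server(request, secret=SECRET):
    """Stand-in for NPS: unhide and check the password, then sign the reply with the key."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    pw = hide_password(attrs[USER_PASSWORD], secret, req_auth, hide=False).rstrip(b"\x00")
    ok = hmac.compare_digest(pw, USERS.get(attrs[USER_NAME].decode(), "").encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def nas_accepts(reply, ident, req_auth, secret=SECRET):
    """Switch-side check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return (code == ACCESS_ACCEPT and rid == ident and length == len(reply)
            and hmac.compare_digest(reply[4:20], expected))
```

Because the password is only XOR-hidden with an MD5 keystream and the reply is authenticated with a plain MD5 over the shared secret, the strength of this exchange rests on the key length and on the path between switch and NPS being trusted.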
If I have 250 Cisco devices, do I need a RADIUS client line in NPS for each device?
Not necessarily. You should be able to use a range. Hope this link helps.
https://technet.microsoft.com/en-us/library/cc731824%28v=ws.10%29.aspx