
Cisco RADIUS configuration with Server 2008 R2


Configuring Cisco devices to authenticate via Active Directory isn’t a common practice. From what I’ve seen, most network admins simply set passwords on the vty lines and an enable password. Amazingly, most of those passwords seem to be either cisco or cisco123. I couldn’t find many resources on how to set this up, so after much trial and error I finally have it working and I’m posting it here in hopes it will help someone else. Later I’ll be trying to get 802.1x wired authentication going, but this is a start.

We have a cluster of 2008 R2 Datacenter servers running the Hyper-V role which allows an unlimited number of VMs. Since we don’t like multi-purpose servers we simply created a new VM using 2008R2 Datacenter for the OS. Why Datacenter? Because Datacenter allows an unlimited number of RADIUS clients, which will be important when we get around to using 802.1x authentication. Now let’s start with the server configuration.

First we need to add the NPS role.

  1. Start Server Manager
  2. Click Roles on the left
  3. Click Add Roles on the right – the add roles wizard starts
  4. Select Network Policy and Access Services
  5. Select Network Policy Server
  6. Click Install
  7. When it’s done open the Network Policy Server console from Administrative Tools
  8. Right click the NPS (Local) node on the left, then click Register in Active Directory

Next we need to create records for the RADIUS clients.

  1. Expand RADIUS Clients and Servers
  2. Right click RADIUS Clients, then click New
  3. Enter a friendly name and IP address of the device
  4. Select the Generate radio button then click the Generate button
  5. Copy the Shared secret over to notepad or somewhere else because you’ll need this when you configure the Cisco device.
  6. Click OK

Now that we’ve created a client it’s time to create the network policy that applies to that client.

  1. Expand Policies
  2. Right click Network Policies and select New
  3. Enter a policy name then click Next
  4. On the Specify Conditions page we are going to add three things
    1. Click Add; select User Groups; click Add again; click Add groups
    2. Enter or select the AD group you want to allow access
    3. Click Add; scroll down and select Client Friendly Name.
    4. Enter a client friendly name (this is the hostname of the Cisco device). You can use pattern matching to reduce the number of policies. For example, if you specify a friendly name of switchx, Cisco devices with hostnames of switch1, switch2, etc… will have this policy applied.
    5. Click Add; scroll all the way down and select NAS Port Type.
    6. Select VPN then click OK.
  5. Click Next and make sure Access Granted is selected
  6. Click Next
  7. Uncheck everything then select Unencrypted authentication (PAP, SPAP)
  8. Click Next then click No in the popup for viewing the help topic.
  9. Click Next
  10. Select and remove the Framed-Protocol and Service-Type attributes
  11. Select Vendor Specific on the left then click Add
  12. Select Cisco for Vendor then click Add
  13. Click Add again and enter shell:priv-lvl=15
  14. Click OK, OK, Close
  15. Click Next and you should see a screen like the one below. Then click Finish.

Now it’s time to work on the Cisco device.

First I’d suggest setting up some basic security settings as follows:

Switch>enable
Switch#configure terminal
Switch(config)#aaa new-model
Switch(config)#username xxxx secret xxxx
Switch(config)#enable secret xxxx
Switch(config)#crypto key generate rsa
Switch(config)#ip ssh time-out 60
Switch(config)#ip ssh version 2
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#exit
Switch(config)#line vty 5 15
Switch(config-line)#transport input ssh
Switch(config-line)#exit

The above turns on the new aaa model, creates a user with a password, sets an enable password and turns on ssh version 2 (you do have PuTTY, don’t you?). Note that crypto key generate rsa refuses to run until the device has a hostname and an ip domain-name, so if you have not set the domain name yet (it appears in the next block) do that before generating the key.

Now it’s time to configure the device to communicate with the RADIUS server:


Switch(config)#ip domain-name foo.com
Switch(config)#radius-server host x.x.x.x
Switch(config)#radius-server key xxxxxxxxxxxxxxxxx (this is where you paste in the shared secret from above)
Switch(config)#aaa group server radius NPSSERVER (You can put whatever you want for NPSSERVER)
Switch(config-sg-radius)#server x.x.x.x
Switch(config-sg-radius)#exit
Switch(config)#aaa authentication login default group NPSSERVER local
Switch(config)#aaa authorization exec default group NPSSERVER local
Switch(config)#exit
Switch#

Before you copy the running config to the startup config, open PuTTY and enter the IP address of the device. You will be presented with a login as: prompt followed by a password prompt. Use your regular AD login credentials (hopefully you’re in the AD group you selected above when creating the network policy) and if all goes well you’ll be presented with a privileged command prompt. The privileged prompt is the result of two things. First, the policy specified a Cisco-AV-Pair of shell:priv-lvl=15. Second, the aaa authorization exec line tells the Cisco device to get your authorization level from the NPSSERVER group.
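The exchange described above, as an added example that is not part of the original post: a Python model of the Access-Request a switch sends for an SSH login (NAS-Port-Type Virtual, PAP password hidden with the shared secret per RFC 2865) and of the Access-Accept NPS returns carrying the Cisco-AV-Pair shell:priv-lvl=15, which the switch should only trust after the Response Authenticator checks out against the shared secret. The user, password, NAS address and shared secret are constructed values, and build_access_accept is a stand-in for NPS, not Microsoft’s or Cisco’s code.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 61, 26
NAS_PORT_TYPE_VIRTUAL = 5             # IOS reports vty (SSH) logins as "Virtual"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Cisco-AV-Pair VSA, e.g. "shell:priv-lvl=15"

def attr(t, value):                   # one RADIUS attribute: type, length, value
    return struct.pack("!BB", t, len(value) + 2) + value

def parse_attrs(data):                # inverse of attr() over a run of attributes
    pos, out = 0, []
    while pos < len(data):
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]])); pos += data[pos + 1]
    return out

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: PAP only XORs the password with MD5(secret + previous block)."""
    out, prev, padded = b"", authenticator, password + b"\x00" * (-len(password) % 16)
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request a switch sends for an SSH login under the AAA config above."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_access_accept(request, secret, avpairs):   # constructed stand-in for the NPS reply
    vsa = b"".join(attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
                        + attr(CISCO_AVPAIR, p.encode())) for p in avpairs)
    return (struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(vsa))
            + response_authenticator(ACCESS_ACCEPT, request[1], vsa, request[4:20], secret) + vsa)

def cisco_avpairs(reply, request_auth, secret):      # switch side: verify, then read AV-pairs
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if reply[4:20] != response_authenticator(code, ident, attrs, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    pairs = [vv.decode() for t, v in parse_attrs(attrs)
             if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID
             for vt, vv in parse_attrs(v[4:]) if vt == CISCO_AVPAIR]
    return code == ACCESS_ACCEPT, pairs
```

Because PAP only XORs the password with an MD5 of the shared secret and authenticator, the shared secret and the network path between switch and NPS are what stand between an eavesdropper and your AD credentials, so treat the secret as a credential and keep RADIUS traffic on a management network.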

Now there are other ways to configure the Cisco device and get the same results. Instead of specifying the radius-server host outside the group you could add it within the group like this.

Switch(config)#aaa group server radius NPSSERVER (You can put whatever you want for NPSSERVER)
Switch(config-sg-radius)#server x.x.x.x key xxxxxxxxxxxxxx
Switch(config-sg-radius)#exit

But the advantage to the way I’ve done it is that you can specify multiple radius-server hosts and use the same key for all of them without having to enter it every time. So as you grow the network and add a second NPS server, you simply export the configuration of NPS server 1 to NPS server 2, then log into the Cisco device, add the new radius-server host, and add the server to the group.

Something important to note about the configuration above: in the aaa authentication login and aaa authorization exec lines, do NOT forget to put “local” at the end. The way these two lines work is that authentication will try the NPSSERVER group first and, if there is no response, it will try the local group (local username). If you don’t have local at the end and the NPS server(s) are down, then you won’t have access to the device. If the NPS server is down when you try to log in, just close the window and SSH to the device again, but use the local username and password. It will take 20-30 seconds for the device to realize the NPS server isn’t responding and then revert to local accounts.

Have fun and secure those routers and switches.

  1. Bryce500
    January 27, 2011 at 5:31 AM

    How do you configure the NPSSERVER group? Which command(s) make the link between Active Directory and Cisco IOS?

    Thanks for your response

  2. January 31, 2011 at 7:07 AM

    @Bryce500: There is no direct link between the switch and Active Directory. The commands that add the RADIUS server and set the aaa authentication and authorization tell the switch to consult the RADIUS server. The RADIUS server (in this case a Windows server with the NPS role) verifies the credentials with Active Directory and responds back to the switch.

  3. Arjun
    April 25, 2011 at 1:53 AM

    Thanks buddy! I owe you a beer for this!!

  4. Earl Marinus
    October 6, 2011 at 5:26 AM

    I was wondering how you are coming along with 802.1x wired authentication. We are looking to implement this at my place of business. What we are looking to do exactly is have users authenticate against an AD group and then be placed into the correct VLAN, and if not, be put into a limited VLAN. Do you have any suggestions on a guide to look at, or is this something you are working on? Great article. I implemented this and it works great.

  5. October 7, 2011 at 5:05 PM

    Yes! We have it working but I just haven’t had the time to write up a blog entry. Each workstation on our system has a computer PKI cert so we have it set so that if the computer has a valid cert it gets put into the regular vlan. If not it gets put into a limited vlan that can only get far enough to PXE boot to image the workstation. It should be pretty easy to modify for what you want to do. I’ll see if I can get around to writing the blog entry on Monday.

    UPDATE: It looks like my partner already wrote it up. Makes sense since he did most of the work. Here is the link: http://windowshell.wordpress.com/2011/01/04/a-sample-802-1x-configuration-guide/

  6. Azmie Sally
    December 20, 2011 at 6:53 AM

    Hi Chuck, you have written one of the great articles on this and Thank you for this.

    I do have a question with regards to the aaa authentication default groups. Currently, we have the default group used to authenticate to all our switches. Is there a way that we can use a new aaa authentication group for RADIUS authentication?

    Thanks in Advance

  7. Henik Krai
    September 12, 2012 at 6:04 AM

    When I log in to the Cisco device, I can’t log in with the specified user from Active Directory, and I don’t know where I have gone wrong.
    I’m using a switch that I’m telnetting in to; does that have anything to do with it?
    I’m using a Cisco 2950 for a test environment.

  8. Henik Krai
    September 13, 2012 at 2:11 AM

    And the local logon doesn’t work either.

  9. September 13, 2012 at 3:47 PM

    Azmie Sally :

    Hi Chuck, you have written one of the great articles on this and Thank you for this.

    I do have a question with regards to the aaa authentication default groups. Currently, we have the default group used to authenticate to all our switches. Is there a way that we can use a new aaa authentication group for RADIUS authentication?

    Thanks in Advance

    Here you go: http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/serv_grp.html

  10. September 13, 2012 at 3:53 PM

    Henik Krai :

    And the local logon doesn’t work either.

    I can’t tell what’s wrong without seeing the configuration of everything; sorry. Here is a tip when configuring these types of things. When you do finally get logged into the device keep that session open and after you make changes, open a separate session to the device to see if it works. If it doesn’t then you still have a session open that you can undo what you did or at least reboot the device to undo all your changes (don’t wr mem until it works).

  11. October 23, 2013 at 10:25 AM

    Great write up! I just completed something similar that also included privilege level settings as well with the radius server. Your readers might enjoy this as well: http://technologyordie.com/cisco-privilege-level-access-with-radius-and-nps-server

  12. Muhammad Younas
    October 28, 2013 at 10:18 PM

    Hi Chuck
    Nice article. I have a question. I want to add an additional condition to limit access from specific user machines on the basis of IP addresses. I have implemented the Windows user group already. I tried a lot but no luck so far. Any help is highly appreciated.

    Regards,

  13. November 24, 2013 at 3:28 PM

    Muhammad Younas :

    Hi Chuck
    Nice article. I have a question. I want to add an additional condition to limit access from specific user machines on the basis of IP addresses. I have implemented the Windows user group already. I tried a lot but no luck so far. Any help is highly appreciated.

    Regards,

    This would be done with an ACL. I’ll have to look it up when I get to work.

  14. Muhammad Younas
    November 29, 2013 at 12:30 AM

    Hi Chuck,

    I did that with an ACL. Thanks. Actually, the ACLs were there before configuring AAA. After the AAA configuration the ACLs were of no use. Then I reconfigured those ACLs and got it.

  15. Eleven
    December 2, 2013 at 8:43 AM

    Nice post,
    I was trying this out myself and found some things that would not work the first time.
    Maybe these things can help others to troubleshoot.
    Don’t know if it is important, but I was testing this on a 2960X.

    The first tip I wanted to share is the following command:
    test aaa group NPSSERVER MyDomain\MyUserName MyPassword legacy

    Attempting authentication test to server-group NPSSERVER using radius
    User was successfully authenticated.

    With this command you can see if the RADIUS server is reachable and if it can successfully authenticate the user.

    Another thing to check is the Windows server security event log; here you can check if the user is authenticated and what parameters are sent.

    By doing this I discovered the following.
    – authentication via SSH was successful and the NAS-Port-Type was Virtual (VPN)
    – authentication via console failed and the NAS-Port-Type was Async.
    (the test aaa command also seems to use Async)

    So I edited the Network Policy and under “Conditions” -> “NAS Port Type” I selected “Virtual (VPN)” as well as “Async (Modem)”. Now both SSH and console work.

  16. shyamrajs
    May 4, 2014 at 7:38 PM
  17. August 19, 2014 at 4:43 AM

    Thanks for this! Totally helpful!

  18. August 27, 2014 at 1:16 AM

    How Setup Cisco ASA VPN to add two-factor authentication to VPN Client

    I have setup the NPS ( Windows 2008 R2 ) server. How do i setup the certificates?
    How do i deploy the certificate and Cisco Client Profile?

    Like to see step by step guide.

    AS

  19. December 15, 2016 at 11:41 PM

    Thanks Buddy. Really helped me establish RADIUS in my organization. I was wondering if I could bypass or avoid entering the local password after typing in the Domain username and password in the CLI of my Cisco 3750X Switch via Telnet/SSH as it seemed kind of redundant, I suppose. The local password is set on the lines “con 0” and “vty 0 4”.

    Also, will the command “aaa authentication enable default enable” do the needful or is there something else?

    Cheers !

  20. December 16, 2016 at 7:13 AM

    When the device is set up to use RADIUS for login you should not have to enter the local username or password. Remove the password from the con and vty lines. This is all you should need for a local username and password:
    Switch(config)#aaa new-model
    Switch(config)#username xxxx secret xxxx
    Switch(config)#enable secret xxxx

    This will be used if the device can’t reach a RADIUS server.

