
Cisco Radius Authentication on Active Directory 2008

This article describes how to install and configure RADIUS authentication for Cisco devices against Microsoft Active Directory. The Active Directory runs on Windows Server 2008 SP2, Standard Edition (64-bit). The configuration consists of these steps:

  • Installation of the Network Policy Server (NPS)
    • NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008
  • Configuration of a 'Remote Access Policy'
  • Configuration of a 'RADIUS Client'
  • Configuration of the Cisco devices for authentication through RADIUS

Common Network Configuration

Create A and PTR records for the switches you want authentication on:

switch04.company.local 10.10.10.133

Create a CNAME for the server who is going to provide the RADIUS service:

radius.company.local ad.company.local

Installation NPS

  • Open Server Manager by clicking Start → 'Server Manager'
  • Click on 'Roles' from the left panel in Server Manager
  • Click on 'Add Roles'
  • If you start in the 'Before You Begin' page click 'Next', if not go to the next step
  • Check the 'Network Policy and Access Services'
  • Click 'Next' twice
  • Select these roles:
    • Network Policy Server
    • Routing & Remote Access Services
      • Remote Access Service
      • Routing
  • Click 'Next' and then 'Install', and after a while 'Close'

The 'Network Policy and Access Services' role is now installed. You can use a wizard in the NPS console to configure Network Access Protection (NAP). To open the NPS console after installation, go to Server Manager or click Start, Administrative Tools, Network Policy Server.

To make sure you have all the tools required to administer NPS, also install the feature 'Network Policy and Access Services Tools':

  • Open Server Manager by clicking Start → 'Server Manager'
  • Click on 'Features' from the left panel in Server Manager
  • Click on 'Add features'
  • Expand the 'Remote Server Administration Tools' feature
  • Expand the 'Role Administration Tools' feature
  • Check the 'Network Policy and Access Services Tools'
  • Click 'Next' and then 'Install', and after a while 'Close'

The Network Policy and Access Services Tools are now installed.

Create Access Group

To grant network administrators access, create a group: the group is granted access in the network policy, and the network administrators are made members of that group.

Create a global security group called 'NetworkAdministrators' and make the network administrators members.

Remote Access Network Policy

  • Go to Start → All Programs → Administrative Tools → Network Policy Server
  • Expand 'Policies', right-click 'Network Policies' and click 'New'
  • Follow the wizard specifying these details:
  • Policy name: Cisco
  • Type of network access server: Unspecified
  • Add a condition based on the 'Windows Group' you just created: 'NetworkAdministrators':

ciscoradiusad2008-01.jpg

  • Specify Access Permission: Access Granted
  • Authentication Methods: Select Unencrypted authentication (PAP, SPAP), which is required for the Cisco IOS:

ciscoradiusad2008-02.jpg

  • Constraints: Set Idle Timeout to 30 minutes and leave all other constraints unconfigured
  • Settings - RADIUS Attributes - Standard:
  • Change 'Service-Type' from 'Framed' to 'Login'
  • Remove the 'Framed-Protocol' (which is set to PPP)
  • Settings - RADIUS Attributes - Vendor Specific:
  • Click on 'Add' and:
  • Set Vendor to 'All' and set the attribute to 'Vendor-Specific':

ciscoradiusad2008-03.jpg

  • Add an attribute value and:
  • Set 'Select from list' to Cisco
  • Set that the attribute conforms to the RADIUS RFC
  • And configure the attribute:

ciscoradiusad2008-04.jpg

ciscoradiusad2008-05.jpg

  • Click 'OK' three times and finish with 'Close' so you can continue with the network policy.


All that remains is to review the network policy summary; click Finish to create the policy.

Create Radius Client

  • Go to Start → All Programs → Administrative Tools → Network Policy Server
  • Expand 'RADIUS Clients and Servers', right-click 'RADIUS Clients' and click 'New RADIUS Client'

Fill in the required fields and remember the shared secret you enter here, because the same secret has to be configured on the switch:
ciscoradiusad2008-06.jpg

  • Click OK when you're done and you're finished with the RADIUS configuration.

Cisco Configuration

Basic Cisco Configuration

  • Log on to the switch, enter configuration mode and set the host name and DNS details:

conf t
hostname switch04
ip domain-name company.local
ip name-server 10.10.10.53

Authentication Configuration

All these commands should be issued after logging in to the switch and entering configuration mode with conf t.

  • Configure AAA security services (authentication, authorization, and accounting) on the switch to support the RADIUS security protocol
aaa new-model
  • Configure the radius server
radius-server host radius.company.local timeout 3 retransmit 2 key <shared-secret>

Note: the IOS defaults are timeout = 5 and retransmit = 3.

  • Force RADIUS to use the IP address of the management interface (Vlan1) for all outgoing RADIUS packets (this is the source address NPS matches against the RADIUS client entry):

ip radius source-interface Vlan1
  • Configure the authentication methods
aaa authentication login default group radius local
aaa authorization exec default group radius local
  • Configure the authentication method for all virtual terminal sessions (vty):
line vty 0 15
login authentication default
end

Now test the configuration: keep the current session open, open a new session to the switch and log in with an account that is a member of the NetworkAdministrators group. Only when that login succeeds, write the configuration to the Cisco device:

write
exit
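The network policy above allows PAP, and both NPS (the RADIUS client entry) and the switch (the key on the radius-server host line) hold the same shared secret. The following Python script is an added worked example, not code from the original article: it builds the RFC 2865 Access-Request a switch sends for a login, shows how the server recovers the PAP password with the shared secret (and that a different secret yields garbage), and shows how the switch verifies the Response Authenticator on the Access-Accept before honouring it. The user name, password, secret and the cisco-avpair text shell:priv-lvl=15 are assumed values; the article's screenshots carry the real attribute configuration.

```python
"""RFC 2865 RADIUS login exchange between a Cisco switch and a RADIUS server.

Constructed example: user name, password, shared secret and the cisco-avpair
value are assumptions and are not taken from the original article."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1      # the policy changes Service-Type from Framed (2) to Login (1)
CISCO_VENDOR_ID = 9         # IANA enterprise number carried in the Vendor-Specific attribute
CISCO_AVPAIR = 1            # Cisco vendor type 1 (cisco-avpair)


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length octet counts the type and length octets too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: bytes) -> bytes:
    """Vendor-Specific attribute (RFC 2865 section 5.26) carrying one cisco-avpair string."""
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), the first block using the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption,
    which is why the secret's strength and the switch-to-server path matter."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: whoever holds the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attributes) -> bytes:
    body = b"".join(attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Walk the attribute list after the 20-octet header, rejecting lengths that run off the packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_accept(request: bytes, secret: bytes, attributes=()) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the switch checks before honouring an Accept: matching identifier and an
    authenticator computed over this request with the same shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def demo(secret: bytes = b"example-shared-secret", password: bytes = b"P@ssw0rd!") -> dict:
    """Full exchange: the switch builds the request, the server recovers the password and
    answers with Service-Type Login plus an assumed cisco-avpair, the switch verifies."""
    request_auth = os.urandom(16)
    request = build_access_request(7, request_auth, [
        attr(ATTR_USER_NAME, b"jdoe"),
        attr(ATTR_USER_PASSWORD, pap_encode(password, secret, request_auth)),
        attr(ATTR_NAS_IP, bytes([10, 10, 10, 133])),       # switch04 from the article
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
    ])
    attrs = dict(parse_attributes(request))
    recovered = pap_decode(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    with_wrong_secret = pap_decode(attrs[ATTR_USER_PASSWORD], b"wrong", request[4:20])
    accept = build_access_accept(request, secret, [
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        cisco_avpair(b"shell:priv-lvl=15"),   # assumed value, see the lead-in
    ])
    return {
        "recovered": recovered,
        "wrong_secret_matches": with_wrong_secret == password,
        "accept_verified": verify_response(accept, request, secret),
        "forged_accept_verified": verify_response(accept, request, b"other-secret"),
    }
```

Calling demo() returns the recovered password, shows that decoding with a different secret does not reproduce it, and shows that an Accept built with another secret fails verification on the switch. The practical consequence of the PAP choice is that the password is protected only as far as the shared secret and the switch-to-NPS network path are protected: choose a long random secret for the RADIUS client and keep that traffic on the management VLAN the source-interface command selects.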

Sources

ciscoradiusad2008.txt · Last modified: 2013/04/23 20:37 by sjoerd