= Cisco Radius Authentication on Active Directory 2008 =

This article describes how to install and configure authentication on Cisco devices against Microsoft's Active Directory. The Active Directory runs on Windows Server 2008 SP2, Standard edition (64-bit). The configuration consists of these steps:

* Installation of Network Policy Server (NPS)
** NPS is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008
* Configuration of a 'Remote Access Policy'
* Configuration of a 'RADIUS Client'
* Configuration of Cisco devices for authentication through RADIUS

= Common Network Configuration =

Create A and PTR records for the switches you want to authenticate on:
<code>
switch04.company.local 10.10.10.133
</code>

Create a CNAME for the server that is going to provide the RADIUS service:
<code>
radius.company.local ad.company.local
</code>

= Installation NPS =
* Open Server Manager by clicking Start -> 'Server Manager'
* Click on 'Roles' in the left panel of Server Manager
* Click on 'Add Roles'
* If you start on the 'Before You Begin' page click 'Next', otherwise go to the next step
* Check 'Network Policy and Access Services'
* Click 'Next' twice
* Select these role services:
** Network Policy Server
** Routing & Remote Access Services
*** Remote Access Service
*** Routing
* Click 'Next' and then 'Install', and after a while 'Close'

The 'Network Policy and Access Services' role is now installed.
You can use a wizard in the NPS console to configure Network Access Protection (NAP). To open the NPS console after installation, go to Server Manager or click Start, Administrative Tools, Network Policy Server.

To make sure you have all the tools required to administer NPS, also install the feature 'Network Policy and Access Services Tools':

* Open Server Manager by clicking Start -> 'Server Manager'
* Click on 'Features' in the left panel of Server Manager
* Click on 'Add Features'
* Expand the 'Remote Server Administration Tools' feature
* Expand the 'Role Administration Tools' feature
* Check 'Network Policy and Access Services Tools'
* Click 'Next' and then 'Install', and after a while 'Close'

The Network Policy and Access Services Tools are now installed.

= Create Access Group =
To grant network administrators access, create a group: the network policy grants access to the group, and the network administrators are made members of it.

Create a global security group called 'NetworkAdministrators' and make the network administrators members.

= Remote Access Network Policy =
* Go to Start -> All Programs -> Administrative Tools -> Network Policy Server
* Expand 'Policies', right-click 'Network Policies' and click 'New'
* Follow the wizard, specifying these details:
* Policy name: Cisco
* Type of network access server: Unspecified
* Add a condition based on the 'Windows Group' you just created: 'NetworkAdministrators': \\

{{ciscoradiusad2008-01.jpg}} \\

* Specify Access Permission: Access Granted
* Authentication Methods: select Unencrypted authentication (PAP, SPAP), which is required for the Cisco IOS: \\

{{ciscoradiusad2008-02.jpg}} \\

* Constraints: set Idle Timeout to 30 minutes and leave all other constraints unconfigured
* Settings - RADIUS Attributes - Standard:
* Change 'Service-Type' from 'Framed' to 'Login'
* Remove 'Framed-Protocol' (which is set to PPP)
* Settings - RADIUS Attributes - Vendor Specific:
* Click on 'Add' and:
* Set Vendor to 'All' and set the attribute to 'Vendor-Specific':

{{ciscoradiusad2008-03.jpg}} \\

* Add an attribute value and:
* Set 'Select from list' to Cisco
* Select that the attribute conforms to the RADIUS RFC
* Configure the attribute: \\

{{ciscoradiusad2008-04.jpg}} \\

{{ciscoradiusad2008-05.jpg}} \\

* Click 'OK' three times and finish with 'Close' so you can continue with the network policy.
\\
Review the summary of the network policy and click Finish.

= Create Radius Client =
* Go to Start -> All Programs -> Administrative Tools -> Network Policy Server
* Expand 'RADIUS Clients and Servers', right-click 'RADIUS Clients' and click 'New RADIUS Client'
* Fill in the required fields and remember the shared secret you enter here; the same secret is configured on the switch later: \\
{{ciscoradiusad2008-06.jpg}} \\

* Click OK when you're done and you're finished with the RADIUS configuration.

= Cisco Configuration =
== Basic Cisco Configuration ==

* Log on to the switch and set the hostname, domain name and name server (the name server is needed to resolve radius.company.local):
<code>
conf t
hostname switch04
ip domain-name company.local
ip name-server 10.10.10.53
</code>

== Authentication Configuration ==
All these commands should be issued after logging in to the switch and issuing {{{conf t}}}.

* Enable AAA security services (authentication, authorization and accounting) on the switch so it can use the RADIUS security protocol:
<code>
aaa new-model
</code>

* Configure the RADIUS server:
<code>
radius-server host radius.company.local timeout 3 retransmit 2 key <shared-secret>
</code>

Note:
> default timeout = 5 (seconds)
> default retransmit = 3

* Force RADIUS to use the IP address of the management interface (Vlan1) for all outgoing RADIUS packets:
<code>
ip radius source-interface Vlan1
</code>

* Configure the authentication and authorization methods (RADIUS first; the local user database is only used when no RADIUS server responds, not when RADIUS rejects the login):
<code>
aaa authentication login default group radius local
aaa authorization exec default group radius local
</code>

* Apply the authentication method to all virtual terminal sessions (vty):
<code>
line vty 0 15
login authentication default
end
</code>

Now test the configuration (for example by logging in from a new session while this one stays open), and only write the configuration to the Cisco device if you can log in successfully. To do so:
<code>
write
exit
</code>

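The policy above has to allow PAP, so the password leaves the switch hidden only by MD5 of the shared secret and a per-request authenticator, and the switch can verify the server's Access-Accept only through that same secret. The following is an added example (not code from the page or from Cisco/Microsoft) that implements RFC 2865's User-Password hiding and Response Authenticator check for an Access-Request like the one switch04 sends; the secret, user name and authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # the policy above sets Login (1) instead of Framed (2)

def pap_transform(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block  # chaining always uses the hidden block
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return pap_transform(padded, secret, authenticator, hiding=True)

def recover_password(hidden, secret, authenticator):
    return pap_transform(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    # authenticator: 16 random bytes per request (os.urandom(16) in real use)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response, request, secret):
    """Client side: recompute the Response Authenticator before trusting an Accept."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because both the password hiding and the reply authentication rest on MD5 of the shared secret, a long random secret per RADIUS client and a management VLAN that only carries switch-to-NPS traffic are what actually protect the PAP exchange.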
= Sources =
http://technet.microsoft.com/en-us/library/dd346691%28WS.10%29.aspx \\
http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/ \\
http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srrad.html \\
http://www.cisco.com/en/US/docs/ios/12_0/security/command/reference/srathen.html \\

{{tag>network security windows cisco}}
ciscoradiusad2008.txt · Last modified: 2013/04/23 20:37 by sjoerd