Thursday, February 9, 2012

NPS Server R2 2008 for Radius on Cisco Devices

How to Make an NPS your Radius Authentication Server for Cisco Device Admin Access
1. In NPS once you have your NPS server running, first add your client,
A. In the Server Manager, click on Roles > Network Policy and Access > NPS (Local) >Radius Clients and Servers > Radius Clients -à Click on New on the Right hand side of the window under Actions and you will get a window as follows:
B. Add your Friendly name for your device and the IP address, Add the Shared secret that you will also use as your Radius key in the Cisco devices

2. On the advance Tab either select Cisco or just leave it as Radius Standard as this does not really matter.


Click on Apply and then now we go to the interesting part.

3. Under Policies, you would want to create two policies:
I). Connection Request Policy
ii). Network Policy

Connection Request Policy


4. Click on Connection Request Policy and click on new under Actions:
On the window as below, Name your policy and click next

5. On the the next window you are going to set the conditions that are required for your devices to pass authorization :


6. Select One of the conditions that apply to your network, In mine I used the Client IPv4 Address so that I could use the wildcard and be selective on what range of IP address could get Authentication from the NPS.

Hit Ok and click next on to get the window below:


Hit next on this window as well:




Hit next and then finish on this window:



Now we go to the Network Policy and please follow this carefully as this can make or break your authentication and Authorization:

Network Policy


7. Click on the Network Policies and then new under the Actions:
8. Name your policy accordingly and click Next:


9. Now you have to add the conditions for your devices to be able to get Authenticated:
10. Click on ADD and you will get the following window and “Select User Group”, this is very important when you have an AD Group, let’s say Network_Admins:



Add the AD group that is supposed to have access to device management.

11. On the next window, select Access Granted


Hit next:

Unselect everything except Unencrypted authentication (PAP,SPAP)



Click No on the next annoying Windows help window:


Hit next and go to the Configure Constraints:

Hit Next:

IMPORTANT:


12. On the following window, under Radius Attributes > Standard : remove the Framed-Protocol - PPP and then Edit the Service Type



This is a very important step as some Cisco devices will not work without this Attribute.

Now Click on the Vendor Specific :


Click on add:


Click on the Cisco-AV-Pair and then Add:

Click on Add and then type in the following to give your shell access level 15 access:
shell:priv-lvl=15

This attribute can be changed and applied to different groups i.e level 1 , 15

Note:

By default, there are three privilege levels on the router.
  • privilege level 1 = non-privileged (prompt is router>), the default level for logging in
  • privilege level 15 = privileged (prompt is router#), the level after going into enable mode
  • privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout


Close the window and hit next:



Hit finish on this window and now you have fully configured your NPS to be a radius server for your Cisco devices.




Cisco Configuration


For your Cisco devices this is all you need:

aaa authentication login default group radius local-case
aaa authentication login vty group radius local-case
aaa authorization exec default group radius local if-authenticated
aaa accounting system default start-stop group radius
!
ip radius source-interface Vlan1   <<<--- Configure the interface that has the IP address on the NPS Client
!
radius-server host <ip address of the NPS server> auth-port 1645 acct-port 1646
radius-server key <Key that was configured on the Radius client in the NPS>
!
line vty 0 4
login authentication vty <<<------- Make sure this is the same as in the aaa authentication login command

Please note that the privelege levels can be changed and applied according your needs:



See Cisco documentation here:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml



9 comments:

  1. This was a huge help, I was missing the if-authenticated on the aaa authorization line and the priv 15 stuff on the RADIUS server.

    ReplyDelete
  2. The privilege level didn't work for me. It started working when i changed Service-Type to "NAS Prompt" (number 12 in the list).

    ReplyDelete
  3. This is awesome dude. It works for me.

    ReplyDelete
  4. how can i use encrypted authentication? as in step by step you showed "Unselect everything except Unencrypted authentication (PAP,SPAP)" but I want encrypted authentication instead.

    ReplyDelete
  5. My cisco switch does not have the same aaa commands. Are there a "newer version" of these commands for newer switches?

    ReplyDelete
  6. I followed the same steps,but it`s not working for me. I tried on Cisco 2960-X with IOS version 15.2(4r)E3. Please help

    ReplyDelete
  7. This works for Cisco 2960x and 3750x and 9200's

    ReplyDelete
  8. This works for 2960s&x. They were production switches, I needed the line

    aaa new-model

    Before the other aaa commands. Thanks for the help

    ReplyDelete