{"id":2022,"date":"2015-12-30T12:03:00","date_gmt":"2015-12-30T12:03:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=2022"},"modified":"2024-11-18T15:13:18","modified_gmt":"2024-11-18T15:13:18","slug":"configure-radius-authentication-on-server-2012-r2-for-cisco-devices","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/configure-radius-authentication-on-server-2012-r2-for-cisco-devices\/","title":{"rendered":"Configure RADIUS Authentication on Server 2012 R2 for Cisco Devices"},"content":{"rendered":"

In this step-by-step guide we will setup NPS\u00a0as a RADIUS server to authenticate users for our Cisco 3560X switch, this process will work on most Cisco switches and routers. In this example we will be using two AD security groups to define level 15 and level 1 user access. This is a good practice, for example if we wanted to allow some users read only access, we can give them level 1 privileges\u00a0and not hand out the enable password. The user would be assigned to the AD security group which is mapped back to an NPS policy that when these users authenticate, they will be in the user mode prompt >.<\/p>\n

Our network admins on the other hand can have level 15 and not have to keep entering the enable password every time\u00a0they login, the NPS policy defined for level 15 access will place the user into Exec Mode # upon successful authentication. Lets get started!<\/p>\n

Note: You must have the NPS server role installed to begin configuring access policies, have a look at\u00a0\u201cInstall Network Policy Server (NPS) on Server 2012 R2\u201d<\/a><\/p>\n

Create the AD security groups\u00a0<\/strong><\/p>\n

1.<\/strong>\u00a0\u00a0Log into windows server 2012 R2, and launch\u00a0\u201cActive Directory users and Computers\u201d<\/p>\n

\"0.1\"<\/p>\n

2.<\/strong>\u00a0Navigate to the\u00a0\u201cUsers\u201d\u00a0container and create a new security group. click\u00a0\u201cAction\u201d\u00a0from the top menu, scroll down to\u00a0\u201cNew\u201d\u00a0and\u00a0\u201cGroup\u201d<\/p>\n

\"0.2\"<\/p>\n

3.<\/strong>\u00a0Give the group a meaningful name, in this example we have used\u00a0\u201cRADIUS-lvl1-Users\u201d\u00a0This security group will be to control the users who will have level 1 access to the Cisco device upon login. Users will need to enter\u00a0the enable password should they want higher privilege access. They\u00a0will be placed at the > user mode prompt when authenticated.<\/p>\n

\"0.4\"<\/p>\n

4.<\/strong>\u00a0Create a second group with a meaningful name, in this example we have used\u00a0\u201cRADIUS-lvl15-Users\u201d\u00a0this group will be for users who will have level 15 access to the Cisco device, they will be prompted with the # user mode prompt and will not need to supply the enable password.<\/p>\n

\"0.3\"<\/p>\n

5.<\/strong>\u00a0Right click\u00a0\u201cRADIUS-lvl1-Users\u201d, select the properties of the group and add a user as a member of the group. In this case i have added a user called\u00a0\u201clvl1\u201d, you can use any user in the domain that will be accessing the device. Click\u00a0\u201cOK\u201d<\/p>\n

\"0.7\"<\/p>\n

Click\u00a0\u201cOK\u201d\u00a0and close the properties<\/p>\n

\"0.8\"<\/p>\n

6.<\/strong>\u00a0Right click\u00a0\u201cRADIUS-lvl15-Users\u201d, select the properties of the group and add a user as a member of the group. I have added a user called\u00a0\u201clvl15\u201d\u00a0for this group. Click\u00a0\u201cOK\u201d<\/p>\n

\"0.5\"<\/p>\n

Click\u00a0\u201cOK\u201d\u00a0and close the properties<\/p>\n

\"0.6\"<\/p>\n

Add the RADIUS Client<\/strong><\/p>\n

1.<\/strong>\u00a0Click\u00a0\u201cStart\u201d\u00a0and type\u00a0\u201cNPS\u201d\u00a0click and launch the\u00a0\u201cNetwork Policy Server\u201d<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0Create a template of the shared secret, although this can be done\u00a0manually on the client device, its easier to work from a template when adding multiple client devices in the future. Expand\u00a0\u201cTemplates Management\u201d, Right click\u00a0\u201cShared Secret\u201d\u00a0and click\u00a0\u201cNew\u201d<\/p>\n

\"2a\"<\/p>\n

3.<\/strong>\u00a0Give the template a name and create a password that will be used by the RADIUS client to join to the RADIUS Server. Click\u00a0\u201cOK\u201d\u00a0and close the window<\/p>\n

\"2b\"<\/p>\n

\"2c\"<\/p>\n

4.<\/strong>\u00a0Expand\u00a0\u201cRADIUS Clients and Servers\u201d, right click\u00a0\u201cRADIUS Client\u201d\u00a0and select\u00a0\u201cNew\u201d<\/p>\n

\"2d\"<\/p>\n

5.<\/strong>\u00a0Make sure the tickbox\u00a0\u201cEnable this RADIUS client\u201d\u00a0is ticked, give the client a\u00a0\u201cFriendly name\u201d\u00a0and specify the\u00a0\u201cIP address\u201d\u00a0of the device. From the\u00a0\u201cShared Secret\u201d\u00a0dropdown box select the template we created earlier so that the client can use this.<\/p>\n

\"2e\"<\/p>\n

6.<\/strong>\u00a0Select the\u00a0\u201cAdvanced\u201d\u00a0tab, and from the\u00a0\u201cVendor name\u201d\u00a0drop down select the vendor of the device, in this case its\u00a0\u201cCisco\u201d. Click\u00a0\u201cOK\u201d\u00a0and close the window<\/p>\n

\"3\"<\/p>\n

The device will now be visible under the\u00a0\u201cRADIUS Clients\u201d\u00a0list<\/p>\n

\"4\"<\/p>\n

Create a Connection Request Policy<\/strong><\/p>\n

1.<\/strong>\u00a0Expand\u00a0\u201cPolicies\u201d\u00a0right click\u00a0\u201cConnection Request Policies\u201d\u00a0and click\u00a0\u201cNew\u201d<\/p>\n

\"5\"<\/p>\n

2.<\/strong>\u00a0Give the policy a name and click\u00a0\u201cNext\u201d<\/p>\n

\"6\"<\/p>\n

3.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d<\/p>\n

\"7\"<\/p>\n

4.<\/strong>\u00a0Select\u00a0\u201cAccess Client IPv4 Address\u201d\u00a0we will use a subnet range with a wildcard to define what is allowed to request Authentication. Click\u00a0\u201cAdd\u201d<\/p>\n

\"8\"<\/p>\n

5.<\/strong>\u00a0Insert the\u00a0\u201cIP subnet\u201d\u00a0and\u00a0\u201cwildcard mask\u201d, in this example we are allowing anything from the 192.168.0.0 subnet,\u00a0\u201cclick OK\u201d<\/p>\n

\"9\"<\/p>\n

6.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"10\"<\/p>\n

7.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"11\"<\/p>\n

8.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"12\"<\/p>\n

9.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"13\"<\/p>\n

10.<\/strong>\u00a0\u00a0Click\u00a0\u201cFinish\u201d<\/p>\n

\"14\"<\/p>\n

The newly created policy will now be listed.<\/p>\n

\"15\"<\/p>\n

Create the Network Access Policies for Level 1 & 15\u00a0privileges<\/strong><\/p>\n

1.<\/strong>\u00a0Right click\u00a0\u201cNetwork Policies\u201d\u00a0and select\u00a0\u201cNew\u201d<\/p>\n

\"16\"<\/p>\n

2.<\/strong>\u00a0\u00a0Give the policy a name that will correspond with our security group created earlier, this policy will map\u00a0\u201cRADIUS-lvl1-Users\u201d. click\u00a0\u201cNext\u201d<\/p>\n

\"17\"<\/p>\n

3.<\/strong>\u00a0\u00a0Click\u00a0\u201cAdd\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Select\u00a0\u201cUser Groups\u201d\u00a0and click\u00a0\u201cAdd\u201d<\/p>\n

<\/p>\n

5.<\/strong>\u00a0Specify the security group this policy will\u00a0use to authenticate users. Click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Click\u00a0\u201cOK\u201d<\/p>\n

\"20\"<\/p>\n

6.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"21\"<\/p>\n

7.<\/strong>\u00a0Select\u00a0\u201cAccess Granted\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"22\"<\/p>\n

8.<\/strong>\u00a0De-select all the Microsoft authenticated methods and tick\u00a0\u201cUnencrypted authentication (PAP.SPAP)\u201d, RADIUS will still continue to use a hashing algorithm so the authentication process will be secure. Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

At the warning\u00a0prompt select\u00a0\u201cNO\u201d<\/p>\n

\"23.1\"<\/p>\n

9.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"24\"<\/p>\n

10.<\/strong>\u00a0From the RADIUS Attributes select\u00a0\u201cStandard\u201d\u00a0and remove the two listed default attributes highlighted and Click\u00a0\u201cAdd\u201d<\/p>\n

\"25\"<\/p>\n

11.<\/strong>\u00a0Select\u00a0\u201cService Type\u201d\u00a0and click\u00a0\u201cAdd\u201d<\/p>\n

\"26\"<\/p>\n

12.<\/strong>\u00a0Select\u00a0\u201cOthers\u201d\u00a0and define\u00a0\u201cLogin\u201d\u00a0from the drop down list. Click\u00a0\u201cOK\u201d<\/p>\n

\"27\"<\/p>\n

The Attributes should now contain the single\u00a0\u201cService-Type\u201d\u00a0of\u00a0\u201cLogin\u201d<\/p>\n

\"28\"<\/p>\n

13.<\/strong>\u00a0Click\u00a0\u201cVendor Specific\u201d\u00a0and Click\u00a0\u201cAdd\u201d<\/p>\n

\"29\"<\/p>\n

14.<\/strong>\u00a0Select\u00a0\u201cVendor Specific\u201d\u00a0from the list and click\u00a0\u201cAdd\u201d<\/p>\n

\"30\"<\/p>\n

15.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d<\/p>\n

\"31\"<\/p>\n

16.<\/strong>\u00a0Select\u00a0\u201cCisco\u201d\u00a0from the drop down list, select\u00a0\u201cYes. It conforms\u201d\u00a0and click\u00a0\u201cConfigure Attribute\u201d<\/p>\n

\"32\"<\/p>\n

17.<\/strong>\u00a0Change the\u00a0\u201cVendor-assigned attribute number\u201d\u00a0to\u00a0\u201c1\u201d\u00a0the\u00a0\u201cAttribute format\u201d\u00a0to\u00a0\u201cString\u201d\u00a0and the\u00a0\u201cAttribute Value\u201d\u00a0to\u00a0\u201cshell:priv-lvl=1\u201d<\/strong>. In this attribute we are simply specifying that we want users that authenticate to our Cisco device to be allocated into user mode upon authentication. click\u00a0\u201cOK\u201d<\/p>\n

\"33\"<\/p>\n

18.<\/strong>\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"34\"<\/p>\n

19.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"35\"<\/p>\n

20.<\/strong>\u00a0At the summary window click\u00a0\u201cFinish\u201d<\/p>\n

\"36\"<\/p>\n

The\u00a0Access policy for users that will default to user mode is now complete, we must now setup the second policy for our users that will be using level 15.<\/p>\n

21.<\/strong>\u00a0Follow the above steps to configure the second policy using the the\u00a0\u201cRADIUS-lvl15-Users\u201d\u00a0AD security group and the\u00a0\u201cVendor Specific\u201d\u00a0attribute value of\u00a0\u201cshell:priv-lvl=15\u201d<\/strong><\/p>\n

\"33\"<\/p>\n

Once the second policy has been added, both policies should be visible in \u201cNetwork Policies\u201d pane<\/p>\n

\"42\"<\/p>\n

Configure the Cisco Switch<\/strong><\/p>\n

1.\u00a0<\/strong>Login into the switch using putty or console, and enter the following commands:<\/p>\n

# conf t\u00a0<\/strong>\u2013 Enter global Configuration mode<\/p>\n

(config)# aaa new-model<\/strong>\u00a0\u2013 Define a new aaa server<\/p>\n

(config)# radius-server host 192.168.10.23 auth-port 1645 acct-port 1646<\/strong>\u00a0\u2013 Define the IP address of the RADIUS server and the Authentication and Authorization ports<\/p>\n

(config)# radius-server key cisco\u00a0<\/strong>\u2013 Define the shared secret<\/p>\n

(config)# aaa authentication login default group radius local<\/strong>\u00a0\u2013 Define the login group and method, use RADIUS and only use local if RADIUS is unavailable but do not fail\u00a0over<\/p>\n

(config)# aaa authorization exec default group radius if-authenticated\u00a0<\/strong>\u2013 authorize the user with exec mode privileges if already previously authenticated in the event RADIUS is\u00a0unavailable during the session.<\/p>\n

(config)# ip radius source-interface Vlan 1<\/strong>\u00a0\u2013 VLAN1 is the source interface which the client device uses to communicate to the RADIUS server, this command is necessary only if SVIs are on the device or routing is enabled, this will not be required for access switches.<\/p>\n

\"sw<\/p>\n

Testing\u00a0<\/strong><\/p>\n

1.<\/strong>\u00a0Login using the user allocated to the level 1 RADIUS security group and verify the correct privilege level is allocated allocated to the user upon authentication<\/p>\n

\"lvl1<\/p>\n

debug radius output from the switch for user lvl1 with privilege level 1. (#debug radius)<\/p>\n

<\/p>\n

2.<\/strong>\u00a0Login using the user allocated to the level 15 RADIUS security group and verify the correct privilege level is allocated to the user upon authentication<\/p>\n

\"lvl15<\/p>\n

debug radius output from the switch for user lvl15 with privilege level 15. (#debug radius)<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

In this step-by-step guide we will setup NPS\u00a0as a RADIUS server to authenticate users for our Cisco 3560X switch, this process will work on most<\/p>\n","protected":false},"author":1,"featured_media":2018,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,151,9],"tags":[106,104,124,112,113,125],"class_list":["post-2022","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-server-endpoint","category-switching","tag-aaa","tag-authentication","tag-cisco-radius","tag-nps","tag-radius","tag-switch-radius"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2022"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2022\/revisions"}],"predecessor-version":[{"id":2110,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/2022\/revisions\/2110"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/2018"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}