Wednesday, August 27, 2014

Cisco RADIUS Authentication w/ Active Directory and Network Policy Server


I'll try to keep this short and sweet. It took me a bit to find the exact commands I used. The configuration below has been validated to work on Cisco routers, switches, and voice gateways.

Part 1. RADIUS Server Configuration

Assuming you already have a Network Policy Server installed on a DC somewhere...

RADIUS Clients and Servers > RADIUS Clients > Right Click > New RADIUS Client
  • Add Friendly Name
  • IP
  • Vendor = Cisco
  • Shared Secret
    • Manual
    • Enter a key (same as used on the cisco device)
Policies > Network Policies > Right Click > New (use defaults unless specified)
  • Policy Name (I just called this the same as the client friendly name)
  • Conditions
    • Windows Groups: AD Group with network administrator accounts
    • Client Friendly Name: same as the friendly name from "RADIUS Clients" (prevents the policy from inadvertently being applied to the wrong devices; optional precaution)
  • Authentication Methods > Check "Unencrypted authentication (PAP, SPAP)" (Cisco IOS login authentication sends PAP, so this must be enabled)
  • "Configure Settings"
    • RADIUS Attributes
      • Standard > Remove Framed-Protocol PPP
      • Vendor Specific > Add (drops the user straight into enable mode, privilege level 15, on login)
        • Vendor = Cisco
        • Attribute Name = Cisco-AV-Pair
        • Value = shell:priv-lvl=15

Part 2: SSH to Cisco Switch/Router

You'll need...
  • VLAN/IP that authentication will originate from
  • IP of your RADIUS Server
  • RADIUS Secret used in part 1.
Run the following from the command line...

conf t
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface <<interface the requests originate from, e.g. Vlan1 or GigabitEthernet0/0>>
radius-server host <<IP of RADIUS Server>> auth-port 1645 acct-port 1646
radius-server key <<RADIUS SECRET>>
service password-encryption

Part 3: Testing

  1. Ensure your admin account can log in
  2. Ensure that other accounts cannot log in, especially if you have other RADIUS authentication policies, as we did.
  3. Validate that your local account no longer works while the RADIUS server is reachable (with "group radius local", the local database is only consulted when RADIUS does not respond).
  4. "Disable" your RADIUS client in NPS. Validate that your local account works as a fail-safe.
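Part 1 checks "Unencrypted authentication" (PAP) and hands back a Cisco-AV-Pair of shell:priv-lvl=15; Part 3 verifies the result by logging in. As an added example that is not part of the original post, the Python below shows the RADIUS exchange behind those steps per RFC 2865: the PAP User-Password obfuscation the switch sends, the Response Authenticator check that lets the switch reject a reply forged by someone who does not hold the shared secret, and extraction of the Cisco-AV-Pair (Vendor-Specific attribute, vendor id 9, vendor-type 1) from the Access-Accept. The shared secret, user name, password, "attacker-guess" secret and the locally simulated NPS reply are all constructed values; no live server is involved.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 1, 2, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1  # Cisco-AV-Pair rides in Vendor-Specific (26): vendor 9, vendor-type 1

def pap_encrypt(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    blocks = [req_auth]  # the first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        blocks.append(bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + blocks[-1]).digest())))
    return b"".join(blocks[1:])

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_av_pair(value):
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(value) + 2) + value.encode())

def build_response(code, ident, req_auth, secret, body):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_response(resp, request, secret):
    """Client side: reject replies whose ID, length or authenticator do not match our request."""
    head_ok = len(resp) >= 20 and struct.unpack("!H", resp[2:4])[0] == len(resp) and resp[1] == request[1]
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return head_ok and hmac.compare_digest(expected, resp[4:20])

def cisco_av_pairs(pkt):
    """Return every Cisco-AV-Pair string (e.g. 'shell:priv-lvl=15') found in the packet."""
    pairs, pos = [], 20
    while pos + 2 <= len(pkt):
        atype, alen, val = pkt[pos], pkt[pos + 1], pkt[pos + 2:pos + pkt[pos + 1]]
        if atype == VENDOR_SPECIFIC and val[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AV_PAIR):
            pairs.append(val[6:4 + val[5]].decode())
        pos += max(alen, 2)  # never loop forever on a malformed zero-length attribute
    return pairs

def demo():
    """Constructed exchange (no live NPS): a genuine Access-Accept and one forged without the secret."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    creds = attr(USER_NAME, b"netadmin") + attr(USER_PASSWORD, pap_encrypt(b"P@ssw0rd!", secret, req_auth))
    req = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(creds)) + req_auth + creds
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret, cisco_av_pair("shell:priv-lvl=15"))
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, b"attacker-guess", cisco_av_pair("shell:priv-lvl=15"))
    return {"password_in_clear": b"P@ssw0rd!" in req, "accept_ok": verify_response(accept, req, secret),
            "forged_ok": verify_response(forged, req, secret), "av_pairs": cisco_av_pairs(accept)}
```

Note that PAP's MD5 stream is keyed only by the shared secret, so the strength of that secret and restricting which source addresses NPS accepts (the RADIUS client entry) are what actually protect the AD password on the wire.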