Cisco device RADIUS configuration with Server 2008R2


OS: Windows 2008 R2 Standard, 4 GB RAM
The Windows server is joined to the domain.
IP: 192.168.1.100
* Windows 2008 Datacenter server for 802.1x
** Create a user group named RADIUS-Access

Steps
 

A. Adding NPS role

1. From Server Manager, click "Add Roles"
2. Select "Network Policy and Access Services" and click "Next"
3. A page explaining what NPS is appears; click "Next"
4. Under "Select the role services to install for Network Policy and Access Services", check "Network Policy Server" and click "Next"
5. Click "Install"
6. When the installation has succeeded, click "Close"

B. Link NPS to Active Directory Domain Services (optional) – you could create a local user group instead of using a pre-existing user group from AD.

1. Open NPS from Administrative Tools
2. Right click "NPS (Local)", then click "Register server in Active Directory"


C. Create policy for the RADIUS client

1. Open "NPS" from "Administrative Tools"
2. On the left, under NPS (Local) > RADIUS Clients and Servers, right click "RADIUS Clients" and click "New"
3. In "New RADIUS Client", type the Friendly name: Cisco-SW
4. Enter the IP address of the RADIUS client (the switch)
5. Type the "Shared secret" (and confirm it)
6. Click "OK"

D. Create Network Policy

1. Expand "policies" menu on the left
2. Right click "Network Policies" and select "New"
3. Type the "Policy name": Network-Access, choose "Unspecified" as the "Type of network access server" and click "Next"
4. On "Specify Conditions":
– Click "Add", select "User Groups" in the "Select condition" window, click "Add" again and add the RADIUS-Access group.
– Click "Add", select "Client Friendly Name" in the "Select condition" window and enter the RADIUS client name (e.g. Cisco-SW).
– Click "Add", select "NAS Port Type" in the "Select condition" window and select "Virtual (VPN)" under "Common dial-up and VPN tunnel types" (this is the port type IOS reports for vty/SSH logins).
5. Click "Next"
6. Select "Access granted" and click "Next"
7. Uncheck everything except "Unencrypted authentication (PAP, SPAP)" and click "Next"
8. Click "No" on the "Connection Request Policy" prompt
9. Click "Next" on "Configure Constraints"
10. On "Configure Settings", select the default "Framed-Protocol" and "Service-Type" attributes and remove them.
11. Select "Vendor Specific" on the left, then click "Add"
12. Select "Cisco" as the vendor, choose "Cisco-AV-Pair" and click "Add"
13. Click "Add" again, type "shell:priv-lvl=15", click "OK", click "OK" again, then click "Close"
14. Click "Next"
15. Click "Finish"

E. Cisco switch configuration

Cisco_3750>enable
Cisco_3750# configure terminal
Cisco_3750(config)# aaa new-model
! Local fallback account, used only when the RADIUS server cannot be reached
Cisco_3750(config)# username xxxx privilege 15 secret yyyy
! The domain name must exist before the RSA key can be generated
Cisco_3750(config)# ip domain-name ipbalance.com
Cisco_3750(config)# crypto key generate rsa
Cisco_3750(config)# ip ssh version 2
Cisco_3750(config)# ip ssh time-out 30
Cisco_3750(config)# line vty 0 15
Cisco_3750(config-line)# transport input ssh
Cisco_3750(config-line)# exit

! Shared secret zzzzz must match the one entered in NPS step C.5
Cisco_3750(config)# radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key zzzzz
Cisco_3750(config)# aaa group server radius rad_access
Cisco_3750(config-sg-radius)# server 192.168.1.100 auth-port 1812 acct-port 1813
Cisco_3750(config-sg-radius)# exit
! RADIUS first, local users only as fallback
Cisco_3750(config)# aaa authentication login default group rad_access local
Cisco_3750(config)# aaa authorization exec default group rad_access local
Cisco_3750(config)# end


F. Troubleshooting tips.

1. Turn the Windows firewall off only while testing (NPS listens on UDP 1812/1813)
2. Ping the RADIUS server from the client
3. Make sure there is no invisible trailing space in the shared secret on either side


G. Cisco commands

show aaa sessions
show aaa servers
debug radius authentication