If you have a lot of devices on your network, centralized authentication server is always handy for efficient control of devices, convenient and scalable. I don’t know about you, but I cannot remember or track all the passwords that are not using all the time. You don’t have to use Microsoft Windows Server, since a lot of opensource RADIUS server out there. However, If you have a Microsoft Windows client on your network, probably you already have one. This article will explain how to setup Windows Server 2012 as a RADIUS authentication server in steps. Network Policy Server(NPS) will provide RADIUS server functionality and for the RADIUS client, we will use Cisco 3750 Switch in this case. Let’s start.
Microsoft Windows Server 2012 as a RADIUS Authentication Server for Cisco Router & Switch
Notes;
OS : Microsoft Windows Server 2012 essential. 4G RAM
Window server is joined as domain server.
IP : 192.168.1.100
Steps
1. Create a user group for specific people can access desiganted device to access. In this case, user group name is "Network_Eng"
2. Adding NPS role, if you have not installed yet
1. From Server Manager, clock "Add roles"
2. Select "Network Policy and Access Services" and click "Next"
3. Showing page to explain what is NPS, click "Next"
4. Select the role services to install for network policy and Access Services: check box "Network Policy Server" and click "Next"
5. Click "Install"
6. Installation succeeded, click "Close"
3. Link NPS to Active Directory Domain Service (optional)
– Open NPS from Administrative Tools
– Right click the NPS(Local), then click Register in "Active Directory"
4. Create a RADIUS client(Already created on bewlow)
– Open "NPS" from "Administrator Tools"
– Right click RADIUS clients from left(under NPS(Local) > RADIUS Clients and Servers, then click "New"
4-1. RADIUS Client Properties – Setting
– Check a box "Enable the RADIUS client".
– From New RADIUS Client, type Friendly name : "Cisco_3750"
– Put an IP of RADIUS Client
– Type "Shared Secret" (and confirm shared secret), it should be matched with RADIUS Client side of setup (Cisco 3750 switch in this case)
4-2. RADIUS Client Properties – Advanced
– Vendor name : "Cisco"
5. Configure a Policies under "Connection Request Policies" from Network Policy Server(NPS)
5-1. Configure NPS Policies – Properties / Overview
– Policy name : "Cisco"
– Policy enabled : Check
– Type of network access server: "Unspecified"
5-2. Configure NPS Policies – Properties / Conditions
– Condition value : "Cisco_" : It will cover RADIUS client name start with "Cisco_"
5-3. Configure NPS Policies – Properties / Settings / Authentication Methods
– None
5-4. Configure NPS Policies – Properties / Settings / Authentication
– Choose "Authenticate requests on this server"
5-5. Configure NPS Policies – Properties / Settings / Accounting
– None
5-6. Configure NPS Policies – Properties / Settings / Attribute
– Attribute : "Called-Station-Id"
5-7. Configure NPS Policies – Properties / Settings / Standard
– Service-Type : "Login"
5-8. Configure NPS Policies – Properties / Settings / Vendor Specific
– Name : Attribute-AV-Pair
– Vendor : Cisco
– Value : shell:priv-lvl=15
6. Configure Network Policies
6-1. Configure Network Policies – Properties / Overview
– Policy name : "Network engineer"
– Policy enabled box : checked
– Choose "Grant Access……"
– Type of network access server : "Unspecified"
6-2. Configure Network Policies – Properties / Conditions
– Create conditions as below
6-3. Configure Network Policies – Properties / Constraints / Authentication Methods
– Check a box "Unencrypted Authentication (PAP, SPAP)"
6-4. Configure Network Policies – Properties / Constraints / NAS Port Type
– Choose "Virtual(VPN)"
6-5. Configure Network Policies – Properties / Settings
– RADIUS Attributes/ Standard : None.
6-6. Configure Network Policies – Properties / Settings / RADIUS Attribute / Vendor Specific
– Name : "Cisco-AV-Pair"
– Vendor : "Cisco"
– Value : "shell-priv-level=15"
6-7. Configure Network Policies – Properties / Settings / Network Access Protection / NAP Enforcement
– Choose "Allow full network access"
– Enable "Auto Remediation of client computers"
6-8. Configure Network Policies – Properties / Settings / Network Access Protection / Extended State
– Blank
6-9. Configure Network Policies – Properties / Settings / Routing and Remote Access / Multilink and Bandwidth Allocation Protocol
– Choose "Server settings determine Multilink usage"
6-10. Configure Network Policies – Properties / Settings / Routing and Remote Access /IP Filters
– None.
6-11. Configure Network Policies – Properties / Settings / Routing and Remote Access / Encryption
– Check all boxes
6-12. Configure Network Policies – Properties / Settings / Routing and Remote Access / IP Settings
– Choose "Server settings determine IP address assignment
7. Cisco switch configuration
Cisco_3750>enable
Cisco_3750# configure terminal
Cisco_3750(config)# aaa net-model
Cisco_3750(config)# username xxxx privilege 15 secret yyyy
Cisco_3750(config)# crypto key generate rsa
Cisco_3750(config)# ip ssh version 2
Cisco_3750(config)# ip ssh time-out 30
Cisco_3750(config)# line vty 0 15
Cisco_3750(config-line)# transport input ssh
Cisco_3750(config-line)# exit
Cisco_3750(config)# ip domain-name ipbalance.com
Cisco_3750(config)# radius-server host IP 192.168.1.100 auth-port 1812 acct-port 1813 key zzzzz
Cisco_3750(config)# aaa group server radius rad_access
Cisco_3750(config-sg-radius)# server auth-port 1812 acct-port 1813
Cisco_3750(config-sg-radius)# exit
Cisco_3750(config)# aaa authentication login default group rad_access local
Cisco_3750(config)# aaa authorization exec default group rad_access local
Cisco_3750(config)# end
7-1. Cisco commands
show aaa session
show aaa servers
debug radius authentication
8. Troubleshooting tips.
1. Firewall off during a test
2. Ping to RADIUS server from client
3. Make sure any invisible space on shared key
We hope it is informative for you.
The www.ipBalance.com runs by a volunteer group with IT professionals and experts at least over 25 years of experience developing and troubleshooting IT in general. ipBalance.com is a free online resource that offers IT tutorials, tools, product reviews, and other resources to help you and your need.
