Windows Server 2012 as RADIUS for Cisco Router & Switch

If you have many devices on your network, a centralized authentication server is always handy: it gives you efficient control of the devices, and it is convenient and scalable. I don't know about you, but I cannot remember or track all the passwords that are not used all the time. You don't have to use Microsoft Windows Server, since there are a lot of open-source RADIUS servers out there. However, if you have Microsoft Windows clients on your network, you probably already have one. This article explains, step by step, how to set up Windows Server 2012 as a RADIUS authentication server. Network Policy Server (NPS) provides the RADIUS server functionality, and for the RADIUS client we will use a Cisco 3750 switch in this case. Let's start.

Microsoft Windows Server 2012 as a RADIUS Authentication Server for Cisco Router & Switch

Notes:

OS: Microsoft Windows Server 2012 Essentials, 4 GB RAM
The Windows server is joined as the domain server.
IP: 192.168.1.100

Steps

1. Create a user group for the specific people who are allowed to access the designated devices. In this case, the user group name is "Network_Eng".

Win2012R2-Active-Directory-Authentication-Cisco-1

2. Add the NPS role, if you have not installed it yet

1. From Server Manager, click "Add roles"
2. Select "Network Policy and Access Services" and click "Next"
3. A page explaining what NPS is appears; click "Next"
4. Under "Select the role services to install for Network Policy and Access Services", check the box "Network Policy Server" and click "Next"
5. Click "Install"
6. When the installation has succeeded, click "Close"

3. Link NPS to Active Directory Domain Services (optional)

– Open NPS from Administrative Tools
– Right-click NPS (Local), then click "Register server in Active Directory". This adds the server to the "RAS and IAS Servers" group so that NPS can read the account properties of domain users.

4. Create a RADIUS client (in the screenshot below it has already been created)

– Open "NPS" from "Administrative Tools"
– In the left pane, under NPS (Local) > RADIUS Clients and Servers, right-click "RADIUS Clients", then click "New"

Win2012R2-Active-Directory-Authentication-Cisco-2

4-1. RADIUS Client Properties – Settings

– Check the box "Enable this RADIUS client"
– Under New RADIUS Client, type the Friendly name: "Cisco_3750"
– Enter the IP address of the RADIUS client
– Type the Shared secret (and confirm it); it must match the shared secret configured on the RADIUS client side (the Cisco 3750 switch in this case). Use a long random secret: RADIUS hides the PAP password only with an MD5 mask derived from this secret, so a weak secret exposes user passwords to anyone who can capture the traffic between the switch and the server.

Win2012R2-Active-Directory-Authentication-Cisco-3

4-2. RADIUS Client Properties – Advanced

– Vendor name: "Cisco"

Win2012R2-Active-Directory-Authentication-Cisco-4

5. Configure a policy under "Connection Request Policies" in Network Policy Server (NPS)

Win2012R2-Active-Directory-Authentication-Cisco-5

5-1. Configure NPS Policies – Properties / Overview

– Policy name: "Cisco"
– Policy enabled: checked
– Type of network access server: "Unspecified"

Win2012R2-Active-Directory-Authentication-Cisco-5-1

5-2. Configure NPS Policies – Properties / Conditions

– Condition value: "Cisco_"; it covers RADIUS clients whose friendly name starts with "Cisco_". NPS evaluates the value as a pattern (regular expression syntax), so "Cisco_" also matches a name that merely contains that string; use "^Cisco_" if the match must be anchored to the start of the name.

Win2012R2-Active-Directory-Authentication-Cisco-5-2

5-3. Configure NPS Policies – Properties / Settings / Authentication Methods

– None

Win2012R2-Active-Directory-Authentication-Cisco-5-3-1

5-4. Configure NPS Policies – Properties / Settings / Authentication

– Choose "Authenticate requests on this server"

Win2012R2-Active-Directory-Authentication-Cisco-5-3-2

5-5. Configure NPS Policies – Properties / Settings / Accounting

– None

Win2012R2-Active-Directory-Authentication-Cisco-5-3-3

5-6. Configure NPS Policies – Properties / Settings / Attribute

– Attribute: "Called-Station-Id"

Win2012R2-Active-Directory-Authentication-Cisco-5-3-4

5-7. Configure NPS Policies – Properties / Settings / Standard

– Service-Type: "Login"

Win2012R2-Active-Directory-Authentication-Cisco-5-3-5

5-8. Configure NPS Policies – Properties / Settings / Vendor Specific

– Name: Cisco-AV-Pair
– Vendor: Cisco
– Value: shell:priv-lvl=15

Win2012R2-Active-Directory-Authentication-Cisco-5-3-6

6. Configure Network Policies

Win2012R2-Active-Directory-Authentication-Cisco-6-1

6-1. Configure Network Policies – Properties / Overview

– Policy name: "Network engineer"
– Policy enabled box: checked
– Choose "Grant access..."
– Type of network access server: "Unspecified"

Win2012R2-Active-Directory-Authentication-Cisco-6-1-1

6-2. Configure Network Policies – Properties / Conditions

– Create the conditions as shown below

Win2012R2-Active-Directory-Authentication-Cisco-6-1-2

6-3. Configure Network Policies – Properties / Constraints / Authentication Methods

– Check the box "Unencrypted authentication (PAP, SPAP)". The switch sends vty login credentials to RADIUS with PAP, so in transit the password is protected only by the shared-secret mask, not by any encryption; keep the switch-to-NPS path on a trusted management network.

Win2012R2-Active-Directory-Authentication-Cisco-6-1-3-1

6-4. Configure Network Policies – Properties / Constraints / NAS Port Type

– Choose "Virtual (VPN)"

Win2012R2-Active-Directory-Authentication-Cisco-6-1-3-2

6-5. Configure Network Policies – Properties / Settings

– RADIUS Attributes / Standard: None

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-1

6-6. Configure Network Policies – Properties / Settings / RADIUS Attributes / Vendor Specific

– Name: "Cisco-AV-Pair"
– Vendor: "Cisco"
– Value: "shell:priv-lvl=15" (the same attribute-value pair as in step 5-8; the switch only honours this exact syntax when it authorizes the exec session)
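The exchange that the policies above produce, as an added Python example that is not part of the original article: a minimal RFC 2865 encoder/decoder showing how the switch hides the PAP password with the shared secret from step 4-1 (the only protection PAP gets, see step 6-3), how NPS signs its reply, and how the Cisco-AV-Pair "shell:priv-lvl=15" from steps 5-8 and 6-6 travels in the Access-Accept as a vendor-specific attribute (vendor id 9, sub-attribute 1). The user name, password, switch address and secret below are constructed for illustration; the packet layout itself follows the RFC.

```python
"""Minimal RFC 2865 encode/decode for the switch <-> NPS exchange described above."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1       # "Service-Type : Login" from step 5-7
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1            # vendor sub-attribute number of Cisco-AV-Pair


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    The chain starts from the Request Authenticator; the secret is the only key material."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same chain; a secret that differs by one byte yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping vendor id 9 and sub-attribute 1 (Cisco-AV-Pair)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AV_PAIR, text.encode()))


def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """What the switch sends for a vty login: PAP password plus Service-Type = Login."""
    authenticator = authenticator or os.urandom(16)   # real clients need this unpredictable
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request, secret, av_pairs):
    """NPS side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(cisco_av_pair(p) for p in av_pairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request, response, secret) -> bool:
    """Switch side: a reply whose Response Authenticator does not verify must be discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(pkt):
    """Walk the TLVs after the 20-byte header; Cisco VSAs come back as ("Cisco-AV-Pair", text)."""
    out, pos = [], 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        value = pkt[pos + 2:pos + length]
        if kind == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_kind, sub_len = value[4], value[5]
            name = "Cisco-AV-Pair" if sub_kind == CISCO_AV_PAIR else sub_kind
            out.append((name, value[6:4 + sub_len].decode()))
        else:
            out.append((kind, value))
        pos += length
    return out


def privilege_level(request, response, secret):
    """Privilege level the switch would apply, taken only from a verified Access-Accept."""
    if response[0] != ACCESS_ACCEPT or not verify_response(request, response, secret):
        return None
    for name, value in parse_attrs(response):
        if name == "Cisco-AV-Pair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


if __name__ == "__main__":
    secret = b"zzzzz"        # constructed, mirrors "key zzzzz" in the switch config
    req = build_access_request("netadmin", "P@ssw0rd", secret, "192.168.1.10", ident=7)
    acc = build_access_accept(req, secret, ["shell:priv-lvl=15"])
    print("attributes in Access-Accept:", parse_attrs(acc))
    print("privilege level applied:", privilege_level(req, acc, secret))
    hidden = dict(parse_attrs(req))[USER_PASSWORD]
    print("password as seen with a trailing space in the secret:",
          reveal_password(hidden, secret + b" ", req[4:20]))
```

Two things this makes visible that the GUI steps do not: the password leaves the switch masked only by MD5 of the shared secret, which is why the secret in step 4-1 should be long and random, and a secret that differs by a single trailing space (troubleshooting tip 3) unmasks to garbage, so NPS rejects the login even though everything else is correct. The switch likewise must discard an Access-Accept whose Response Authenticator does not verify, which is what keeps a forged reply from handing out priv-lvl 15.
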
Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-2

6-7. Configure Network Policies – Properties / Settings / Network Access Protection / NAP Enforcement

– Choose "Allow full network access"
– Enable "Auto remediation of client computers"

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-3

6-8. Configure Network Policies – Properties / Settings / Network Access Protection / Extended State

– Blank

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-4

6-9. Configure Network Policies – Properties / Settings / Routing and Remote Access / Multilink and Bandwidth Allocation Protocol

– Choose "Server settings determine Multilink usage"

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-5

6-10. Configure Network Policies – Properties / Settings / Routing and Remote Access / IP Filters

– None

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-6

6-11. Configure Network Policies – Properties / Settings / Routing and Remote Access / Encryption

– Check all boxes

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-7

6-12. Configure Network Policies – Properties / Settings / Routing and Remote Access / IP Settings

– Choose "Server settings determine IP address assignment"

Win2012R2-Active-Directory-Authentication-Cisco-6-1-4-8

7. Cisco switch configuration

Cisco_3750> enable
Cisco_3750# configure terminal
Cisco_3750(config)# aaa new-model
! Local fallback account, used only when the RADIUS server group does not answer
Cisco_3750(config)# username xxxx privilege 15 secret yyyy
! The domain name must exist before the RSA key pair can be generated
Cisco_3750(config)# ip domain-name ipbalance.com
Cisco_3750(config)# crypto key generate rsa
Cisco_3750(config)# ip ssh version 2
Cisco_3750(config)# ip ssh time-out 30
Cisco_3750(config)# line vty 0 15
Cisco_3750(config-line)# transport input ssh
Cisco_3750(config-line)# exit

! The key zzzzz must match the shared secret entered in NPS (step 4-1)
Cisco_3750(config)# radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key zzzzz
Cisco_3750(config)# aaa group server radius rad_access
Cisco_3750(config-sg-radius)# server 192.168.1.100 auth-port 1812 acct-port 1813
Cisco_3750(config-sg-radius)# exit
! Authenticate logins against RADIUS first; fall back to the local user only if no server answers
Cisco_3750(config)# aaa authentication login default group rad_access local
! Exec authorization applies the shell:priv-lvl=15 attribute returned by NPS
Cisco_3750(config)# aaa authorization exec default group rad_access local
Cisco_3750(config)# end

7-1. Cisco verification commands

show aaa sessions
show aaa servers
debug radius authentication

8. Troubleshooting tips

1. Turn the Windows firewall off during the test (re-enable it afterwards with UDP 1812 and 1813 allowed from the switch)
2. Ping the RADIUS server from the client
3. Make sure there is no invisible (trailing) space in the shared key on either side

We hope it is informative for you.