This post provides step-by-step commands to configure a Cisco Catalyst switch to authenticate administrator logins against a Windows Server 2008 R2 NPS RADIUS server.
Configuring the Switch
The first step is configuring the switch to use RADIUS authentication.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS
Three things to check at this point. First, "local" at the end of the method list is only consulted when no RADIUS server answers; a reject from NPS is final, so define a local account (e.g. username admin privilege 15 secret <password>) for the case where the server is unreachable. Second, "line vty 0 4" covers only the first five vty lines and Catalyst switches have vty 0 15, so apply the same login authentication to "line vty 5 15" (and to "line console 0" if console logins should also be checked against RADIUS). Third, cisco123 is only a placeholder: with the PAP method used below, the user's password is hidden on the wire only by a hash keyed with this shared secret, so use a long random secret.
Configuring the Windows RADIUS Server
Assuming NPS is already installed and configured correctly, we need to define a RADIUS client and create a Network Policy.
- Open the NPS console and select “RADIUS Clients”
- Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
- Once completed click OK
- Select “Policies” > “Network Policies”
- Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leaving “Type of network access server” as Unspecified
- Add a “Condition” of “Windows Groups” , choose a suitable domain group e.g. “NetAdmins”. Add more conditions if required.
- “Specify Access Permission” as “Granted”
- “Configure Authentication Methods”, untick all pre-selected methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP, SPAP)”. Click Next. IOS sends vty login credentials to RADIUS as PAP, so this method must be allowed; the password is protected on the wire only by the RFC 2865 User-Password scheme keyed with the shared secret, so keep the switch-to-NPS path on a trusted network and the secret strong.
- “Configure Constraints”, nothing to configure. Click Next
- “Configure Settings”, select “Standard” and remove the default “Framed-Protocol” and “Service-Type” attributes
- Add a new “Service-Type” attribute with the value “Login”
- Still under “Configure Settings”, select “Vendor Specific”
- Click “Add”, select “Cisco” from the vendor drop-down box and pick the “Cisco-AV-Pair” attribute
- Click “Add” and click “Add” again
- Enter the “Attribute Value” shell:priv-lvl=15 (this is the attribute the switch reads to set the exec privilege level)
- Click Next and then Finish
To test that authentication works, telnet/SSH to the switch and enter domain credentials. The user lands in User EXEC mode, however, and still has to enter the enable password/secret to reach Privileged EXEC mode.
To drop the user straight into Privileged EXEC mode, add an AAA exec authorization command:
Switch1(config)# aaa authorization exec default group radius local if-authenticated
NOTE – the RADIUS attribute “shell:priv-lvl=15” configured earlier works in conjunction with this aaa authorization command. In other words you need both for a user to be placed directly into Privileged EXEC mode: with only the attribute the switch never requests exec authorization, and with only the command the server returns no privilege level, so the user still lands in User EXEC (level 1).
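To see what actually crosses the wire between the switch and NPS in the setup above, here is an added example in Python (mine, not code from the original post or from Cisco/Microsoft). It builds the PAP Access-Request the switch sends, the Access-Accept NPS returns carrying Service-Type=Login and the Cisco-AV-Pair shell:priv-lvl=15, verifies the Response Authenticator with the shared secret and extracts the privilege level that the aaa authorization exec command would apply. It also shows why the shared secret matters: the same secret recovers the PAP password from a captured request. The switch address, username and password in demo() are constructed for the example; the attribute numbers and MD5 constructions follow RFC 2865.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 codes and attribute types used in a switch login exchange.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1   # the "Login" value the NPS policy returns
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # Cisco-AV-Pair vendor type inside the VSA


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: shared secret + captured packet = cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; the length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco (9) / Cisco-AV-Pair (1), e.g. shell:priv-lvl=15."""
    value = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, vsa)


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """What the switch sends for a vty login (IOS uses PAP; a real switch adds a few more attributes)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_user_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """NPS reply when the Network Policy matches, sealed with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check the switch performs before trusting any attribute in the reply."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs; Cisco-AV-Pair values are unwrapped from the VSA."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed attribute; never loop on a zero length
        value = packet[pos + 2:pos + alen]
        if (atype == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR):
            yield "Cisco-AV-Pair", value[6:4 + value[5]].decode()
        else:
            yield atype, value
        pos += alen


def exec_privilege_level(request: bytes, response: bytes, secret: bytes) -> int:
    """Level 'aaa authorization exec' applies: 15 only if the reply verifies and carries
    shell:priv-lvl=15; otherwise the user stays in User EXEC (level 1)."""
    if not verify_response(request, response, secret):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    for name, value in parse_attributes(response):
        if name == "Cisco-AV-Pair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return 1


def demo(secret: bytes = b"cisco123") -> int:
    # Constructed exchange: switch 192.168.20.1 logging in a domain user (hypothetical values).
    request = build_access_request("NetAdmin01", "Sw1tch-P@ss", secret, "192.168.20.1")
    accept = build_access_accept(request, secret,
                                 attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
                                 + cisco_avpair("shell:priv-lvl=15"))
    return exec_privilege_level(request, accept, secret)
```

Calling demo() returns 15, the level the switch applies when both the aaa authorization exec command and the shell:priv-lvl attribute are in place; feed build_access_accept an attribute list without the Cisco-AV-Pair and the same function returns 1, which is exactly the "stuck in User EXEC" behaviour described above. recover_user_password() with the secret and the request's authenticator gives back the cleartext password, which is the reason the shared secret and the network between switch and NPS deserve the same care as the passwords themselves.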