Configuring a Cisco Switch for AAA with Windows NPS RADIUS

This post provides step by step commands to configure a Cisco Catalyst switch to authenticate administrator users to a Windows 2008 R2 NPS RADIUS server.

Configuring the Switch

The first step is configuring the switch to use RADIUS authentication.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS

Configuring the Windows RADIUS Server

Assuming NPS is already installed and configured correctly we need to define a RADIUS client and create a Network Policy.

  • Open the NPS console and select “RADIUS Clients”
  • Create a new “RADIUS Client” specifying the IP address and the shared secret as used in the Cisco configuration (cisco123)
  • Once completed click OK
  • Select “Policies” > “Network Policies”
  • Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leave “Type of network access server” to be UNSPECIFIED
  • Add a “Condition” of “Windows Groups” , choose a suitable domain group e.g. “NetAdmins”. Add more conditions if required.
  • “Specify Access Permission” as “Granted”
  • “Configure Authentication Methods”, untick all pre-select methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP,SPAP). Click Next
  • “Configure Contraints”, nothing to configure. Click Next
  • “Configure Settings”, select “Standard” and remove “Framed-Protocol” and “Service Type”
  • Add a new attribute of “Service Type” and a value of “Login”
  • “Configure Settings”, select “Vendor Specific”
  • Click “Add”, select “Cisco” from the drop down box
  • Click “Add” and click “Add” again

  • Add the “Attribute Value” shell:priv-lvl=15
  • Click Next and then Finish

To test authentication is successful and we can telnet/ssh to the switch  and enter our Domain credentials to authenticate to the switch. However the user is in “User Exec” and would be have still have to input the enable password/secret to login to “Privilege EXEC” mode.


To automatically authenticate the user to login to Privilege EXEC mode, we would need an AAA authorization command

Switch1(config)# aaa authorization exec default group radius local if-authenticated

NOTE – the previously configured RADIUS attribute “shell:priv-lvl=15” works in conjunction the aaa authorization command. In other words you need both configured to automatically log a user into Privilege EXEC mode.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s