Tag Archives: RADIUS

Configuring Cisco IOS SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS router for WebVPN (SSL VPN). Cisco ISE (v2.1) will be used as the RADIUS server to provide authentication and authorization. For testing purposes, group membership will be used to determine which RADIUS attributes are pushed to the connecting client.

RADIUS Server Configuration

For authorization, users in the Admin group will be permitted to use split tunnelling. These settings are held centrally on the RADIUS server and are pushed to the client only after it passes authorization.

Step 1 – Define Network Device

Add the router as a Network Device and enter the RADIUS shared secret; it must match the shared secret configured on the router.

Continue reading Configuring Cisco IOS SSL-VPN with RADIUS

Configuring Check Point Gaia with Windows NPS RADIUS Authentication


This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies.

Two roles will be created in the Check Point Web GUI, one with Read Only permissions and another with Read Write. The NPS RADIUS policy maps each Check Point role to an Active Directory group, so members of each group are assigned the appropriate role when they log in.

Continue reading Configuring Check Point Gaia with Windows NPS RADIUS Authentication

Configuring Check Point Security Management Server with RADIUS Authentication


This post describes how to configure Check Point Security Management Server to authenticate users against a Windows 2008 R2 NPS RADIUS Server.


Create Active Directory Groups


Create a new Active Directory group for administrators requiring Read/Write permissions, e.g. “Firewall Management RW”

Add users requiring Read/Write permissions to the new group

Create a new Active Directory group for administrators requiring Read-Only permissions, e.g. “Firewall Management RO”

Add users requiring Read-Only permissions to the new group

Continue reading Configuring Check Point Security Management Server with RADIUS Authentication

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

This post describes how to configure an HP ProCurve switch and a Windows 2008 R2 NPS RADIUS server to authorise users and dynamically assign them to specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create the VLANs and define an IP address and IP helper-address on each (ProCurve CLI, from global configuration):

vlan 30
   name "VLAN30"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20

vlan 40
   name "VLAN40"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20

Continue reading Configuring Dynamic VLAN assignment on ProCurve switches

Configuring 802.1x authentication on ProCurve Switches

802.1X is an open IEEE standard for port-based network access control: a client attached to a switch port must authenticate (with user or machine credentials) before the port forwards its traffic. This post describes how to configure 802.1X on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server.

Open VLAN mode will be used, which requires an “Authorized” and an “Un-Authorized” VLAN. While a client is unauthenticated the switch ignores the port’s static VLAN membership and places the port in the “Un-Authorized” VLAN, where the client attempts authentication; once the client authenticates successfully, the switch moves the port to the “Authorized” VLAN.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configuring the switch

Create the “Authorized” VLAN and define its IP address and IP helper-address:

vlan 30
   name "Auth"
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.20.20

Create the “Un-Authorized” VLAN and define its IP address and IP helper-address:

vlan 40
   name "Un-Auth"
   ip address 192.168.40.1 255.255.255.0
   ip helper-address 192.168.20.20

Continue reading Configuring 802.1x authentication on ProCurve Switches

Configuring 802.1x authentication on Cisco Catalyst switches

This post describes how to configure a Cisco Catalyst switch and a RADIUS server for 802.1X authentication. It is assumed that a Windows 2008 Active Directory domain, Certificate Authority and NPS RADIUS server are already installed.

Configuring the Switch

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.168.20.20 key cisco123
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end

Configuring the RADIUS Server

  • Open the “Network Policy Server” MMC console
  • Click “Policies” > “Network Policies”
  • Create a new Network Policy with a descriptive name, e.g. “dot1x Authentication Policy”. Click Next
  • “Specify Conditions”: click Add, select “Machine Groups” and add the “Domain Computers” group. Click Next
  • “Access Granted”: ensure “Access granted” is selected. Click Next
  • “Constraints”: select “Authentication Methods”. Under “EAP Types” click Add and select “Microsoft: Protected EAP (PEAP)”. PEAP requires a server certificate on the NPS server (issued here by the domain CA), and the supplicants should be configured to validate that certificate, otherwise a rogue RADIUS server can harvest the inner credentials. Click Next


Continue reading Configuring 802.1x authentication on Cisco Catalyst switches

Configuring a Cisco Switch for AAA with Windows NPS RADIUS

This post provides step by step commands to configure a Cisco Catalyst switch to authenticate administrator users to a Windows 2008 R2 NPS RADIUS server.

Configuring the Switch

The first step is configuring the switch to use RADIUS authentication. In the method list below, “local” is consulted only if no RADIUS server responds; an Access-Reject from NPS is final, so make sure a local account exists before cutting over.
Switch1(config)# aaa new-model
Switch1(config)# aaa authentication login AAA_RADIUS group radius local
Switch1(config)# radius-server host 192.168.20.20 key cisco123
Switch1(config)# line vty 0 4
Switch1(config-line)# login authentication AAA_RADIUS

Configuring the Windows RADIUS Server

Assuming NPS is already installed and configured correctly, we need to define a RADIUS client and create a Network Policy.

  • Open the NPS console and select “RADIUS Clients”
  • Create a new “RADIUS Client”, specifying the switch IP address and the shared secret used in the Cisco configuration (cisco123 here; use a long random secret in production)
  • Once completed click OK
  • Select “Policies” > “Network Policies”
  • Create a new Network Policy called “Authenticating Helpdesk users for Switches”, leaving “Type of network access server” as “Unspecified”
  • Add a “Condition” of “Windows Groups” and choose a suitable domain group, e.g. “NetAdmins”. Add more conditions if required.
  • “Specify Access Permission”: select “Access granted”
  • “Configure Authentication Methods”: untick all pre-selected methods (MS-CHAPv2 and MS-CHAP) and tick “Unencrypted authentication (PAP, SPAP)”. PAP is required because the IOS login prompt forwards the typed password in the RADIUS User-Password attribute, which is only obfuscated with the shared secret (RFC 2865), not encrypted; use a long random secret and keep the switch-to-NPS traffic on a management network. Click Next
  • “Configure Constraints”: nothing to configure. Click Next
  • “Configure Settings”: select “Standard” and remove the default “Framed-Protocol” and “Service-Type” attributes
  • Add a new “Service-Type” attribute with a value of “Login”
  • “Configure Settings”: select “Vendor Specific”
  • Click “Add” and select “Cisco” from the drop-down box
  • Click “Add” and click “Add” again
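The exchange behind this post and the ProCurve dynamic VLAN post above, as an added example that is not part of either original post: a small Python codec for the RADIUS messages a switch and NPS exchange. It builds the PAP Access-Request the “login authentication AAA_RADIUS” line causes the switch to send (with the RFC 2865 User-Password hiding that is all PAP gets), builds and verifies the Access-Accept, and decodes the attributes the policies push back: Service-Type = Login and the Cisco “shell:priv-lvl” VSA for admin access, and the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID trio that dynamic VLAN assignment relies on (the VLAN excerpt above stops before naming them; they are the standard attributes for that purpose). The user name, password, and the combination of admin and VLAN attributes in one Accept are constructed for the demonstration; the secret “cisco123” is the page’s own example value.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used by the NPS policies above (RFC 2865, 2868, 3580)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_LOGIN = 1
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # IANA enterprise 9; vendor type 1 carries "cisco-avpair"
TUNNEL_NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n, XOR each block with MD5(secret + previous block), chain seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out  # obfuscation keyed on the shared secret, not encryption

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth  # server-side inverse; anyone with the secret and a capture can do this
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # removes the padding

def attr(t: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets, so a value is at most 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) = Vendor-Id(4) + vendor type(1) + vendor length(1) + string."""
    v = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(v) + 2]) + v)

def tagged_int(t: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer (Tunnel-Type, Tunnel-Medium-Type): one tag octet + 3-octet value."""
    return attr(t, bytes([tag]) + value.to_bytes(3, "big"))

def build_access_request(user: str, password: str, secret: bytes, ident: int, req_auth: bytes = b"") -> bytes:
    req_auth = req_auth or os.urandom(16)  # must be unpredictable and unique per request
    body = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code: int, request: bytes, secret: bytes, attrs: list) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check before acting on an Accept: sane length, matching identifier, authenticator made with our secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(pkt: bytes) -> dict:
    """Decode the attributes these posts rely on; unknown types are skipped, bad lengths rejected."""
    out, pos, end = {}, 20, struct.unpack("!H", pkt[2:4])[0]
    while pos + 2 <= end:
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        v = pkt[pos + 2:pos + ln]
        if t == USER_NAME:
            out["User-Name"] = v.decode()
        elif t == USER_PASSWORD:
            out["User-Password"] = v  # still hidden; see reveal_password
        elif t == SERVICE_TYPE:
            out["Service-Type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AVPAIR:
            out.setdefault("cisco-avpair", []).append(v[6:4 + v[5]].decode())
        elif t in TUNNEL_NAMES:
            out[TUNNEL_NAMES[t]] = int.from_bytes(v[1:], "big")  # drop the tag octet
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            out["Tunnel-Private-Group-ID"] = (v[1:] if v[0] <= 0x1F else v).decode()  # tag is optional
        pos += ln
    return out

def demo() -> dict:
    secret = b"cisco123"  # the posts' example secret; use a long random one on real equipment
    req = build_access_request("netadmin", "Pa55w0rd", secret, ident=7)  # constructed credentials
    accept = build_response(ACCESS_ACCEPT, req, secret, [  # admin and VLAN attributes combined only for the demo
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),        # Service-Type = Login
        cisco_avpair("shell:priv-lvl=15"),                                # Cisco VSA: privilege level 15
        tagged_int(TUNNEL_TYPE, 13), tagged_int(TUNNEL_MEDIUM_TYPE, 6),   # VLAN over IEEE-802
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"30"),                   # VLAN 30, tag 0
    ])
    return {"accept_ok": verify_response(accept, req, secret), "request": parse_attrs(req), "accept": parse_attrs(accept),
            "password": reveal_password(parse_attrs(req)["User-Password"], secret, req[4:20])}
```

Running the decoder over a capture of your own switch-to-NPS traffic (both ends hold the secret) is a quick way to confirm that NPS really is sending Service-Type and the Cisco VSA, and a reminder of why the shared secret matters: anyone who obtains it can recover every PAP password that crossed the wire.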

Continue reading Configuring a Cisco Switch for AAA with Windows NPS RADIUS