Home > Cisco, Windows > Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins

Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins

A while back I documented a procedure to allow RADIUS Authentication for Cisco Router Logins.  Shortly thereafter I included additional instructions on how to Set Up Windows 2003 IAS Server with RADIUS Authentication for Cisco Router Logins. This updated post will discuss the configuration of a Windows 2008 R2 server for Cisco router logins using RADIUS authentication.  In my example I will install the Network Policy Server to support RADIUS on a Windows 2008 R2 domain controller and give router login access to an Active Directory domain user.

First go into Server Manager.

Highlight Roles on the left side, then in the Role Summary section click Add Roles on the far right.

When you reach the Select Server Roles screen, check Network Policy and Access Services.  Click Next.

Check Network Policy Server only, then click Next.  Then click Install and and confirm the install was successful.

Now go to Start > Admin Tools > Network Policy Server.

In the left pane open up Policies, then right click Network Policies and select New from the menu.

Type a name for the new login policy, leave the network access server type at Unspecified and click Next.

Click Add to add the conditions necessary for this network policy to be run.

We will specify that this policy is run for users in a specific Windows group, so highlight Windows Group and click Add.

Click Add Groups.

Type the name of the user group that you want to grant Cisco login access to.  I will give this access to my Domain Admins.  Click Check Names to verify, then click OK.

Click OK.

About these ads

Pages: 1 2 3

Categories: Cisco, Windows Tags: ,
  1. Shaun
    August 27, 2010 at 9:43 pm

    Seriously. Hands down one of the BEST guides out there. Thank you so much for getting me started!!!!!

    • November 9, 2010 at 5:39 pm

      I have a pretty much stright up setup of a Cisco WLC 4400.
      Authenticatin using Radius.
      After building my wn2008 R2 box, importing my config I am getting this error:

      There is no domain controller available for domain xxxx.com.
      Source:NPS Event ID: 4402

      Any pointers?
      Same config works fine on a 2008 system.

  2. Vin
    October 1, 2010 at 7:48 pm

    Great article, thanks for documenting this. I have a question though about the RADIUS client setup. I see the note about using wildcards but I’m a little confused. Do I need to setup a separate RADIUS client for each switch that I want to use NPS?

    • October 2, 2010 at 1:03 am

      Hi Vin,

      Yes, I believe you should be able to use a simple wildcard or a regular expression pattern to match multiple host names or IP addresses of your RADIUS clients. Unfortunately I did this writeup in a test environment which is no longer available and am using Windows 2003 IAS in production at the moment so I’m unable to test this functionality. More details on regex functions in NPS can be found below, in the middle they give an example of matching an IP address subnet range.

      http://technet.microsoft.com/en-us/library/cc755272%28WS.10%29.aspx

      Best wishes,

      Aaron

      • Vin
        October 2, 2010 at 2:56 pm

        Aaron,

        Thanks for the quick response, and the link. I’ll check that out. I ended up exporting all the switch names and addresses from the previous RADIUS server and using a NETSH script to create the clients in the new server. I attempted to setup one of the switches with the appropriate IOS config and I see it’s attempt in the log, but it seems to be failing to authenticate. I’ll have to do a bit more work on it. Thanks again.

        Vin

  3. Jon Cole
    November 1, 2010 at 9:41 am

    Brilliant blog, thanks for your time with this document.
    Can you help me for when I do not want to use my W2008 servers as DC but as AAA only.

    Jon

    • November 1, 2010 at 9:04 pm

      Hi Jon,

      You should be able to configure a Win2008 server as a AAA server without it also being a DC. In fact in my environment I currently have a 2008 domain member server running NPS/AAA. I think the configuration procedure should basically be the same. Good luck!

      Aaron

  4. November 9, 2010 at 5:40 pm

    I have a pretty much stright up setup of a Cisco WLC 4400.
    Authenticatin using Radius.
    After building my wn2008 R2 box, importing my config I am getting this error:
    There is no domain controller available for domain xxxx.com.
    Source:NPS Event ID: 4402
    Any pointers?
    Same config works fine on a 2008 system

    • November 10, 2010 at 5:28 am

      Hi Christian,

      Are you saying that you exported your settings from 2008 NPS and imported them to 2008 R2? If so I haven’t used that functionality so I cannot confirm that it works without the error you are experiencing. Unfortunately I don’t have 2008 R2 NPS set up at the moment to try this out.

      All the best,

      Aaron

  5. November 10, 2010 at 4:28 pm

    Yes, works just greta on the 2008 side..
    when I run the same config on a R2 – I get that 4401 error.
    Very strange and there is not much info out there.

  6. Wesley
    November 18, 2011 at 5:22 pm

    Something I am concerned with, is where you say

    “The Cisco IOS requires unencrypted authentication methods so select “Unencrypted authentication (PAP, SPAP)”. Click Next.”

    I believe our settup needs to use the CHAP authentication, using an unencrypted authentication method is not a viable option for where I am working. How much would this document change, or the cisco router setup change, to use CHAP instead of unencrypted?

    Thanks! Fantastic writeup!

    • Volpi
      June 8, 2012 at 1:49 pm

      Hello do you find solution for crypting authentification.
      It will vert helpfull form me.
      Thanks.

  7. January 9, 2012 at 11:29 am

    Thanks!

    Works like a charm with OpenVPN too!

  8. Andrew
    March 6, 2012 at 8:45 pm

    Great tutorial!! How would I set it up so I also have users log in with read only access?

    • Matt
      August 17, 2012 at 4:41 pm

      You should be able to specify priv-lvl=7 if you need to.

  9. Joao Marcos
    July 30, 2012 at 5:20 pm

    Boa Tarde, amigo, qual seria o passo a passo para instalar o Radius no 2008 R2 para sincronizar autenticacao com um Lynksys 2500 da Cisco. Voces possui?

  10. Tom Praill
    October 29, 2012 at 8:39 pm

    FYI, I used this guide to apply 802.1x authentication for a wireless connection and there was one crucial difference that took me awhile to sort out.
    On the authentication configuration page there is no need to select “unencrypted authentication” but you do have to add “Protected EAP (PEAP)” under EAP types.

    Im assuming this is because WPA Enterprise uses PEAP by default and, at least on the Cisco AP541N, there was no way to change authentication method.

    Perhaps this could also be applied to the IOS config for wired 802.1x to make things a bit more secure?

  1. August 18, 2010 at 7:47 am
  2. March 17, 2011 at 10:31 am
  3. August 13, 2011 at 9:33 am
  4. September 29, 2011 at 10:45 am
  5. October 26, 2011 at 11:31 am
  6. January 22, 2012 at 7:11 am
  7. May 20, 2012 at 8:51 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 68 other followers

%d bloggers like this: