Home > Cisco, Windows > Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins

Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins

(Page 3)

This next attribute setting is optional but often configured to allow users to automatically have their privileges elevated to privileged (15) EXEC mode when they login to the Cisco router.  Under RADIUS Attributes select Vendor Specific.  Click Add.

With Vendor set to “All”, select Vendor-Specific for the attribute and click Add.

Click Add.

For the attribute information select “Select from list” and choose Cisco from the menu.  Then select “Yes. It conforms” and click Configure Attribute.

For the Vendor-assigned attribute number enter 1, for Attribute format choose String, and in Attribute value type:

shell:priv-lvl=15

Then click OK.

Click OK.

Click Close.

Click Next.

Finally click Finish.

Now we need to specify the Cisco router as a RADIUS client to the Windows NPS server.  Back at the Network Policy Server console in the left open up RADIUS Clients and Servers, then right click RADIUS Clients and choose New from the menu.

In the New RADIUS Client dialog type the friendly name that you specified earlier in the network policy for this router.  Enter the IP address for the device, use the IP of the router interface closest to the Windows server or use the IP of the interface that you specified if you used the “ip radius” command when configuring the Cisco device.  Finally enter the shared secret RADIUS key that you specified over on the router.  Now click OK.

Now the NPS service needs to be activated in Active Directory.  Right click the NPS tree root on the left pane, and choose “Register server in Active Directory”.

Click OK.

Click OK again.

Finally I have noticed that NPS doesn’t seem to work after all this configuration until I’ve restarted the service.  So once again on the NPS tree root right click it and select “Stop NPS Service”.  It seems to take a few moments for the service to actually stop so wait 10-15 seconds then right click NPS again and choose “Start NPS Service”.  Switch over to your router and make an attempt to login.

One thing to keep in mind with these Network Policies in NPS is that some of their settings can be overridden by Connection Request Policies.  Daryl Hunter noted this in his blog on the subject, so keep this in mind of you have any difficulties.  Hope all goes well!

References

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

http://www.darylhunter.me/churchit/2010/06/cisco-iosfu-7-cisco-radius-windows-server-2008-nps.html

http://youritguy.wordpress.com/2009/10/02/aaa-radius-authentication-with-windows-server-2008/

Advertisements

Pages: 1 2 3

Categories: Cisco, Windows Tags: ,
  1. Shaun
    August 27, 2010 at 9:43 pm

    Seriously. Hands down one of the BEST guides out there. Thank you so much for getting me started!!!!!

    • November 9, 2010 at 5:39 pm

      I have a pretty much stright up setup of a Cisco WLC 4400.
      Authenticatin using Radius.
      After building my wn2008 R2 box, importing my config I am getting this error:

      There is no domain controller available for domain xxxx.com.
      Source:NPS Event ID: 4402

      Any pointers?
      Same config works fine on a 2008 system.

  2. Vin
    October 1, 2010 at 7:48 pm

    Great article, thanks for documenting this. I have a question though about the RADIUS client setup. I see the note about using wildcards but I’m a little confused. Do I need to setup a separate RADIUS client for each switch that I want to use NPS?

    • October 2, 2010 at 1:03 am

      Hi Vin,

      Yes, I believe you should be able to use a simple wildcard or a regular expression pattern to match multiple host names or IP addresses of your RADIUS clients. Unfortunately I did this writeup in a test environment which is no longer available and am using Windows 2003 IAS in production at the moment so I’m unable to test this functionality. More details on regex functions in NPS can be found below, in the middle they give an example of matching an IP address subnet range.

      http://technet.microsoft.com/en-us/library/cc755272%28WS.10%29.aspx

      Best wishes,

      Aaron

      • Vin
        October 2, 2010 at 2:56 pm

        Aaron,

        Thanks for the quick response, and the link. I’ll check that out. I ended up exporting all the switch names and addresses from the previous RADIUS server and using a NETSH script to create the clients in the new server. I attempted to setup one of the switches with the appropriate IOS config and I see it’s attempt in the log, but it seems to be failing to authenticate. I’ll have to do a bit more work on it. Thanks again.

        Vin

  3. Jon Cole
    November 1, 2010 at 9:41 am

    Brilliant blog, thanks for your time with this document.
    Can you help me for when I do not want to use my W2008 servers as DC but as AAA only.

    Jon

    • November 1, 2010 at 9:04 pm

      Hi Jon,

      You should be able to configure a Win2008 server as a AAA server without it also being a DC. In fact in my environment I currently have a 2008 domain member server running NPS/AAA. I think the configuration procedure should basically be the same. Good luck!

      Aaron

  4. November 9, 2010 at 5:40 pm

    I have a pretty much stright up setup of a Cisco WLC 4400.
    Authenticatin using Radius.
    After building my wn2008 R2 box, importing my config I am getting this error:
    There is no domain controller available for domain xxxx.com.
    Source:NPS Event ID: 4402
    Any pointers?
    Same config works fine on a 2008 system

    • November 10, 2010 at 5:28 am

      Hi Christian,

      Are you saying that you exported your settings from 2008 NPS and imported them to 2008 R2? If so I haven’t used that functionality so I cannot confirm that it works without the error you are experiencing. Unfortunately I don’t have 2008 R2 NPS set up at the moment to try this out.

      All the best,

      Aaron

  5. November 10, 2010 at 4:28 pm

    Yes, works just greta on the 2008 side..
    when I run the same config on a R2 – I get that 4401 error.
    Very strange and there is not much info out there.

  6. Wesley
    November 18, 2011 at 5:22 pm

    Something I am concerned with, is where you say

    “The Cisco IOS requires unencrypted authentication methods so select “Unencrypted authentication (PAP, SPAP)”. Click Next.”

    I believe our settup needs to use the CHAP authentication, using an unencrypted authentication method is not a viable option for where I am working. How much would this document change, or the cisco router setup change, to use CHAP instead of unencrypted?

    Thanks! Fantastic writeup!

    • Volpi
      June 8, 2012 at 1:49 pm

      Hello do you find solution for crypting authentification.
      It will vert helpfull form me.
      Thanks.

  7. January 9, 2012 at 11:29 am

    Thanks!

    Works like a charm with OpenVPN too!

  8. Andrew
    March 6, 2012 at 8:45 pm

    Great tutorial!! How would I set it up so I also have users log in with read only access?

    • Matt
      August 17, 2012 at 4:41 pm

      You should be able to specify priv-lvl=7 if you need to.

  9. Joao Marcos
    July 30, 2012 at 5:20 pm

    Boa Tarde, amigo, qual seria o passo a passo para instalar o Radius no 2008 R2 para sincronizar autenticacao com um Lynksys 2500 da Cisco. Voces possui?

  10. Tom Praill
    October 29, 2012 at 8:39 pm

    FYI, I used this guide to apply 802.1x authentication for a wireless connection and there was one crucial difference that took me awhile to sort out.
    On the authentication configuration page there is no need to select “unencrypted authentication” but you do have to add “Protected EAP (PEAP)” under EAP types.

    Im assuming this is because WPA Enterprise uses PEAP by default and, at least on the Cisco AP541N, there was no way to change authentication method.

    Perhaps this could also be applied to the IOS config for wired 802.1x to make things a bit more secure?

  1. August 18, 2010 at 7:47 am
  2. March 17, 2011 at 10:31 am
  3. August 13, 2011 at 9:33 am
  4. September 29, 2011 at 10:45 am
  5. October 26, 2011 at 11:31 am
  6. January 22, 2012 at 7:11 am
  7. May 20, 2012 at 8:51 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: