Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins
(Page 3)
This next attribute setting is optional but often configured to allow users to automatically have their privileges elevated to privileged (15) EXEC mode when they login to the Cisco router. Under RADIUS Attributes select Vendor Specific. Click Add.
With Vendor set to “All”, select Vendor-Specific for the attribute and click Add.
Click Add.
For the attribute information select “Select from list” and choose Cisco from the menu. Then select “Yes. It conforms” and click Configure Attribute.
For the Vendor-assigned attribute number enter 1, for Attribute format choose String, and in Attribute value type:
shell:priv-lvl=15
Then click OK.
Click OK.
Click Close.
Click Next.
Finally click Finish.
Now we need to specify the Cisco router as a RADIUS client to the Windows NPS server. Back at the Network Policy Server console in the left open up RADIUS Clients and Servers, then right click RADIUS Clients and choose New from the menu.
In the New RADIUS Client dialog type the friendly name that you specified earlier in the network policy for this router. Enter the IP address for the device, use the IP of the router interface closest to the Windows server or use the IP of the interface that you specified if you used the “ip radius” command when configuring the Cisco device. Finally enter the shared secret RADIUS key that you specified over on the router. Now click OK.
Now the NPS service needs to be activated in Active Directory. Right click the NPS tree root on the left pane, and choose “Register server in Active Directory”.
Click OK.
Click OK again.
Finally I have noticed that NPS doesn’t seem to work after all this configuration until I’ve restarted the service. So once again on the NPS tree root right click it and select “Stop NPS Service”. It seems to take a few moments for the service to actually stop so wait 10-15 seconds then right click NPS again and choose “Start NPS Service”. Switch over to your router and make an attempt to login.
One thing to keep in mind with these Network Policies in NPS is that some of their settings can be overridden by Connection Request Policies. Daryl Hunter noted this in his blog on the subject, so keep this in mind of you have any difficulties. Hope all goes well!
References
http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
http://www.darylhunter.me/churchit/2010/06/cisco-iosfu-7-cisco-radius-windows-server-2008-nps.html
http://youritguy.wordpress.com/2009/10/02/aaa-radius-authentication-with-windows-server-2008/
Aaron Walrath - Another IT Guy's Meanderings 
Seriously. Hands down one of the BEST guides out there. Thank you so much for getting me started!!!!!
I have a pretty much stright up setup of a Cisco WLC 4400.
Authenticatin using Radius.
After building my wn2008 R2 box, importing my config I am getting this error:
There is no domain controller available for domain xxxx.com.
Source:NPS Event ID: 4402
Any pointers?
Same config works fine on a 2008 system.
Great article, thanks for documenting this. I have a question though about the RADIUS client setup. I see the note about using wildcards but I’m a little confused. Do I need to setup a separate RADIUS client for each switch that I want to use NPS?
Hi Vin,
Yes, I believe you should be able to use a simple wildcard or a regular expression pattern to match multiple host names or IP addresses of your RADIUS clients. Unfortunately I did this writeup in a test environment which is no longer available and am using Windows 2003 IAS in production at the moment so I’m unable to test this functionality. More details on regex functions in NPS can be found below, in the middle they give an example of matching an IP address subnet range.
http://technet.microsoft.com/en-us/library/cc755272%28WS.10%29.aspx
Best wishes,
Aaron
Aaron,
Thanks for the quick response, and the link. I’ll check that out. I ended up exporting all the switch names and addresses from the previous RADIUS server and using a NETSH script to create the clients in the new server. I attempted to setup one of the switches with the appropriate IOS config and I see it’s attempt in the log, but it seems to be failing to authenticate. I’ll have to do a bit more work on it. Thanks again.
Vin
Brilliant blog, thanks for your time with this document.
Can you help me for when I do not want to use my W2008 servers as DC but as AAA only.
Jon
Hi Jon,
You should be able to configure a Win2008 server as a AAA server without it also being a DC. In fact in my environment I currently have a 2008 domain member server running NPS/AAA. I think the configuration procedure should basically be the same. Good luck!
Aaron
I have a pretty much stright up setup of a Cisco WLC 4400.
Authenticatin using Radius.
After building my wn2008 R2 box, importing my config I am getting this error:
There is no domain controller available for domain xxxx.com.
Source:NPS Event ID: 4402
Any pointers?
Same config works fine on a 2008 system
Hi Christian,
Are you saying that you exported your settings from 2008 NPS and imported them to 2008 R2? If so I haven’t used that functionality so I cannot confirm that it works without the error you are experiencing. Unfortunately I don’t have 2008 R2 NPS set up at the moment to try this out.
All the best,
Aaron
Yes, works just greta on the 2008 side..
when I run the same config on a R2 – I get that 4401 error.
Very strange and there is not much info out there.
Something I am concerned with, is where you say
“The Cisco IOS requires unencrypted authentication methods so select “Unencrypted authentication (PAP, SPAP)”. Click Next.”
I believe our settup needs to use the CHAP authentication, using an unencrypted authentication method is not a viable option for where I am working. How much would this document change, or the cisco router setup change, to use CHAP instead of unencrypted?
Thanks! Fantastic writeup!
Hello do you find solution for crypting authentification.
It will vert helpfull form me.
Thanks.
Thanks!
Works like a charm with OpenVPN too!
Great tutorial!! How would I set it up so I also have users log in with read only access?
You should be able to specify priv-lvl=7 if you need to.
Boa Tarde, amigo, qual seria o passo a passo para instalar o Radius no 2008 R2 para sincronizar autenticacao com um Lynksys 2500 da Cisco. Voces possui?
FYI, I used this guide to apply 802.1x authentication for a wireless connection and there was one crucial difference that took me awhile to sort out.
On the authentication configuration page there is no need to select “unencrypted authentication” but you do have to add “Protected EAP (PEAP)” under EAP types.
Im assuming this is because WPA Enterprise uses PEAP by default and, at least on the Cisco AP541N, there was no way to change authentication method.
Perhaps this could also be applied to the IOS config for wired 802.1x to make things a bit more secure?