RADIUS (Remote Authentication Dial-In User Service) is a network protocol that provides centralized authentication, authorization and accounting for users and devices that connect to network services. It follows a client/server model: the RADIUS client runs on the network device (in our case a Cisco router) and forwards each authentication request to a central RADIUS server (in our case NPS), which holds the user accounts and the access policies and answers with an accept or a reject. Refer to Figure 1 to see how RADIUS works. AAA (Authentication, Authorization, and Accounting) is the framework in Cisco IOS through which you set up access control on a router or access server; it can use RADIUS, TACACS+ or Kerberos as the back-end protocol. One property of RADIUS is worth keeping in mind throughout this guide: it runs over UDP, and the shared secret configured on both sides is all that protects the exchange. Only the User-Password attribute is obfuscated with it; the user name and every other attribute travel in the clear, and the packet authenticators are MD5 values keyed with that secret. Keep the path between the router and NPS on a trusted management network and choose a long, random secret.
Microsoft NPS (Network Policy Server) is a role service in Windows Server 2008 and later that centrally manages and enforces the network access policies which determine whether a user can or cannot access the network. NPS uses the RADIUS protocol to communicate with the network devices that ask it to authenticate users. It is most often used for remote users who connect through VPN or wireless access points, but, as this guide shows, the same network policies can control administrative logins to network devices. Policies are created once on the NPS server and apply to every network device that is registered with it as a RADIUS client.
This guide will show you the quick steps to configure a Microsoft NPS server as a RADIUS server for Cisco router logins. Below are the tasks we are going to accomplish.
1. Configure Microsoft NPS server as RADIUS Server
2. Configure the Cisco router for RADIUS authentication.
Prerequisites
1. Windows Server 2008 R2
2. Active Directory Domain Services
3. The NPS server must be a member of the domain
1. Configure Microsoft NPS server as RADIUS Server
1. Go to Server Manager > Roles > Add Roles, select 'Network Policy and Access Services' and click Next
2. Read the description and click Next
3. Select Network Policy Server and click Next
4. Confirm the selection, click Install, and close the wizard when the installation completes
5. Now go to Start > Administrative Tools > Network Policy Server.
Now click Action > Register server in Active Directory. This adds the NPS computer account to the RAS and IAS Servers group so that NPS can read users' dial-in properties; without it NPS cannot evaluate the account and rejects the request.
6. Confirm that you want to authorize this computer (NPS) to read users' dial-in properties in the domain by clicking OK
7. Now you will see the confirmation screen and click OK
8. In the left panel under RADIUS Clients and Servers, right-click RADIUS Clients and click New RADIUS Client. Enter a friendly name for the router, the IP address the router will send its RADIUS packets from (the address of the interface you will later set as ip radius source-interface; NPS silently discards packets from addresses it does not know) and a shared secret. The same secret goes on the router's radius-server host line, so generate a long random one and treat it like a password.
9. Now under Policies, right-click Network Policies and click New. Specify the policy name and connection type. Here I am using the policy name 'Cisco Router Access' and leaving Type of network access server as 'Unspecified'.
10. On the Specify Conditions page, add a Windows Groups condition and pick a group from Active Directory.
Here I am adding the Network Support group from Active Directory. Only members of that group will match this policy, so its membership is effectively the list of router administrators and should be reviewed like any other privileged group.
11. On the Specify Access Permission page, select Access granted and click Next.
12. On the Configure Authentication Methods page, select Unencrypted authentication (PAP, SPAP). Cisco IOS sends login passwords to RADIUS as PAP, so this is required. On the wire the password is only obfuscated with the shared secret, not encrypted, which is one more reason to keep RADIUS traffic on a management network.
13. On the Configure Settings page, in the Standard section, add the Service-Type attribute with the value NAS Prompt. This tells the router that the user is to get a command prompt rather than, for example, a PPP session.
14. On the Configure Settings page, in the Vendor Specific section, add the Cisco-AV-Pair attribute (vendor Cisco) with the value shell:priv-lvl=15. The router reads this attribute during EXEC authorization and puts the user straight into privileged EXEC (level 15), so no enable password is asked for. If some staff should only get read-only access, give them a separate AD group and policy that returns a lower level such as shell:priv-lvl=1.
15. On the Completing New Network Policy page review the settings and click Finish
Below you can see the screen-shot of the network policy that we have created.
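To make concrete what the router and NPS actually exchange once steps 12 to 14 are in place, here is an added example (written for this page; it is not Microsoft's or Cisco's code and not part of the original guide) that implements both sides of a minimal RFC 2865 exchange in Python using only the standard library. The client side builds an Access-Request whose User-Password is obfuscated with the shared secret as PAP requires; the server side stands in for NPS with a constructed user table and the Network Support group check, and answers Access-Accept with Service-Type=NAS-Prompt and Cisco-AV-Pair shell:priv-lvl=15; the client then verifies the Response Authenticator before honouring the privilege level. The user names, passwords and the secret sharedkey are constructed values for the example.

```python
"""RADIUS login exchange (RFC 2865): a Cisco-style client and an NPS-style server. Constructed data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_NAS_PROMPT = 7           # Service-Type value set in step 13
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Cisco-AV-Pair is vendor type 1 under vendor 9 (step 14)

# Constructed stand-in for the AD accounts and the Windows Groups condition of step 10.
USERS = {
    "alice": {"password": "Corr3ct-Horse", "groups": {"Network Support"}},
    "bob": {"password": "St4ple-Battery", "groups": {"Help Desk"}},
}
SECRET = b"sharedkey"  # must equal the key on 'radius-server host ... key sharedkey'

def encode_attr(atype, value):
    """Type, Length (counts the 2 header bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encode_cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id, then vendor type, vendor length, string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def pap_obfuscate(password, secret, req_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], mask))
        out += prev
    return out

def pap_recover(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def build_access_request(ident, username, password, secret):
    """Router side: the packet 'aaa authentication login ... group NPS' sends."""
    req_auth = os.urandom(16)
    body = (encode_attr(USER_NAME, username.encode())
            + encode_attr(USER_PASSWORD, pap_obfuscate(password, secret, req_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def nps_handle(packet, secret, users, allowed_group):
    """Server side: the network policy of steps 9-14 reduced to its essentials."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = users.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    granted = (code == ACCESS_REQUEST and user is not None and USER_PASSWORD in attrs
               and pap_recover(attrs[USER_PASSWORD], secret, req_auth) == user["password"]
               and allowed_group in user["groups"])
    code, body = ACCESS_REJECT, b""
    if granted:  # steps 13 and 14: NAS-Prompt plus shell:priv-lvl=15
        code = ACCESS_ACCEPT
        body = (encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
                + encode_cisco_avpair("shell:priv-lvl=15"))
    return (struct.pack("!BBH", code, ident, 20 + len(body))
            + response_authenticator(code, ident, req_auth, body, secret) + body)

def router_handle_reply(packet, ident, req_auth, secret):
    """Router side: authenticate the reply, then read the privilege level from the VSA."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    if rid != ident or packet[4:20] != response_authenticator(code, rid, req_auth, body, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(body):
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            text = value[6:4 + vlen].decode("utf-8", "replace")
            if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return 1  # Access-Accept without priv-lvl: user lands in user EXEC (level 1)

def login(username, password, router_secret=SECRET, server_secret=SECRET):
    """One full exchange; returns the granted privilege level, or None on Access-Reject."""
    request, req_auth = build_access_request(0x2A, username, password, router_secret)
    reply = nps_handle(request, server_secret, USERS, "Network Support")
    return router_handle_reply(reply, 0x2A, req_auth, router_secret)
```

Calling login("alice", "Corr3ct-Horse") returns 15, the level the router would drop alice into; login("bob", "St4ple-Battery") returns None because bob is outside the Network Support group, which is the clean Access-Reject you want to see in the NPS log. Passing different router_secret and server_secret values shows the third outcome: the server cannot recover the PAP password and rejects, and the router then refuses the reply because the Response Authenticator does not verify, which is how a mistyped shared secret presents itself in practice (a server that appears not to answer rather than a clear denial).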
2. Configuring Cisco Router for RADIUS authentication
The below configuration will enable the RADIUS Authentication on your Cisco Router.
Enable AAA in global configuration mode (the other aaa commands are not accepted until aaa new-model is set) and define a server group that points at NPS:
Cisco(config)#aaa new-model
Cisco(config)#aaa group server radius NPS
Cisco(config-sg-radius)#server 172.17.0.52 auth-port 1812 acct-port 1813
Cisco(config-sg-radius)#exit
Where 172.17.0.52 is the IP address of the NPS server. Next create the method lists. Methods are tried from left to right, so with local group NPS the local username database is consulted first and NPS is asked only for names it does not contain. If you prefer NPS to be authoritative and the local account to serve only as a fallback when the server is unreachable, write group NPS local instead; either way keep one local administrator account so you can still log in while NPS is down.
Cisco(config)#aaa authentication login ciscoauth local group NPS
Cisco(config)#aaa authorization exec ciscoauth local group NPS if-authenticated
Cisco(config)#aaa authorization network ciscoauth local group NPS
Cisco(config)#aaa accounting exec default start-stop group NPS
Cisco(config)#aaa accounting system default start-stop group NPS
Cisco(config)#aaa session-id common
The exec authorization list is what applies the shell:priv-lvl=15 attribute returned by NPS; without it every user lands in level 1 regardless of the policy. The if-authenticated keyword at the end lets an already-authenticated user into EXEC when no authorization method can answer. Accounting sends start and stop records for EXEC sessions and system events to NPS, so the NPS accounting log gives you a trail of who logged in to which router and when.
Cisco(config)#ip radius source-interface GigabitEthernet0/0
Choose the interface whose address you registered as the RADIUS client in NPS; requests from any other source address are discarded by NPS, which looks to the router like a server that does not answer.
Cisco(config)#radius-server host 172.17.0.52 auth-port 1812 acct-port 1813 key sharedkey
Replace sharedkey with the secret entered in NPS; the two must match exactly. The key is stored in the running configuration, so turn on service password-encryption and treat configuration backups as sensitive. On newer IOS releases the radius server <name> / address ipv4 / key form supersedes radius-server host.
Cisco(config)#line vty 0 4
Cisco(config-line)#authorization exec ciscoauth
Cisco(config-line)#login authentication ciscoauth
Cisco(config-line)#transport input telnet rlogin ssh
This binds the method lists to the VTY lines. Note that telnet and rlogin carry the login credentials across the network in the clear, so unless you still depend on them, restrict the lines with transport input ssh.
That completes the configuration. Test it by logging in to the router as a member of the Network Support group, keeping an existing console session open while you do so that a mistake cannot lock you out. From the router you can exercise the server group without opening a new session with test aaa group NPS <user> <password> new-code, and debug radius authentication shows the Access-Request and the attributes NPS returns. On the NPS side the Security event log records each decision: Event ID 6272 for access granted and 6273 for access denied, together with the policy that matched and the reason for a rejection. A user who is not in the Network Support group should be rejected, and a correct login should land directly at the privileged prompt without an enable password.