Cisco Authentication Via IAS Radius Server

mgeorgemgeorge Member Posts: 774 ■■■□□□□□□□
I have received many messages asking how to configure Cisco devices to authenticate with a Windows
2000/2003 Active Directory using RADIUS. So I figured I'd write this toturial real fast.

Also this feature is more of a CCNP topic then a CCNA, so please dont attempt this
if you are not fluent in Cisco configuration. To make it easy, dont try this if you dont
have your CCNA yet...


If you are not fimular with Active Directory or IAS (Internet Authentication Services) Then you SHOULD NOT attempt this.

First off lets get the IAS RADIUS Server configured correctly first.

In Active Directory make a 2 Global Security Distribution groups called;

CISCO_AAA_LVL1
CISCO_AAA_LVL15

Now exit Active Directory and go to IAS (Internet Authentication Service) in Administrative Tools

First, right click "Internet Authentication Service (Local)" and click Register in Active Directory

Then right click on RADIUS Clients in the left hand window pane and click "New RADIUS Client"
Then type in the Friendly name for it such as "Cisco 2610"
Whatever, then type in the IP address of this device and click next.

Leave the Client-Vender as "RADIUS Standard" and create a shared secret randomly.
Its a good practice to use random char's and numbers such as CQ6Q6TMC7P
Somthing complicated which cannot be guessed.

Now lets create the 2 policies we need for the remote authentication to take place.

Click on "Remote Access Policies" in the left hand window pane in IAS and you should see a few policies already,
if you want remove them all (unless your using IAS to authenticate wifi users" then leave that policy at #1

Right click "Remote Access Policies and click "New Remote Access Policy"

Select "Setup a custom policy" and type in policy name "Cisco AAA Level 1"

Then click ADD and go down to "Windows-Groups" and click ADD agian and type in "CISCO_AAA_LVL1" click next
select "Grant Permission" then next and then click on "Edit Profile" Click the Authentication TAB and only checkmark
"Unencrypted Authentication (PAP, SPAP)

Then click the "Advanced" Tab and double click "Service-Type" and change Framed to Login
Remove the "Framed-Protocol" and then click ADD and select Vender-Specific and select ADD
change "RADIUS Standard" to Cisco then select "Yes. It Conforms" then click Configure Attribute

Vender-assigned Attribute number: 1
Attribute format: String
Attribute Value: shell:priv-lvl=1

Click ok, ok, close, then ok, then a help thing will probably pop up, click no" then next. and finish

Do the same thing for the policy named "Cisco AAA Level 15" and add the different user security
distro group and set the configure attributes to

Vender-assigned Attribute number: 1
Attribute format: String
Attribute Value: shell:priv-lvl=15

And the radius server policies should be created.

If you use IAS to authenticate WiFi users then make sure they policy is in order number 1
Then make sure Cisco AAA Level 1 is 2nd, and Level 15 is 3rd.

As for the Cisco Device, issue the following commands at Terminal Configuration
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host x.x.x.x
radius-server key SHAREDKEY


And save configuration, when you console back into the router, or even try to telnet into it,I
t will prompt you for a username/password and authenticate those credentials via Active Directory.

I had to finish this in a hurry, sorry if its not more straight forward, but you shouldnt
try this if you cannot understand what I've told ya to do.

Hope you enjoye this cool feature.

George
There is no place like 127.0.0.1

Comments

  • mgeorgemgeorge Member Posts: 774 ■■■□□□□□□□
    Has any one tried this yet, and if so can they confirm that this guide is accurate, if i left somthing out feel free to post...
    There is no place like 127.0.0.1
  • forbeslforbesl Member Posts: 454
    Note to self: Continue using Cisco ACS for radius authentication
  • mgeorgemgeorge Member Posts: 774 ■■■□□□□□□□
    You could use TACACS+ yes, but if you dont have it then you can improvise ;)

    on the other hand, this is simple and cheep...
    There is no place like 127.0.0.1
  • SlowhandSlowhand MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi Bay Area, CaliforniaMod Posts: 5,161 Mod
    Thanks for the tutorial, mgeorge27. I'd set this kind of authentication up for my school, using IAS and some clunky Linksys access points so that they could have a more secure wireless solution. I'd wanted to look into trying it with Cisco equipment, and when I'm up to snuff on CCNA (and CCNP) topics, this will be one of the first projects I'll throw myself into. Thanks again, it's just what I needed.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • mgeorgemgeorge Member Posts: 774 ■■■□□□□□□□
    Slowhand wrote:
    Thanks for the tutorial, mgeorge27. I'd set this kind of authentication up for my school, using IAS and some clunky Linksys access points so that they could have a more secure wireless solution. I'd wanted to look into trying it with Cisco equipment, and when I'm up to snuff on CCNA (and CCNP) topics, this will be one of the first projects I'll throw myself into. Thanks again, it's just what I needed.

    It's nice that some one appreciates my work icon_lol.gif
    There is no place like 127.0.0.1
  • SlowhandSlowhand MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi Bay Area, CaliforniaMod Posts: 5,161 Mod
    mgeorge27 wrote:
    It's nice that some one appreciates my work icon_lol.gif

    Hey, I love AD and I'm quite fond of Cisco, so it's a no-brainer that this kind of thing would come in handy. icon_cool.gif

    I wanted to add some support info, for people who want to learn a little more about this process, (and are crazy enough to draw outside the lines):

    Some info regarding Microsoft IAS

    Cisco's thoughts on the subject.



    And a few more tidbits on RADIUS, in general:

    An Analysis of the RADIUS Authentication Protocol

    IETF's Paper on RADIUS

    And a Little Something for the Open-Sourcers Out There

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • pr3d4t0rpr3d4t0r Member Posts: 173
    Nice job, i tested and it works fine :D

    Just don't forget to check the allow remote access per user account.

    Everything else is flawless.
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    I wrote simular for a Juniper Netscreen Firewall with RADIUS auth. It's all good!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • fbatistafbatista Member Posts: 2 ■□□□□□□□□□
    I have found your tutorial very accurate an helpfull, but i'm still trying to solve an authentication problem between a Cisco AP 1130AG (autonomous) and a Microsoft IAS. I have tested what you told in your post and i can indeed authenticate do the console by using the credentials of a user in my AD, however the main purpose in our case would be to provide authentication to our wireless users. I have tried in several ways to point the 1130 AP to the remote radius server (IAS), but it's really complex and can't seem to use the AP local radius function...
    I'm feeling a little stupid with this.... i have read so many tutorials and documentation that i don't know what to do anymore.
    I would appreciate some help.
    Best regards.
    Francisco Batista - Portugal
  • GrigsbyGrigsby Member Posts: 69 ■■□□□□□□□□
    Just thought I would put in a helpful tip here.

    On the internal network that I am using I have DNS resolution to all of the Routers and Switches on my network. I have created static A records on my DNS server for each network node, be it a router, switch, or any other non-DHCP host. I use the IP address of a loopback interface that I never change.

    Typically, because of the routing protocols I have running on my internal network, the majority of Radius authentication packets will come from the same interface of the router or switch. But, because it is a lab, sometimes the packets will source from a different interface on the router. So the IAS config on the 2003 server would have to have multiple entries, or I would have to have multiple A records for the same host. Otherwise the IAS will reject Radius requests from IPs that it doesn't recognize

    You can control which interface the Radius request come from with the following configuration command:

    ip radius source-interface [interface name]

    This way I can specify the name of the host in the IAS setup. It would then would look to the DNS server for resolution to the IP of the loopback on the router, thus recognizing and allowing the Radius request.

    Hope this make sense. Thanks to mgeorge for the server 2003 configuration, not sure I would have nailed that on my own. icon_wink.gif
  • Tony niTony ni Registered Users Posts: 1 ■□□□□□□□□□
    Hi:I wanna configure windows 2003 ad+ias +cisco ap 1242,but i didn't find any documentation about that,so someone whoever have configured that give me some advise??my email is MODERATED, thank you!

    fbatista wrote: »
    I have found your tutorial very accurate an helpfull, but i'm still trying to solve an authentication problem between a Cisco AP 1130AG (autonomous) and a Microsoft IAS. I have tested what you told in your post and i can indeed authenticate do the console by using the credentials of a user in my AD, however the main purpose in our case would be to provide authentication to our wireless users. I have tried in several ways to point the 1130 AP to the remote radius server (IAS), but it's really complex and can't seem to use the AP local radius function...
    I'm feeling a little stupid with this.... i have read so many tutorials and documentation that i don't know what to do anymore.
    I would appreciate some help.
    Best regards.
    Francisco Batista - Portugal
  • jovan88jovan88 Member Posts: 393
    good work man, i should write up a guide for getting cisco to authenticate with freeradius, that was a huge hassle the first time I did it
  • burbankmarcburbankmarc Member Posts: 460
    jovan88 wrote: »
    good work man, i should write up a guide for getting cisco to authenticate with freeradius, that was a huge hassle the first time I did it

    Hooray for FreeRadius.

    If you do basic username/password file then FreeRadius isn't too bad. It's when you get into authing off LDAP/AD servers and stuff when things get tricky.
  • pham0329pham0329 Member Posts: 556
    Dont mean to bump such an old thread but I was searching on Google to see if it was possible to enable encrypted authentication when using radius for authentication and this thread popped up.

    Anyhow, I have everything setup to authenticate through RADIUS, but I'm a little concern about the PAP authentication method. Is there any way to get it to use an encrypted method instead?

    Edit: NVM, did a packet capture of the RADIUS traffic and found out that the password was encrypted. Did a little research and it appears the password is encrypted using the shared secret setup between the switches/routers and the RADIUS server.
  • garrinchagarrincha Registered Users Posts: 1 ■□□□□□□□□□
    Hello, i have exactly the same problem than fbatista. Im using a cisco 1240AG Access Point and i can get to auth with the AD users when connecting to the console, but not when i connect with an user to the AP...Any1 who know's whats going on and how we can fix this ?

    Thank you very much.
Sign In or Register to comment.