Many times I came across one issue: how to grant access to the CLI (Command Line Interface) on Cisco devices without creating a separate username and password for each user on each device? To resolve that I used the AAA features of Cisco IOS together with a built-in Windows Server 2008 R2 component, NPS (Network Policy Server).

Those two combined create a very flexible environment for managing who can access network devices, when, and how. At the same time, Active Directory becomes the central place to grant or deny access to devices and to enforce a specific privilege level.

Below is a simple diagram of the whole process and the steps which take place when accessing a Cisco device integrated with NPS/RADIUS.

What happens when accessing a router integrated with RADIUS:

  1. Operator initiates an SSH or Telnet connection to the device and enters credentials (username/password)
  2. Cisco router checks its local database for the username and password
  3. If the credentials are found in the local database, the operator gets access to the command line on the router
  4. If the credentials are not present in the local database, the request for authentication and authorization is forwarded to RADIUS
  5. RADIUS checks the credentials and group membership with a Domain Controller
  6. If the user is a member of the Network-Admins or Network-Support group, access to the CLI is granted and the operator can access the router; otherwise the operator can't access the Cisco router

Let’s see how to configure whole solution step-by-step…

Objective

NPS integration with Cisco will deliver a solution which allows authenticating and authorizing access to the Cisco device Command Line Interface (CLI) with Active Directory credentials. In addition, the privilege level will be determined and enforced based on Active Directory group membership.

Actions which will be taken:

  1. Appropriate groups will be created in Active Directory
    • Network-Admins – for users who will have privilege 15 access to Cisco devices
    • Network-Support – for users who will have privilege 1 access to Cisco devices
  2. Microsoft NPS Role will be added to Windows Server 2008 R2
  3. Network Policies will be created on NPS/RADIUS
  4. Cisco router will be added to NPS/RADIUS as client
  5. Appropriate configuration will be applied to Cisco router

Microsoft NPS Server Role Installation

The first step is to install NPS on Windows Server 2008 R2; Server Manager is used for that. In Server Manager right-click on Roles and choose Add Roles from the context menu.

On Before You Begin screen click Next to proceed to Role selection screen.

On Roles list locate Network Policy and Access Services, make sure that checkbox on the left side of that role is checked and click Next to proceed to next installation screen.

Next screen is Introduction to Network Policy and Access Services. Click Next to proceed to Role Services selection screen.

On Select Role Service screen make sure that Network Policy Server checkbox is checked and click Next to proceed to installation summary screen.

On the Confirm Installation Selections screen review that Network Policy Server is shown on the list of services for installation and, if everything is correct, click Install to proceed with the installation and add the new Role to the system.

Once all components of the new role are installed you will see the Installation Results screen, which indicates whether the whole process went well or some errors occurred. If everything went well, click the Close button.

Now you can go to Start / Administrative Tools and find the Network Policy Server icon which has been added to the system as a result of the new role installation. Click it to start the NPS management console.

Once you start the NPS management console you can see that one of the components of NPS is RADIUS. This is the service we will need and use to provide authentication and authorization to Cisco devices based on Active Directory credentials and group membership.


Register NPS in Active Directory

First we have to register Network Policy Server in Active Directory to allow authentication based on user accounts we created in domain.

To authorize NPS in AD:

  • Logon to server with NPS using account with domain admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Right-click on NPS (Local) and from context menu click Register server in Active Directory.

  • Confirm that you want to authorize this computer (the server with NPS) to access users' dial-in properties by clicking OK in the Network Policy Server dialog window. Make sure that authorization happens in the correct domain, as indicated in the message from the system.

  • When the operation completes successfully, a confirmation will show on the screen that this computer is now authorized to read users' dial-in properties from the domain.

For everyone who likes to configure servers from the Command Prompt, here is how to register NPS in the default AD domain:

  1. Log on to the NPS server using account with domain admin credentials.
  2. Open Command Prompt.
  3. In CMD window type: netsh ras add registeredserver
  4. Then press ENTER.

Add Cisco router as RADIUS client

Now it's time to inform NPS/RADIUS about our router and establish a shared secret, which identifies the router when it requests authentication and authorization from RADIUS and Active Directory.

To add router as RADIUS client:

  • Logon to server with NPS using account with admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Expand RADIUS Client and Servers.
  • Right-click on RADIUS Clients and click New from context menu.

  • In the New RADIUS Client window, on the Settings tab, enter:
    • Friendly name of the router – a name to recognize the router, usually the same as its hostname.
    • Address (IP and DNS) – IP address or hostname of the router; if a hostname is used it needs to be registered in DNS before the RADIUS configuration.
    • Shared secret – the passphrase configured on the router, which identifies the router when it requests AAA from RADIUS.

  • In the New RADIUS Client window, on the Advanced tab, enter:
    • Vendor name – Cisco – as in this example a Cisco router will communicate with RADIUS.

  • Once confirmed with OK we will see that the router has been added to the RADIUS configuration as a client.


Adding new NPS Policy for Network Admins

Now it’s time to create Network Policies, which will allow users to access certain devices and enforce particular privilege level on Cisco device.

To add a Network Policy:

  • Logon to server with NPS using account with admin credentials.
  • Go to Start / Administrative Tools and then click Network Policy Server.
  • Expand Policies.
  • Right-click on Network Policies and click New from the context menu.

  • On the Specify Network Policy Name and Connection Type dialog specify the policy name, which in this case is Network-Admin, and leave Type of network access server as Unspecified.

  • On the Specify Conditions screen add 2 parameters:
    • Windows Groups – and specify the Network-Admins group from Active Directory
    • Client Friendly Name – and specify the name of the device(s) from which the operator will have access (in this example the router has the name lab-r01, so I'm adding lab-r? as Client Friendly Name, which means all devices whose name starts with lab-r; the question mark in the client name means any string of characters)

  • On Specify Access Permissions make sure that the Access granted option is selected and the Access is determined by User Dial-in properties checkbox is cleared.

  • On Configure Authentication Methods make sure that the Unencrypted authentication (PAP, SPAP) checkbox is checked; PAP is the method Cisco IOS uses to send login passwords to RADIUS, so the policy must allow it.

  • On the Configure Constraints screen no changes are needed, so click Next to move on to the next step

  • On the Configure Settings screen in the Standard section add the Service-Type parameter with value NAS Prompt

  • On the Configure Settings screen in the Vendor Specific section add the Cisco-AV-Pair parameter with value:
    • shell:priv-lvl=15 – for Network-Admins policy which will enforce privilege level 15
    • shell:priv-lvl=1 – for Network-Support policy which will enforce privilege level 1

  • On Completing New Network Policy screen review summary and click Finish to create network policy

Below, the created policy is shown on the Network Policies list.

Repeat the steps in the Adding new NPS Policy for Network Admins section to set up a policy for each privilege level you want to enforce on Cisco devices.

Define the appropriate parameters on the Configure Settings screen in the Vendor Specific section using the Cisco-AV-Pair parameter with value:

  • shell:priv-lvl=15 – for Network-Admins policy which will enforce privilege level 15
  • shell:priv-lvl=1 – for Network-Support policy which will enforce privilege level 1

Of course shell:priv-lvl may contain any number between 1 and 15.
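To show what the two policy settings above actually put on the wire, here is an added Python example (not part of the original post) that encodes the Service-Type = NAS Prompt attribute and the Cisco-AV-Pair vendor-specific attribute the way they appear in the RADIUS Access-Accept, and then parses the privilege level back out as the router has to. Attribute numbers come from RFC 2865 and Cisco's vendor ID 9; the function names are my own.

```python
import struct
from typing import List, Optional, Tuple

# Attribute numbers from RFC 2865; Cisco vendor ID and AV-pair sub-type from Cisco's RADIUS VSA docs
RADIUS_SERVICE_TYPE = 6
RADIUS_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7   # "NAS Prompt" selected in the Standard section of the policy
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1              # sub-attribute that carries "shell:priv-lvl=N"

def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute; length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco AV-pair string in a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    sub = encode_attr(CISCO_AVPAIR, text.encode("ascii"))
    return encode_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def accept_attributes(priv_lvl: int) -> bytes:
    """Attributes the Network-Admins (15) or Network-Support (1) policy adds to the Access-Accept."""
    if not 1 <= priv_lvl <= 15:
        raise ValueError("IOS privilege levels run from 1 to 15")
    service_type = encode_attr(RADIUS_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
    return service_type + cisco_avpair(f"shell:priv-lvl={priv_lvl}")

def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of TLV attributes, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def priv_level_from_accept(data: bytes) -> Optional[int]:
    """Privilege level the router would apply: the shell:priv-lvl value from a Cisco VSA, else None."""
    for atype, value in decode_attrs(data):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for subtype, sval in decode_attrs(value[4:]):
            if subtype == CISCO_AVPAIR and sval.startswith(b"shell:priv-lvl="):
                return int(sval.split(b"=", 1)[1])
    return None
```

A VSA from a different vendor, or an Access-Accept with no Cisco AV-pair at all, yields None, which is the case where the router falls back to its default exec privilege level rather than the one the policy intended.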


Configuration on Cisco IOS

It is time to inform our router or switch that all attempts to access the device via telnet or ssh should be authenticated and authorized against the local database and, if the username or password doesn't match, then go to RADIUS.

! Enable the AAA subsystem (required before any other aaa commands)
aaa new-model
!
! RADIUS server group pointing at the NPS server
aaa group server radius IAS
 server 172.16.90.41 auth-port 1812 acct-port 1813
!
! Login: check the local database first, then the IAS group (NPS/RADIUS)
aaa authentication login userAuthentication local group IAS
! Exec authorization (privilege level) from local first, then RADIUS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
! Send exec and system accounting records to RADIUS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
!
aaa session-id common
! RADIUS server and shared secret (the same key entered for the RADIUS client in NPS)
radius-server host 172.16.90.41 auth-port 1645 acct-port 1646 key secret12key
radius-server host 172.16.90.41 auth-port 1812 acct-port 1813 key secret12key
!
! Allow privilege level 1 users (Network-Support) to run "show config"
privilege exec level 1 show config
!
! Source RADIUS requests from this interface; its address must match the client address in NPS
ip radius source-interface fa0/1
!
! Apply the method lists to all VTY lines
line vty 0 4
 authorization exec userAuthorization
 login authentication userAuthentication
 transport input ssh telnet
!
line vty 5 15
 authorization exec userAuthorization
 login authentication userAuthentication
 transport input ssh telnet

Environment-specific values in this configuration, such as the RADIUS server address, the shared key and the source interface, should be adjusted to the environment in which the device is running.

Test if implementation was successful

For testing purposes I set up the following users in the LAB domain:

  • akim – member of Network-Support group
  • apearson – member of Network-Admins group
  • apeters – member of neither the Network-Admins nor the Network-Support group

Network-Support member is accessing device

When a member of the Network-Support group accesses the device, privilege level 1 is enforced and, according to the configuration, a user with that privilege level can display the configuration on the screen.

C:\>telnet 172.16.90.6

User Access Verification

Username: akim

Password:

lab-r01>sh conf
Using 1769 out of 57336 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lab-r01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$U7IF$U8hEIH38g7KWwf9Sc8tt.1
!
aaa new-model
!
!
aaa group server radius IAS
server 172.16.90.41 auth-port 1812 acct-port 1813
!
aaa authentication login UserAuthentication local group IAS
aaa authorization exec UserAuthorization local group IAS
aaa authorization network UserAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
!
lab-r01>

Network-Admins member is accessing device

When a member of the Network-Admins group logs in to the device, privilege level 15 is enforced automatically, so full access to the device is granted.

C:\>telnet 172.16.90.6

User Access Verification

Username: apearson

Password:

lab-r01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
lab-r01(config)#

Member of neither network admin nor support group is accessing device

When the user is not a member of any of the authorized groups (neither Network-Admins nor Network-Support), access to the device is refused.


C:\>telnet 172.16.90.6

User Access Verification

Username: apeters

Password:

% Authentication failed

Username:

Enjoy 🙂