How-to : Integrate Cisco Easy VPN authentication with Microsoft NPS RADIUS on Windows Server 2008 R2


In this article we will go through the configuration of Cisco Easy VPN along with Microsoft NPS RADIUS on Windows Server 2008 R2.

The article covers:

  1. Basic information about Cisco Easy VPN
  2. Cisco IOS router configuration for Easy VPN
  3. Windows Server 2008 R2 NPS and RADIUS configuration

Let’s go…



Apps : Cisco7PCF for Windows


I have just released a small app for the Windows platform. The app decrypts type 7 passwords from Cisco devices as well as passwords from Cisco VPN profiles (PCF files).

Passwords which can be recovered using this app:

  • wireless keys for Cisco access points,
  • RADIUS/TACACS shared secrets
  • NTP authentication keys
  • Enable passwords (NOT enable secrets, which are stored using MD5)
  • enc_GroupPwd – VPN group password from PCF file
  • enc_UserPassword – VPN user password from PCF file

The application can also store passwords and/or send them via email after decryption.

You can find the app in the Windows Store:

Cisco Password Decryptor
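
Because every item in the list above is stored reversibly, it is worth knowing where type 7 strings still live in a configuration so they can be rotated or replaced. The following audit sketch is an added example, not part of the original post or of the app; the sample config is constructed, and the patterns are assumptions that cover common IOS syntax rather than a full grammar.

```python
import re

# Constructed sample config; every encoded value is a placeholder, not real data.
SAMPLE_CONFIG = """\
hostname lab-r01
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password 7 PLACEHOLDER7A
username admin password 7 PLACEHOLDER7B
username ops secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
radius-server key 7 PLACEHOLDER7C
tacacs-server key 7 PLACEHOLDER7D
ntp authentication-key 1 md5 PLACEHOLDER7E 7
dot11 ssid LAB
 wpa-psk ascii 7 PLACEHOLDER7F
line vty 0 4
 password 7 PLACEHOLDER7G
"""

# (category, pattern) pairs; the named group "val" marks the reversible string.
# The patterns are assumptions covering common IOS syntax, not a full grammar.
RULES = [
    ("enable password", re.compile(r"^enable password 7 (?P<val>\S+)")),
    ("user password", re.compile(r"^username \S+ .*\bpassword 7 (?P<val>\S+)")),
    ("RADIUS/TACACS shared secret",
     re.compile(r"^(?:radius|tacacs)-server .*\bkey 7 (?P<val>\S+)")),
    ("NTP authentication key",
     re.compile(r"^ntp authentication-key \d+ md5 (?P<val>\S+) 7$")),
    ("wireless key", re.compile(r"^wpa-psk (?:ascii|hex) 7 (?P<val>\S+)")),
    ("line password", re.compile(r"^password 7 (?P<val>\S+)")),
]


def audit_type7(config_text):
    """Return (line_number, category, redacted_line) for each type 7 secret."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for category, pattern in RULES:
            match = pattern.search(line)
            if match:
                start, end = match.span("val")
                # Redact the encoded value so the report does not leak it.
                redacted = line[:start] + "<redacted>" + line[end:]
                findings.append((lineno, category, redacted))
                break
    return findings


if __name__ == "__main__":
    for lineno, category, text in audit_type7(SAMPLE_CONFIG):
        print(f"line {lineno}: {category}: {text}")
```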


Config snippets : Cisco: Reload command might be handy


A few times in the past, when I was making changes on Cisco devices remotely, I was a victim of myself: a wrong order of commands just disconnected me from the device without the ability to connect back. After a few experiences of this kind I discovered the magic command “reload”, which can help and save the day.

So, when making changes which can impact the remote terminal connection to a device, it’s a good idea to schedule a reload before making the changes. If something goes wrong, the device will reboot itself and come back with the previous configuration, because the unsaved changes are lost on reboot.

lab-r01#reload in 15
Reload scheduled in 15 minutes by admin on console
Reload reason: Reload Command
Proceed with reload? [confirm]
*Mar  1 03:11:11.659: %SYS-5-SCHEDULED_RELOAD: Reload requested for 03:26:09 UTC Fri Mar 1 2002 at 03:11:09 UTC Fri Mar 1 2002 by admin on console. Reload Reason: Reload Command.

Once everything is configured and connectivity to the device has not been lost, we can cancel the scheduled reload.

lab-r01#reload cancel
*Mar  1 03:11:19.415: %SYS-5-SCHEDULED_RELOAD_CANCELLED: Scheduled reload cancelled at 03:11:19 UTC Fri Mar 1 2002

It is very helpful: it can save time and rescue you from trouble.


Config snippets : Setting NTP server on Cisco IOS device


A quick config snippet to set up an external NTP server to synchronize time on a Cisco IOS router.

labisr-01(config)#ip name-server
labisr-01(config)#ntp server 0.europe.pool.ntp.org
Translating "0.europe.pool.ntp.org"...domain server ( [OK]
labisr-01(config)#clock timezone GMT 0

Please note that I first set up a name server on the router so that it can resolve the NTP server FQDN.

Once the NTP server is set, we can check its status:

labisr-01#sh ntp associations
address         ref clock     st  when  poll reach  delay  offset    disp
*~    3    37    64  377    38.7    2.04     1.4
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
labisr-01#sh ntp status
Clock is synchronized, stratum 4, reference is
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D442C30E.7A93ED17 (22:58:22.478 GMT Mon Nov 5 2012)
clock offset is 2.0449 msec, root delay is 71.69 msec
root dispersion is 61.25 msec, peer dispersion is 1.36 msec

Config snippets : Timezones for Cisco devices


One thing which came in handy for me was a list of the timezones I can use on Cisco devices. It was very useful during NTP deployment. So, here it is… the timezones available for use on the Cisco platform.