Setting up RADIUS authentication between Cisco devices and Network Policy Server (NPS) in Windows Server 2008 is a bit different than in previous versions of Windows.

Here is a TechNet page with lots of good info on NPS:

http://technet.microsoft.com/en-us/network/bb629414.aspx

For now, I am just going to list the instructions needed to get up and going with NPS to allow your server to act as an authentication point for your Cisco switches/routers. This may work with other devices that can use RADIUS authentication, but I have not tested it. YMMV.

1. Install the Network Policy Server service. It is a component under ‘Network Policy and Access Services’.

2. Open the Network Policy Server console from Administrative Tools.

3. Create a new RADIUS client for the Cisco device. The process for this is very similar to the process in Server 2000/2003. You just need the device IP, choose the “RADIUS Standard” vendor type, and make up a shared secret.

4. “Register server in Active Directory” by right-clicking on the “NPS (local)” item in the console. This will allow NPS to query AD when an authentication request comes in.

5. Next, create a “Connection Request Policy”. This is the step that is new to the process, and was not required before Server 2008. In earlier versions this was part of the remote access policy (as the network policy was then called). The connection request policy doesn’t need to be anything complex. The first step is to set the network access server type to “Unspecified”.

Next, add at least one condition to the policy. I usually use the “day and time restrictions”, and then set it to ‘permitted’ 24×7. Obviously, the condition(s) you choose should conform to your company’s security policy, so you may need something different here.

Finally, on the Settings tab, under Authentication, choose the radio button for “Authenticate requests on this server”.

6. Create a Network Policy, formerly known as a remote access policy in previous versions of Windows Server. On the Overview tab, configure the policy to use the network access server type of “Unspecified”. In addition, set the access permission setting to “Grant Access”.

On the Conditions tab, add at least one condition. Typically, this will be the Windows Group that is allowed to log in to the network devices. As I said before, you may need to use different conditions than I show here due to your company security policy.

On the Constraints tab, the only change you should need to make is to enable the authentication method of “Unencrypted authentication (PAP, SPAP)”.

Lastly, on the Settings tab, under Encryption, make sure that the “No Encryption” option is enabled.

7. Point your network device(s) at this server for authentication. The method for doing this varies depending on the make and model of your device. With recent IOS images on Cisco switches, the commands will look something like this.

    ! enable the AAA subsystem
    aaa new-model
    ! use one session ID for all accounting records of a session
    aaa session-id common
    ! try the RADIUS server group first, fall back to local users if it is unreachable
    aaa authentication login default group radius local
    ! the NPS server, standard ports, and the shared secret from step 3
    radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key putyoursecretkeyhere

8.  Finally, test it!

6 Replies to “Network Policy Server and Cisco RADIUS Authentication”

  1. Thank you for the great and easy to follow tutorial. Everything works as instructed above. However, I am a bit concerned about “Unencrypted authentication (PAP, SPAP)” as well as the “No Encryption” parts. Your comments on this will be appreciated. Thank you. Imran

    1. If the radius communication is occurring only over your internal, switched network, and physical and management access to your network equipment is secure, the risk of using unencrypted authentication is minimal.

  2. Also, if you want to set up a password for enable on your Cisco with the line:

    “aaa authentication enable default group radius enable”

    Then you need to create a Domain Admin named “$enab15$” (remove the quotes!). The RADIUS server will check for this user if you have the enable password set to RADIUS. By creating this user, the enable password basically becomes this user’s password.

  3. If you choose a long RADIUS key (I’ve seen recommendations of 22+ random ASCII characters) and make it unique for each device, you should be ok.
