Posted on May 14, 2015 · Posted in Active Directory

Configuring Network Devices Authentication using Active Directory

When servicing large networks, system administrators often face authentication problems on network devices. In particular, it is hard to let several network administrators work under individual accounts on a large amount of equipment, because the database of local accounts has to be maintained and kept up to date on every device. The logical solution is to use the existing Active Directory account database for authentication. In this article we’ll consider how to configure domain (Active Directory) authentication on active network devices (switches, routers).

Some network equipment by popular vendors (Cisco, HP, Huawei) doesn’t support direct LDAP queries, so that approach would not be universal. The AAA (Authentication, Authorization and Accounting) model, which has become a de facto standard for network equipment, suits our task: an AAA client (the network device) sends the credentials of the user to be authenticated to a RADIUS server and grants or denies access based on the server’s response.

The Remote Authentication Dial In User Service (RADIUS) protocol is provided in Windows Server 2012 R2 by the NPS (Network Policy Server) role. In the first part of this article we’ll install and configure the Network Policy Server role, and in the second part we’ll show typical RADIUS configurations for HP ProCurve switches and Cisco equipment.

How to Install and Configure the Network Policy Server Role

It is recommended to install the NPS role on a dedicated server (installing this role on a domain controller is not recommended). In this example, we’ll install the NPS role on a server running Windows Server 2012 R2.

Open the Server Manager console and install the Network Policy Server role (it is located in the Network Policy and Access Services section).

Install Network Policy Server role on Windows Server 2012

After the installation is complete, open the MMC console to manage Network Policy Server. We need the following three sections:

  • RADIUS Clients contains the list of devices allowed to authenticate against the server
  • Connection Request Policies defines which types of devices can be authenticated
  • Network Policies contains the authentication rules

NPS console on Windows Server 2012

Let’s add a new RADIUS client (in our example, an HP ProCurve 5400zl switch) by right-clicking the RADIUS Clients section and selecting New. Specify:

  • Friendly Name: sw-HP-5400-l
  • Address (IP or DNS): the address of the switch
  • Shared secret (a password/secret key): the password can be entered manually (it has to be strong enough) or generated using the button provided (copy the generated password, since you will have to enter it on the network device).

New RADIUS client

Disable the standard policy (Use Windows authentication for all users) in the Connection Request Policies section by right-clicking it and selecting Disable.

Create a new policy named Network-Switches-AAA and click Next. In the Conditions section add a new condition: under RADIUS Client Properties select Client Friendly Name.

Client Friendly Name - NPS policy

Specify the value sw-?, i.e. this condition will apply to all RADIUS clients whose friendly name starts with ”sw-“. Click Next -> Next -> Next to accept all default settings.

Then, in the Network Policies section, create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: the first, Windows Groups, specifies the domain group whose members are allowed to authenticate (in our example the network administrators’ accounts are in the AD group Network Admins). The second, Authentication Type, selects PAP as the authentication protocol.

Authentication Type - PAP

Then, in the Configure Authentication Methods window, uncheck all authentication methods except Unencrypted authentication (PAP, SPAP).

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Configure network policy settings

Accept the default settings in the remaining steps and close the wizard.

Finally, move the new policy to the top of the policy list.

Network policies priority

How to Configure the Network Devices to Work with the RADIUS Server

It remains to configure our network equipment to work with the RADIUS server. Connect to the HP ProCurve 5400 switch and make the following changes to its configuration (replace the placeholder <NPS_SERVER_IP> with the IP address of your RADIUS server and YOUR_SECRET_KEY with the shared secret you entered in NPS).
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode
radius-server key YOUR_SECRET_KEY
radius-server host <NPS_SERVER_IP> auth-port 1645 acct-port 1646

Tip. If for security reasons you have disabled telnet access to the network equipment, remove these lines from the configuration above:
aaa authentication telnet login radius local
aaa authentication telnet enable radius local

Without closing the current switch session (this is important: if something goes wrong, you won’t be able to connect to the switch again), start a new telnet session. A new authentication prompt should appear, where you have to enter the account name and the password. Try your AD account (it has to be a member of the Network Admins group). If the connection is established, you have done everything right!

HP ProCurve aaa config

The configuration of a Cisco switch that uses domain accounts for authentication and authorization can look like this (replace the placeholder <NPS_SERVER_IP> with the address of your RADIUS server):

Note. Depending on the model of Cisco network equipment and the IOS version, the configuration can be a bit different.

aaa new-model
radius-server host <NPS_SERVER_IP> auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface Vlan421
line con 0
line vty 0 4
line vty 5 15

Note. This authentication configuration tries the RADIUS server first; if it isn’t available, the local accounts are used.

For Cisco ASA, the configuration is as follows (again, <NPS_SERVER_IP> is a placeholder for your RADIUS server address):
aaa-server RADIUS protocol radius
aaa-server RADIUS host <NPS_SERVER_IP>
 key YOUR_SECRET_KEY
 radius-common-pw YOUR_SECRET_KEY
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

Tip. If it doesn’t work, check the following:

  • the shared secrets on the NPS server and on the switch are the same (a simple password can be used temporarily to test this)
  • the correct NPS server address is specified in the switch configuration, and the server is reachable (can it be pinged?)
  • no firewall blocks ports 1645 and 1646 between the switch and the server
  • the NPS server logs, which record why a request was rejected
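The following is an added example, not code from the article or from Microsoft, HP or Cisco. It simulates, in-process, the RADIUS/PAP exchange (RFC 2865) that the configuration above produces: the switch (NAS) hides the password with the shared secret, the server looks the client up by source address, applies the friendly-name condition (sw-), checks the password and the Network Admins group, and answers with Service-Type = Administrative; the switch then validates the Response Authenticator. It also reproduces two of the failure modes from the tip: a shared-secret mismatch (the reply cannot be validated, so the switch falls through to its local accounts) and an unknown client address (no reply at all, seen on the switch as a timeout). All addresses, names, secrets and users in it are constructed.

```python
"""Added example, not code from the article or from Microsoft, HP or Cisco: a
minimal RFC 2865 RADIUS/PAP exchange with the switch (NAS) side and the server
side simulated in-process. Every address, name, secret and user is constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 6, 32   # attribute types
SERVICE_TYPE_ADMINISTRATIVE = struct.pack("!I", 6)                      # value set in the NPS policy

# Constructed server-side data: RADIUS clients keyed by source IP -> (friendly name, secret),
# and a stand-in for the AD group membership check: user -> (password, groups).
CLIENTS = {"10.10.0.5": ("sw-HP-5400-l", b"YOUR_SECRET_KEY")}
USERS = {"netadmin": ("P@ssw0rd!", {"Network Admins"}),
         "helpdesk": ("Summer2015", {"Domain Users"})}
ADMIN_GROUP = "Network Admins"

def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block of the zero-padded password with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, req_auth):
    """Inverse of pap_hide; this is keyed obfuscation, not encryption: any secret holder recovers it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to the request and the secret."""
    body = pack_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def nas_access_request(user, password, secret, nas_id, ident=1):
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password, secret, req_auth)),
             (NAS_IDENTIFIER, nas_id.encode())]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(pkt, src_ip):
    """Server side: unknown clients or a friendly name outside the 'sw-' policy get no reply (silent discard)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or src_ip not in CLIENTS:
        return None
    friendly, secret = CLIENTS[src_ip]
    if not friendly.startswith("sw-"):
        return None
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = pap_reveal(a.get(USER_PASSWORD, b""), secret, req_auth)
    pw, groups = USERS.get(user, ("", set()))
    if pw and password == pw.encode() and ADMIN_GROUP in groups:    # the network policy
        code, reply_attrs = ACCESS_ACCEPT, [(SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE)]
    else:
        code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)

def nas_check_reply(reply, req_auth, secret):
    code, ident, resp_auth, attrs = parse_packet(reply)
    if response_authenticator(code, ident, req_auth, attrs, secret) != resp_auth:
        return "invalid"      # secret mismatch or forged reply: a real NAS drops it
    if code != ACCESS_ACCEPT:
        return "reject"
    return "admin" if dict(attrs).get(SERVICE_TYPE) == SERVICE_TYPE_ADMINISTRATIVE else "accept"

def simulate(user, password, nas_secret, src_ip="10.10.0.5"):
    """One login attempt from the switch; returns the outcome the switch observes."""
    pkt, req_auth = nas_access_request(user, password, nas_secret, "sw-HP-5400-l")
    reply = server_handle(pkt, src_ip)
    if reply is None:
        return "timeout"      # the switch then falls through to 'local' in its AAA method list
    return nas_check_reply(reply, req_auth, nas_secret)
```

Calling simulate("netadmin", "P@ssw0rd!", b"YOUR_SECRET_KEY") returns "admin", the same user with the NAS configured with b"wrong-secret" returns "invalid", and a request from an address not registered as a RADIUS client returns "timeout". Two practical points follow from pap_hide: the User-Password attribute is only XOR-masked with an MD5 keystream derived from the shared secret, so the path between the switch and NPS should be a trusted management network and the secret should be long and random (the article’s "strong enough"); and a wrong secret does not produce an explicit error on the switch, only unverifiable replies, which is why the tip suggests testing with a simple secret first. Note also that NPS listens by default on both the legacy ports 1645/1646 used above and the standard RADIUS ports 1812/1813.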
