When administering large networks, system administrators often run into authentication problems on the network devices. In particular, it is hard to give several network administrators individual accounts on a large amount of equipment, because the local account database on every device has to be maintained and kept up to date. The logical solution is to use the existing Active Directory account database for authentication. In this article we’ll consider how to configure domain (Active Directory) authentication on active network devices (switches, routers).
Some network equipment by popular vendors (Cisco, HP, Huawei) doesn’t support direct access to an LDAP directory, so such a solution would not be universal. The AAA (Authentication, Authorization and Accounting) protocol that has become the de facto standard for network equipment, RADIUS, is suitable for our task. An AAA client (a network device) sends the credentials of the user to be authenticated to the RADIUS server and grants or denies access based on the server’s response.
In Windows Server 2012 R2, the Remote Authentication Dial In User Service (RADIUS) protocol is provided by the NPS (Network Policy Server) role. In the first part of this article we’ll install and configure the Network Policy Server role, and in the second part we’ll demonstrate typical configurations of network devices with RADIUS support, using HP ProCurve switches and Cisco equipment as examples.
How to Install and Configure the Network Policy Server Role
It is recommended to install the NPS role on a dedicated server (installing this role on a domain controller is not recommended). In this example, we’ll install the NPS role on a server running Windows Server 2012 R2.
Open the Server Manager console and install the Network Policy Server role (it is located in Network Policy and Access Services section).
After the installation is over, open the Network Policy Server MMC console. We need the following three sections:
- RADIUS Clients contains the list of devices that are allowed to authenticate against the server
- Connection Request Policies defines which types of devices can request authentication
- Network Policies contains the authentication rules
Let’s add a new RADIUS client (in our case an HP ProCurve Switch 5400zl) by right-clicking the RADIUS Clients section and selecting New. Specify:
- Friendly Name: sw-HP-5400-l
- Address (IP or DNS): 10.10.1.2
- Shared secret (a password/secret key): the password can be entered manually (it has to be strong enough) or generated with the Generate button (copy the generated password, since you will have to enter it on the network device).
Disable the standard policy (Use Windows authentication for all users) in the Connection Request Policies section by right-clicking it and selecting Disable.
Create a new policy named Network-Switches-AAA and click Next. In the Conditions section add a new condition: find RADIUS Client Properties and select Client Friendly Name.
Specify the value sw-?, i.e., this condition will apply to all RADIUS clients whose friendly name starts with "sw-". Click Next -> Next -> Next to accept all the default settings.
Then, in the Network Policies section, create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group whose members are allowed to authenticate (in our example the accounts of the network administrators are in the AD group Network Admins). In the second condition, Authentication Type, select PAP as the authentication protocol.
Then, in the Configure Authentication Methods window, uncheck all authentication types except Unencrypted authentication (PAP, SPAP).
In the Configure Settings window, change the value of the Service-Type attribute to Administrative.
Accept the default settings for everything else and close the wizard.
And finally, move the new policy to the first place in the list of policies.
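To make concrete what the PAP policy and the Service-Type = Administrative setting above mean on the wire, here is an added Python example (not code from the original article, Microsoft or HP) that builds the Access-Request a switch sends, shows how the User-Password attribute is obfuscated with only the shared secret, and verifies the Access-Accept the way the switch does. The user name, password and request authenticator are constructed sample values; the secret reuses the YOUR_SECRET_KEY placeholder from the device configurations.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2              # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6  # attribute types used here
ADMINISTRATIVE = 6                                 # Service-Type value the NPS policy returns

def attr(kind, value):                             # one Type-Length-Value attribute
    return bytes([kind, len(value) + 2]) + value

def pap_chain(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()  # only the shared secret hides the password
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext block
        out += block
    return out

def pap_password(secret, authenticator, password):
    """User-Password value: pad to a multiple of 16 (minimum 16) and obfuscate."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return pap_chain(secret, authenticator, padded)

def access_request(secret, user, password, ident=1, authenticator=None):
    """What the switch sends when an admin logs in; authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def access_accept(secret, request):
    """NPS side: Access-Accept with Service-Type=Administrative; authenticator = MD5(hdr+reqauth+attrs+secret)."""
    attrs = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_reply(secret, request, reply):
    """Switch side: drop replies whose identifier or authenticator does not match our own
    request and secret (forged or mis-keyed server), then read Service-Type."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if header[1] != request[1] or resp_auth != expected:
        return None
    i, service_type = 0, None
    while i < len(attrs):                          # walk the TLV attribute list
        kind, length = attrs[i], attrs[i + 1]
        if kind == SERVICE_TYPE:
            service_type = struct.unpack("!I", attrs[i + 2:i + length])[0]
        i += length
    return {"code": header[0], "service_type": service_type}
```

Because the password is recovered with nothing more than the shared secret and the request authenticator, a weak or reused secret exposes every administrator password that crosses the network, which is why the shared secret chosen above has to be strong.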
How to Configure the Network Devices to Work with the RADIUS Server
It remains to configure our network equipment to work with the RADIUS server. Connect to the HP ProCurve Switch 5400 and make the following changes to its configuration (replace the IP address of the RADIUS server and the shared secret with your own).
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode
radius-server key YOUR_SECRET_KEY
radius-server host 10.10.1.14 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
radius-server host 10.10.1.14 auth-port 1645
radius-server host 10.10.1.14 acct-port 1646
Without closing the current switch session (this is important: if something goes wrong, you won’t be able to connect to your switch), start a new telnet session. A new login prompt should appear, asking for the account name and password. Enter your AD account credentials (the account has to be in the Network Admins group). If the connection is established, you have done everything right!
The configuration of a Cisco switch that uses domain accounts for authentication and authorization can look like this:
aaa new-model
radius-server host 10.10.1.14 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface Vlan421
line con 0
 login authentication default
line vty 0 4
 login authentication default
line vty 5 15
 login authentication default
For Cisco ASA, the configuration is as follows:
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.10.1.14
 key YOUR_SECRET_KEY
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL