
May 14, 2015 Active Directory

Configuring Network Devices Authentication using Active Directory

When servicing large networks, system administrators often run into authentication problems on network devices. In particular, it is hard to give several network administrators individual accounts on a large amount of equipment, because the local account database on each device has to be maintained and kept up to date. The logical solution is to use the existing Active Directory account database for authentication. In this article we’ll look at how to configure domain (Active Directory) authentication on active network devices (switches, routers).

Some network equipment by popular vendors (Cisco, HP, Huawei) doesn’t support direct access to an LDAP directory, so such a solution would not be universal. The AAA (Authentication, Authorization and Accounting) model, which has become the de facto standard for network equipment, is suitable for our task: an AAA client (a network device) sends the credentials of the user to be authenticated to a RADIUS server and, based on the server’s response, grants or denies access.

The Remote Authentication Dial In User Service (RADIUS) protocol in Windows Server 2012 R2 is included in the NPS (Network Policy Server) role. In the first part of this article we’ll install and configure the Network Policy Server role, and in the second part we’ll show typical RADIUS configurations for HP ProCurve switches and Cisco equipment.

Contents:
  • How to Install and Configure the Network Policy Server Role
  • How to Configure the Network Devices to Work with the RADIUS Server

How to Install and Configure the Network Policy Server Role

It is recommended to install the NPS role on a dedicated server (installing it on a domain controller is not recommended). In this example, we’ll install the NPS role on a server running Windows Server 2012 R2.

Open the Server Manager console and install the Network Policy Server role (it is located in the Network Policy and Access Services section).

Install Network Policy Server role on Windows Server 2012

After the installation is complete, open the Network Policy Server MMC console. We need the following three sections:

  • RADIUS Clients contains the list of devices allowed to authenticate against the server
  • Connection Request Policies defines which types of devices can request authentication
  • Network Policies contains the authentication rules

NPS console on Windows Server 2012

Let’s add a new RADIUS client (an HP ProCurve Switch 5400zl) by right-clicking the RADIUS Clients section and selecting New. Specify:

  • Friendly Name: sw-HP-5400-l
  • Address (IP or DNS): 10.10.1.2
  • Shared secret (a password/secret key): the secret can be entered manually (it has to be strong enough) or generated with the button in the dialog (copy the generated secret, since you will have to enter it on the network device).

New RADIUS client

Disable the standard policy (Use Windows authentication for all users) in the Connection Request Policies section by right-clicking it and selecting Disable.

Create a new policy named Network-Switches-AAA and click Next. In the Conditions section add a new condition: find RADIUS Client Properties and select Client Friendly Name.

Client Friendly Name - NPS policy

Specify the value sw-?, i.e., this condition will apply to all RADIUS clients whose friendly name starts with “sw-”. Click Next -> Next -> Next to accept all the default settings.

Then, in the Network Policies section, create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group whose members are allowed to authenticate (in our example the network administrators’ accounts are in the AD group Network Admins). In the second condition, Authentication Type, select PAP as the authentication protocol.

Authentication Type - PAP

Then, in the Configure Authentication Methods window, uncheck all authentication types except Unencrypted authentication (PAP, SPAP).

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Configure network policy settings

Accept the default settings in the remaining steps and close the wizard.

Finally, move the new policy to the top of the policy list.

Network policies priority

How to Configure the Network Devices to Work with the RADIUS Server

It remains to configure our network equipment to work with the RADIUS server. Connect to the HP ProCurve Switch 5400 and make the following changes to its configuration (replace the RADIUS server IP address and the secret with your own; the secret must be exactly the one entered for this RADIUS client in NPS).
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode
radius-server key YOUR_SECRET_KEY
radius-server host 10.10.1.14 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY

Tip. If for security reasons you have disabled Telnet access to the network equipment, remove these lines from the configuration:
aaa authentication telnet login radius local
aaa authentication telnet enable radius local

Without closing the current switch session (this is important: if something goes wrong, you won’t be able to reconnect to the switch), start a new telnet session. A new authentication prompt should appear asking for a user name and password. Enter your AD account credentials (the account has to be a member of the Network Admins group). If the connection is established, you have done everything right.

HP ProCurve aaa config

The configuration of a Cisco switch that uses domain accounts for authentication and authorization can look like this:

Note. Depending on the model of the Cisco network equipment and the IOS version, the configuration can differ slightly.

aaa new-model
radius-server host 10.10.1.14 auth-port 1645 acct-port 1646 key YOUR_SECRET_KEY
aaa authentication login default group radius local
aaa authorization exec default group radius local
ip radius source-interface Vlan421
line con 0
line vty 0 4
line vty 5 15

Note. This authentication configuration tries the RADIUS server first and, if it isn’t available, falls back to the local accounts.

For Cisco ASA, the configuration is as follows:
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.10.1.14 key YOUR_SECRET_KEY
radius-common-pw YOUR_SECRET_KEY
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

Tip. If it doesn’t work, check the following:

  • the shared secrets on the NPS server and the switch are the same (for testing, a simple secret can be used)
  • the right NPS server address is specified in the switch configuration (is the server reachable by ping?)
  • whether firewalls block UDP ports 1645 and 1646 between the switch and the server
  • the NPS server logs
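The RADIUS exchange that the switch and NPS perform for the PAP policy above, as an added example that is not part of the original article: the client builds an Access-Request (User-Name, RFC 2865 hidden User-Password, Service-Type Administrative), the server recovers the password with its own copy of the shared secret and signs the reply, and the client checks the Response Authenticator. The secret, user database and function names are assumptions; the mismatched-secret case shows why the first troubleshooting tip matters.

```python
import hashlib
import os
import struct
# RADIUS codes and attribute types from RFC 2865; Service-Type value 6 = Administrative-User
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, ADMINISTRATIVE_USER = 1, 2, 4, 6, 6

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_transform(secret, authenticator, data, hide):
    """User-Password hiding: 16-byte chunks XORed with MD5(secret + previous cipher chunk); keyed obfuscation, not link encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = out[-16:] if hide else chunk
    return out

def build_access_request(secret, ident, user, password, nas_ip, authenticator=None):
    """What the switch (RADIUS client) sends to NPS for a PAP login; the authenticator is random per request."""
    ra = authenticator or os.urandom(16)
    pw = password.encode()
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_transform(secret, ra, pw + b"\x00" * (-len(pw) % 16), True))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def server_respond(secret, request, users):
    """NPS side (simplified, constructed user table): recover the PAP password with its own secret, check it, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs = request[4:20], parse_attrs(request[20:length])
    pw = pap_transform(secret, ra, attrs[USER_PASSWORD], False).rstrip(b"\x00").decode("utf-8", "replace")
    ok = users.get(attrs[USER_NAME].decode()) == pw
    reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
    return header + hashlib.md5(header + ra + reply_attrs + secret).digest() + reply_attrs

def client_verify(secret, request, response):
    """Switch side: a reply signed with a different secret fails this check and is discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Only the password attribute is hidden, and only with an MD5 keystream derived from the shared secret, which is why the secret must be strong and the path between switch and NPS should be a trusted management network.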

2 comments

James June 2, 2016 - 1:05 pm

By selecting Unencrypted authentication (PAP, SPAP) methods, does that mean the traffic between the RADIUS server and switch/router is not encrypted? Can you explain what kind of encryption is between the RADIUS server and switch/router?

Reply
Bill October 2, 2019 - 11:37 pm

Article seems to have little relevance to LDAP auth of network equipment. Change the title.

Reply
