Having your Cisco devices authenticate and authorise via RADIUS greatly simplifies the management of your users. The problem is: if the RADIUS server fails, how do you access your Cisco devices? The solution is to have authentication and authorisation fall back to the device's local user database when the RADIUS server becomes unresponsive.
This is a simple config for your Cisco devices that enables authentication and authorisation via RADIUS first, and via the local database if RADIUS becomes unavailable.
Example:
username <username> privilege <1-15> password <password>
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization console
line vty 0 15
login authentication default
authorization exec default
Fringe Network
A place to put my findings for all things Cisco
Sunday, 29 April 2012
Cisco Authorisation via 2008 NPS (Radius)
Cisco Authentication Via 2008 NPS Server
Authenticating AD users for access to Cisco equipment
Basic NPS setup
Create an entry in 'RADIUS Clients', located under 'RADIUS Clients and Servers'.
Create an entry in 'Connection Request Policies' under 'Policies'.
Create an entry in 'Network Policies'.
These three entries are required and need to be configured correctly for authentication to work.
'RADIUS Clients' entry configuration
Right click on 'RADIUS Clients' and select 'New'
In the 'Settings' tab of the 'New RADIUS Client' window enter the following
Under 'Friendly name:' enter a description
Under 'Address (IP or DNS):' enter the IP address or domain name of the device authenticating against RADIUS
Under 'Shared secret:' enter the shared secret used by both the RADIUS server and the device authenticating against RADIUS
In the 'Advanced' tab of the 'New RADIUS Client' window enter the following
Under 'Vendor Name' select 'RADIUS Standard' from the drop down list.
Connection Request Policies
Right Click on 'Connection Request Policies' and select 'New'
Under 'Policy name:' enter a name for the policy then select 'Next'
Enter one or more conditions by selecting 'Add'. Keep the conditions simple here, as more granular conditions will be set under 'Network Policies'. Select 'Next'
Select 'Next'
Select 'Next'
Select 'Next'
Select 'Finish'
Network Policies
Right click on 'Network Policies' and select 'New'
Under 'Policy name:' enter a name for the policy then select 'Next'
Enter one or more conditions by selecting 'Add', then select 'Next' when finished
Select 'Access granted' and select 'Next'
Select 'Unencrypted authentication (PAP, SPAP)' and deselect everything else
Select 'Next'
Select 'Standard' and then remove all attributes
Select 'Vendor Specific' and select 'Add'
Select 'Cisco-AV-Pair' and select 'Add'
Select 'Add' and enter 'shell:priv-lvl=6', where 6 is the privilege level to grant
Select 'OK' and then, 'Close' and then 'Next'
Select 'Finish' to complete the setup
Event Log on NPS to Help Diagnose Issues
Windows Logs/ Security
Task category: Network Policy Server
Audit Failure
Event 6278
This indicates a successful authentication.
-----------------------------------------
Windows Logs/ Security
Task category: Network Policy Server
Audit Failure
Event 6273
This will give information about the reason for failed authentications.
-----------------------------------------
Windows Logs/ Security
Task category:Logon
Audit failure
Event 4625
This shows that the user credentials did not match, and it will appear together with Event 6273.
-----------------------------------------
Windows Logs/ Security
Task category: Network Policy Server
Audit Failure
Event 6274
This will give information about the reason for failed authentications.
-----------------------------------------
Cisco IOS Configuration
IOS Configuration
conf t
aaa new-model
enables AAA
aaa authorization console
applies authorization to the console
aaa authentication login <name1> group radius
defines this authentication as list name1 against the radius server
aaa authentication login <name2> local
defines this authentication as list name2 against the local database
aaa authorization exec <name3> group radius
defines this authorization in exec mode as list name3 against the radius server
aaa authorization exec <name4> local
defines this authorization in exec mode as list name4 against the local database
radius-server host <radius ip address> key <preshared key/ secret key>
defines the radius server IP and the secret key
ip radius source-interface <interface, e.g. Vlan10>
defines the interface (typically the SVI of the VLAN the radius server is reached through) whose address is used as the source of radius packets
line con 0
login authentication <name2>
authentication via list name2, which is local
authorization exec <name4>
authorization from list name4
line vty 0 15
login authentication <name1>
authentication via list name1, which is radius
authorization exec <name3>
authorization from list name3
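As an added example (not code from the post), a small Python check for the fallback requirement described in the first post, run against method-list configs in the style shown above: it parses the aaa login/exec lists, finds which ones the vty lines apply, and flags any that use RADIUS with no local method after it. Both sample configs are constructed; the second mirrors the name1/name3 lists above, which have no local fallback.

```python
import re
# Constructed sample configs (not from a real device): the first is the fallback
# config from the first post, the second applies RADIUS-only lists to the vty lines.
CONFIG_WITH_FALLBACK = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
line vty 0 15
 login authentication default
 authorization exec default
"""
CONFIG_NO_FALLBACK = """\
aaa new-model
aaa authentication login name1 group radius
aaa authorization exec name3 group radius
line vty 0 15
 login authentication name1
 authorization exec name3
"""
AAA_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
VTY_RE = re.compile(r"(login authentication|authorization exec) (\S+)")
# A method after 'group radius' that still answers when every RADIUS server is down.
FALLBACK_RE = re.compile(r"\bgroup radius\b.*\b(local|local-case|enable|line)\b")

def parse(config):
    """Return ({(kind, list_name): methods}, {kind: list_name applied on vty})."""
    lists, refs, in_vty = {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_RE.match(line):
            lists[("login" if "login" in m[1] else "exec", m[2])] = m[3]
        elif line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif in_vty and (m := VTY_RE.match(line)):
            refs["login" if "login" in m[1] else "exec"] = m[2]
    return lists, refs

def check_fallback(config):
    """Return findings; an empty list means vty access survives a RADIUS outage."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    lists, refs = parse(config)
    for kind, name in refs.items():
        methods = lists.get((kind, name))
        if methods is None:
            findings.append(f"vty {kind} references undefined list '{name}'")
        elif "group radius" in methods and not FALLBACK_RE.search(methods):
            findings.append(f"{kind} list '{name}' has no local fallback after RADIUS")
    return findings
```

Running it over a device's `show running-config` output before pushing a RADIUS change is the cheap way to confirm you will not be locked out when the NPS server is unreachable.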