
Learning Plan 3


We will authenticate administrative users using the Authentication, Authorization, and Accounting (AAA) framework. Authentication will first be attempted remotely against a RADIUS service running in Network Policy Server (NPS) on Windows Server 2012 R2. The router's local user database will serve as a backup for the case where the RADIUS server cannot be reached.

These steps will guide you through the installation and configuration of NPS and RADIUS.


Overview of the RADIUS Technology

Configuring Cisco devices to authenticate management users via RADIUS is a good way to keep a single, centralized user base. A popular but more costly alternative for centralized user management is Cisco's own Access Control Server (ACS).

Once a RADIUS service is configured, what each user is allowed to do on the router, if anything, is decided centrally by the policies on the RADIUS server rather than by accounts kept on each device.

Our management users will come from Active Directory, which NPS queries for accounts and group membership. In most institutions the users already exist there, so reusing them makes a lot of sense.

RADIUS is an acronym: it stands for "Remote Authentication Dial-In User Service".


First step, create two Security Groups.

Create an organizational unit (OU) called Cisco Device Security. Within that OU, create two security groups, one called Network Engineers and the other Network Support Technicians.

Click on this link to view this process if you wish: Create OUs.

Users who are members of Network Engineers will receive full privilege level 15 on the Cisco CLI once they authenticate successfully through RADIUS. Network Support Technicians will be placed at privilege level 1 (user EXEC mode), where they can run basic show commands but cannot enter configuration mode. For test purposes, add one user of your choice to the Network Engineers group and one to the Network Support Technicians group. See image below:

Don't limit yourself to the names I chose; both the OU and the groups can be named whatever you want.

Install Network Policy Server (NPS) and Register it with Active Directory.

From Server Manager, add the Network Policy and Access Services role and the Network Policy Server (NPS) role service and features shown in the image below.

For NPS (and therefore RADIUS) to read user accounts and group memberships from Active Directory, the NPS server must be registered in Active Directory; registration adds the server's computer account to the RAS and IAS Servers group. Therefore, once NPS is installed, register it with Active Directory. See image below.

Configure Network Policy Server (NPS) to Support Use of RADIUS by a Cisco Device.

Now configure NPS to support the use of RADIUS AAA from a Cisco router or switch. Click on this link: Remaining NPS Steps

Please note that the above video only demonstrates the configuration of the Network Engineers group. You will also need to configure the Network Support Technicians group. It is set up in a similar fashion, but it gets a different attribute value for the user's login settings. As you recall, the Network Engineers policy was given a Cisco-AV-Pair attribute (Cisco vendor-specific attribute 1, vendor code 9) with the value shell:priv-lvl=15; for the Network Support Technicians it should be shell:priv-lvl=1, which puts members of that group into read-only user EXEC mode. Watch the spelling: the attribute name is priv-lvl, and the router ignores an attribute it does not recognize, which leaves the user at level 1. Also, when you specify the friendly name of the RADIUS client (your router) in NPS, make it match the spelling and case of your router's hostname: if your router's hostname is cmp20-r1 (lower case), the friendly name should be the same. NPS identifies the client by the source IP address of its RADIUS requests and by the shared secret, so the address you enter must be the one the router sends from. Finally, if you use a different client secret (referred to as the shared secret) when configuring the RADIUS client in NPS, be sure to use that same secret when defining your RADIUS server on the router.

Configure Your R1 Router to Use the RADIUS Service.

Please configure your router using the following configuration:
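The course's own configuration block is not reproduced on this page. What follows is an added example of a working configuration, written for this page and not taken from the course material, in Cisco IOS 15.x syntax. The hostname cmp20-r1 comes from the text above; the NPS server address 192.0.2.10, the interface name, the domain name, the local fallback account and every value in angle brackets are assumed placeholders to replace with your own. The verification commands at the end correspond to the test step that follows.

```cisco
! Added example configuration (not the course's own). Replace <...> values.
hostname cmp20-r1
ip domain-name example.local
!
! Local fallback account: used only when no RADIUS server answers
username localadmin privilege 15 secret <strong-password>
enable secret <strong-enable-password>
!
aaa new-model
!
! Define the NPS server (IOS 15.2+ syntax; older IOS uses "radius-server host")
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-entered-in-NPS>
!
aaa group server radius NPS
 server name NPS1
!
! Send RADIUS packets from one fixed address: this must be the client
! address configured in NPS, or NPS silently discards the request
ip radius source-interface GigabitEthernet0/0
!
! Authentication: ask NPS first, fall back to the local database
aaa authentication login default group NPS local
!
! Exec authorization is what makes the router honour Cisco-AV-Pair
! shell:priv-lvl=N; without it every RADIUS user lands at level 1
aaa authorization exec default group NPS local
!
! Optional accounting (NPS must be configured to accept it)
aaa accounting exec default start-stop group NPS
!
! SSH only for management; no telnet
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
!
! Verification from enable mode, before leaving your console session:
!   test aaa group NPS <ad-username> <ad-password> new-code
! then SSH in as each test user and run:
!   show privilege
! which reports "Current privilege level is 15" for a Network Engineer
! and "Current privilege level is 1" for a Network Support Technician.
```

Two points are worth checking before you sign off. First, the "local" keyword in the default lists is reached only when no server in group NPS responds; a rejection from NPS is final and does not fall through to the local account, so keep a console session open while testing. Second, if test aaa succeeds but show privilege still reports level 1 for an engineer, the cause is almost always a missing aaa authorization exec line or a misspelled shell:priv-lvl value in the NPS network policy.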

Test by connecting to your router over SSH and logging in as both a Network Engineer and a Network Support Technician. After logging on, run the command show privilege. It should report privilege level 15 for the network engineer and 1 for the support technician.

Signoff required at this point.