Using Active Directory for Radius Authentication
March 31, 2011
When I started at my current job about 12 months ago, there was no means of centralized authentication. All the equipment used generic logins, and every device was different, so you needed a spreadsheet of logins just to do the simplest of tasks!
My initial idea was to deploy a TACACS+ server, but no one wanted to spend on Cisco's ACS and I couldn't find a decent free one, so I looked at using RADIUS with Active Directory.
It turns out it’s actually quite easy to set up and administer!
Firstly, if you have more than 50 devices, you will need Windows Server Enterprise or Datacentre (2k3 or 2k8), or several servers, because Server Standard only supports 50 RADIUS clients.
To start with you need to install the RADIUS service on Windows. In 2003 this is called IAS (Internet Authentication Service); in 2008 it is called NPS (Network Policy Server), and the Remote Access Policies described below are called Network Policies there. I'm not going to go over the install here as it's quite simple, but follow the links below for more info:
2003 – http://technet.microsoft.com/en-us/library/cc781690%28WS.10%29.aspx
2008 – http://technet.microsoft.com/en-us/library/cc725922%28WS.10%29.aspx
Next you need to set up the RADIUS policy. At the moment I have only done this in 2003 as this is what I had when I set it up; I intend to move it over to 2008 once our Windows team have built the server for me, but I believe the process is pretty similar.
First step: open up the IAS MMC, right-click on the Remote Access Policies branch and select "New Remote Access Policy" to start the wizard.
Select "Set up a custom policy", give it a name, and press Next.
Next you will need to set the "Policy Conditions", which define which users can access the devices. We are going to use an Active Directory group to grant access, so only members of this group will be allowed to log in. Click Add and look for "Windows-Groups" (usually the last on the list). From here you can choose your group; it can be a local group on the server or an Active Directory group. Keep membership of this group tightly controlled: being in it is now equivalent to holding the enable password on every device that uses the policy.
At the next window you define whether this policy grants or denies access. The default is Deny, so make sure you change it to Grant! Next you will be asked to edit the Profile; this is where the magic happens. There are several changes you need to make in order for RADIUS logins to work.
1) Select the Authentication tab, tick "Unencrypted authentication (PAP, SPAP)" and untick everything else. (Cisco only seems to support PAP; if anyone has a way to make it support CHAP, please let me know!!) Note what PAP means here: the password leaves the switch or router protected only by the RADIUS shared secret (an MD5 keystream derived from the secret and the request authenticator), so use a long random secret and keep RADIUS traffic on a management network. CHAP would not buy much with Active Directory anyway, since IAS can only validate CHAP for accounts whose passwords are stored with reversible encryption.
2) Go to the Advanced tab and remove the two attributes that are there by default (Service-Type = Framed and Framed-Protocol = PPP). Now click "Add" and select "Vendor-Specific" from the list, then click "Add" again on the window that pops up (this should be the "Multivalued Attribute Information" window). Select "Cisco" from the drop-down list and select "Yes, it conforms".
Now click "Configure Attribute", change the vendor-assigned attribute number to 1, leave the format as String and enter the following as the value (exactly as shown):
shell:priv-lvl=15
If you want to assign a different privilege level to someone, you can do it here (i.e. several policies, each matching a different AD group and assigning a different privilege level; put the most privileged policy first, as IAS evaluates policies in order and uses the first match). OK everything until you get back to the "Add Attribute" window, then click Add to add your Vendor-Specific attribute. The window won't close, but it does add it. You now need to add another attribute, "Service-Type": change the attribute value to "Login", click OK, click Add and then Close. The Advanced tab should now list just the Service-Type and Vendor-Specific attributes.
And that is your policy done!
Now it's time to add a client to IAS and configure the Cisco device.
1) Add a client to your RADIUS server. In the IAS MMC, right-click on the "RADIUS Clients" branch and choose "New RADIUS Client". Enter the display name and IP address of the device and click Next. Change the vendor to "Cisco" and enter your shared secret (keep a note of this for later). Make the secret long and random, and use a different one per client if you can: it is the only thing hiding the PAP password and the only thing that authenticates the server's reply to the device.
2) Configure the Cisco Device.
First, you need to configure the device to use AAA by entering the command
aaa new-model
Then you need to configure the AAA method lists. There are three parts to AAA:
Authentication – who is allowed to log in
Authorization – what you are allowed to do once you have logged in
Accounting – what you did once you were logged in
We are only going to be concerned with the first two A's, Authentication and Authorization. Enter the following commands:
aaa authentication login default local group radius
aaa authorization exec default local group radius
This creates an authentication method list and an exec authorization list, both called "default". You can name them what you want, but if you use default you don't need to modify anything else, because the default lists apply to every line, including the console.
The list defines which sources the router uses to authenticate you, and in which order: here local usernames first, then the RADIUS server. With this order a username that exists locally is never checked against AD, and a local account given the wrong password fails outright rather than falling through to RADIUS. Most deployments use the reverse order (group radius first, then local) so that RADIUS is authoritative and the local account only works when the server cannot be reached; whichever order you choose, keep one local account as a break-glass login.
Next you need to configure the Radius Server;
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key SHAREDSECRET
The host IP is the IP of the IAS server and the key is the shared secret you entered into IAS. IAS listens on the legacy ports 1645/1646 as well as the standard 1812/1813 by default, so either pair works. The key is stored in the running configuration, so treat configuration backups as sensitive.
If your device has multiple interfaces or routes to the IAS server, you need to configure a source interface so that requests come from the IP you entered into IAS (IAS silently discards requests from addresses it does not know as RADIUS clients):
ip radius source-interface Vlan1
And that's it, you should be done! Give it a go, but test from a second session while your existing session stays open: the default lists apply to the console as well, and a typo in the policy or the secret can lock you out of the device. If the login is rejected, check the IAS event log on the server or run debug radius on the device.
The only extra is if you used your own name for the AAA lists: you then configure your VTY lines to use them (login authentication for the authentication list, and likewise authorization exec for a named exec authorization list) by typing the following:
line vty 0 15
login authentication MYLISTNAME
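To make the two halves of this set-up concrete, here is what actually crosses the wire between the Cisco device and IAS for the policy above. This is an added example written for this page, not code from the original post, Microsoft or Cisco: it builds the Access-Request the device sends (User-Name, the PAP User-Password hidden with the shared secret, NAS-IP-Address), builds the Access-Accept the profile returns (Service-Type = Login plus the Cisco vendor-specific attribute 1, cisco-avpair, carrying shell:priv-lvl=15), and then parses and verifies the reply the way the device must. It goes a little beyond the post by also recovering the password from a capture with the secret, and by checking the Response Authenticator so that a spoofed accept is rejected. The user name, password, secret and IP addresses are made-up values; the packet codes, attribute numbers and Cisco vendor ID 9 are the RFC 2865 and IANA values.

```python
# Added example: RADIUS PAP login exchange between a Cisco device and IAS.
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1   # the "Login" value picked in the IAS profile
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor attribute number 1 = cisco-avpair (the "1" typed into IAS)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    seeded with the Request Authenticator. This is all the protection PAP gets on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server (or anyone holding the secret and a capture) does to recover it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) -> Vendor-Id 9 -> vendor type 1 -> string, as IAS emits it."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def access_request(username, password, secret, nas_ip, ident=1, authenticator=None):
    """Access-Request as the device sends it; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)  # 16 fresh random bytes per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def access_accept(request_authenticator, ident, secret, priv_lvl):
    """Access-Accept as the IAS profile returns it. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) binds it to the request."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_attrs(data):
    """Walk the attribute list; Cisco VSAs are unfolded into ("cisco-avpair", text)."""
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")  # never loop on a bad packet
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            name = "cisco-avpair" if vtype == CISCO_AVPAIR else f"cisco-{vtype}"
            yield name, value[6:4 + vlen].decode()
        else:
            yield atype, value
        i += alen

def verify_accept(reply, request_authenticator, secret):
    """Recompute the Response Authenticator before trusting any attribute; without this,
    anyone able to spoof the server's address could hand out priv-lvl 15."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[0] == ACCESS_ACCEPT and reply[4:20] == expected

def privilege_level(reply):
    """Privilege level granted by shell:priv-lvl=N, or None if the accept carries none."""
    for name, value in parse_attrs(reply[20:]):
        if name == "cisco-avpair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None

if __name__ == "__main__":
    secret = b"SHAREDSECRET"  # made-up value, matching the post's example config
    request, req_auth = access_request("netadmin", "Pa55w0rd!", secret, "10.10.10.1")
    reply = access_accept(req_auth, 1, secret, 15)
    print("reply verified:", verify_accept(reply, req_auth, secret))
    print("privilege level granted:", privilege_level(reply))
```

Two things to take from running it: reveal_password shows that the shared secret is the whole defence for the PAP password (a capture plus the secret gives the password back), and verify_accept shows that the same secret is what stops a forged Access-Accept; flipping one byte of the priv-lvl string changes the level the parser would grant but fails the authenticator check.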