How to: Setup Cisco IOS to authenticate via Active Directory
Introduction
This guide will show you how to set up Cisco IOS authentication via Active Directory. It is based on a Cisco 2600 router and Windows Server 2008 R2 using NPS.
Active Directory NPS Setup
This section assumes that Active Directory is already set up and running in your environment. Now for the fun part.
1. Add the NPS role via Control Panel > Admin Tools > Server Manager. Click Add Roles, select Network Policy and Access Services, then Network Policy Server; use the defaults and install.
2. Add a RADIUS client by expanding Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers.
3. Right-click or select RADIUS Clients, then select New.
4. Fill out the window with the Friendly Name, the IP address of the router doing the authentication, and the shared secret.
5. You will need to add each Cisco router you wish to authenticate to the RADIUS clients.
6. Create a new Network Policy: select Network Policies and click New.
7. Under Policy name you can name this ‘Cisco Administrators’, then click Next.
8. Under Conditions click Add, select ‘Windows Groups’, then select the group you want to have access to the routers. For this I created a Cisco Admin group in Active Directory and selected it.
9. On the next page select Access Granted, then click Next.
10. On the Configure Authentication Modes page, uncheck everything except Unencrypted Authentication (PAP, SPAP), then click Next.
11. You can skip configuring constraints if you wish.
12. Under RADIUS Attributes > Standard, delete everything from the list. Then click Add, select Service-Type in the attribute list, and select Others > Login.
13. Under RADIUS Attributes > Vendor Specific, click Add, select Vendor: Cisco, Attribute: Cisco AV Pair, then click Add.
14. Click Add on the attribute information and enter the value ‘shell:priv-lvl=15’. This will make anyone authenticating through this policy an administrator of the router.
15. Finally, make sure the ‘Cisco Administrators’ policy is at the top of the list of network policies, as they are evaluated in order. If the policy is below one that restricts all access, it will never authenticate (think Cisco access lists).
16. If you would like to add different policies for different user groups, you can repeat steps 6-15, making sure you change the level in step 14 to the privilege level you wish.
Cisco IOS Configuration
Now for the easy part of the setup, configuring your Cisco IOS device to authenticate to Active Directory.
- The first step is to make sure your router is using SSH. See Configuring SSH on Cisco IOS.
- You will need to set up AAA authentication on your device by running the following commands (ADAUTH is just a name given to the group; change the IP address to that of your Active Directory server).
aaa new-model
aaa group server radius ADAUTH
 server-private 192.168.20.2 key cisco
- This next command will enable the authentication to work. It is very important that you add local at the end of the following command: if the authentication server becomes unreachable, the router will then fall back to the local user accounts. You will also need to include the ‘aaa authorization’ command; if you do not, you will get ‘Error in Authentication’ messages when you try to enable.
aaa authentication login default group ADAUTH local
aaa authorization exec default group ADAUTH local
- Now to apply the login to the line information:
line vty 0 4
 transport input ssh telnet
 login authentication default
- transport input ssh telnet will allow both Telnet and SSH; if you do not want Telnet, you may remove it.
- If you need to specify which interface the requests will be sent from, you can use the command ‘ip radius source-interface fa0/0’.
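What the router and NPS exchange under this setup, shown as an added example that is not part of the original post: with PAP the password is only masked by an MD5 keystream derived from the shared secret, and the Access-Accept carries Service-Type=Login plus the cisco-avpair that IOS exec authorization reads, authenticated by the same secret. The Request Authenticator, packet identifier and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"cisco"  # shared secret from the sample config; use a long random one in production
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator (random per request on a real router)
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26  # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # vendor 9, vendor-type 1 = cisco-avpair

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def pap_hide(password, secret, req_auth):
    """User-Password hiding (RFC 2865 5.2): XOR with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_accept(ident, req_auth, avpair, secret):
    """Access-Accept as the NPS policy sends it: Service-Type=Login plus Cisco-AVPair."""
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, avpair.encode())
    attrs = attr(SERVICE_TYPE, struct.pack("!I", 1)) + attr(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))  # code 2 = Access-Accept
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def parse_accept(packet, req_auth, secret):
    """Router side: verify the Response Authenticator, then return priv-lvl or None."""
    attrs = packet[20:struct.unpack("!H", packet[2:4])[0]]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or altered reply")
    priv, pos = None, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            text = value[6:4 + value[5]].decode() if len(value) > 6 and value[4] == CISCO_AVPAIR else ""
            if text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
        pos += a_len
    return priv
```

A reply built with a different secret, or altered in transit, fails the authenticator check, which is why the shared secret entered on the RADIUS client in NPS must match the `key` on the router and should not be guessable.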
June 14th, 2013 at 12:01 am
Cisco IOS config worked perfectly for IOS 15.0. Thanks!