How to: Setup Cisco IOS to authenticate via Active Directory

Jun.24, 2012 in Cisco IOS like on or

Introduction

This guide will show you how to setup Cisco IOS authentication via Active Directory. This guide is based on Cisco 2600 Router and Windows Server 2008 R2 using NPS.

Active Directory NPS Setup

This section assumes that active directory is already setup and running in your environment. Now for the fun part.

We will need to Add the NPS Role via Control Panel > Admin Tools > Server Manager. Click Add Roles then select Network Policy and Access Services then Network Policy Server use defaults and install.
We will need to add a RADIUS Client by expanding Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers.

Right click or select RADIUS Clients then select New.
Fill out the window with the Friendly Name, IP Address of the router doing the authentication, and the shared secret.
You will need to add each Cisco router you wish to authenticate to the RADIUS clients.
We will need to create a new Network Policy by selecting it and clicking New.
Under Policy name you can name this ‘Cisco Administrators’ then click next.
Under conditions click Add then select ‘Windows Groups’ then select which group you want to access the routers. For this I created a Cisco Admin group in active directory then selected it.
On the next page select Access Granted, then click Next.
On the Configure Authentication Modes, uncheck everything except Unencrypted Authentication (PAP,SPAP) then click Next.
You can skip the configuring of constraints if you wish.
Under RADIUS Attributes > Standard, delete everything out of that list. You will then click Add then select Service-Type under the attribute list then select Others > Login.
Under RADIUS Attributes > Vendor Specific you will click Add then select Vendor: Cisco, Attribute: Cisco AV Pair, then click add.
You will then click add on the attribute information then enter the value ‘shell:priv-lvl=15’. This will make anyone authenticating to this policy an Administrator of the router.
The final thing to check is to make sure the ‘Cisco Administrator’ policy is at the top of the list of network policies as they are executed in order. If the policy is below restrict all access, it will never authenticate (Think Cisco Access Lists).
If you would like to add different policies for different user groups you can repeat steps 6-15 making sure you change the level in step 14 to the privilege level you wish.

Cisco IOS Configuration

Now for the easy part of the setup, configuring your Cisco IOS device to authenticate to Active Directory.

The first step is to make sure your router is using SSH. See Configuring SSH on Cisco IOS.
You will need to setup AAA Authentication on your device by running the following commands (ADAUTH is just a name given to the group, change the IP address to your Active Directory server).

aaa new-model
aaa group server radius ADAUTH
server-private 192.168.20.2 key cisco

This next command will enable the authentication to work. It is very important that you do add local at the end of the following command. If the authentication server becomes unreachable then the router will fallback to the local user accounts. Also you will need to include the ‘aaa authorization’ command as well, if not you will get ‘Error in Authentication’ messages when you try to enable.

aaa authentication login default group ADAUTH local
aaa authorization exec default group ADAUTH local

Now to apply the login to the line information:

line vty 0 4
transport input ssh telnet
login authentication default

transport input ssh telnet will allow both telnet and ssh, if you do not want telnet, you may remove it.
If you need to specify which interface the requests will be sent you can do the following command ‘ip radius source-interface fa0/0’

Tags: active directory, cisco ios, radius

5 Comments on “How to: Setup Cisco IOS to authenticate via Active Directory”

Duck
June 14th, 2013 at 12:01 am
Cisco IOS config worked perfectly for IOS 15.0. Thanks!

online assistant clinical method health and wellness welness
March 27th, 2025 at 8:34 am
Hey there! Quick question that’s completely off topic.

Do you know how to make your site mobile friendly?

My web site looks weird when viewing from my apple iphone.
I’m trying to find a template or plugin that might be able to fix this issue.
If you have any suggestions, please share. Thanks!

moveupaba.com
March 27th, 2025 at 9:21 am
Hello! I could have sworn I’ve visited this site before but
after looking at a few of the articles I realized it’s new to me.

Anyhow, I’m definitely pleased I came across it and I’ll be book-marking it and checking back often!

medical virtual receptionist
March 27th, 2025 at 8:40 pm
Its such as you learn my thoughts! You appear to understand so much
approximately this, like you wrote the book in it or something.
I think that you just could do with some % to
pressure the message home a little bit, however other than that, that is magnificent blog.
An excellent read. I will certainly be back.

wellness and wellness benefits of a clinical virtual assistant
March 29th, 2025 at 10:40 am
Greetings! I know this is kind of off topic but I was wondering if you knew where I could find a captcha plugin for my comment form?

I’m using the same blog platform as yours and I’m having problems finding one?
Thanks a lot!

Welcome

If you like what you see here please let me know in the comment section below or use the like buttons at the top and bottom of the articles!

Categories
- Operating Systems
  - Android
  - Cisco IOS
  - Linux
  - OSX
- Software
  - Apache
  - DD-WRT
  - ISC-DHCP
  - VirtualPC
  - Vmware
Meta

Arthur's Journal

A journal of all the tidbits of information I gathered through the years.