This guide will show you how to set up Cisco IOS authentication via Active Directory. It is based on a Cisco 2600 router and Windows Server 2008 R2 using NPS (Network Policy Server).


Active Directory NPS Setup


This section assumes that Active Directory is already set up and running in your environment. Now for the fun part.

  1. Add the NPS role via Control Panel > Admin Tools > Server Manager. Click Add Roles, select Network Policy and Access Services, then Network Policy Server; use the defaults and install.
  2. Next, add a RADIUS client by expanding Roles > Network Policy and Access Services > NPS (Local) > RADIUS Clients and Servers.
    Screenshot: Server Manager with NPS installed

  3. Right-click (or select) RADIUS Clients, then select New.
  4. Fill out the window with the Friendly Name, the IP address of the router doing the authentication, and the shared secret.
    Screenshot: New RADIUS Client
  5. You will need to add each Cisco router you wish to authenticate as a RADIUS client.
  6. Create a new Network Policy by selecting Network Policies and clicking New.
  7. Under Policy name you can name this ‘Cisco Administrators’, then click Next.
    Screenshot: NPS Network Policy
  8. Under Conditions click Add, select ‘Windows Groups’, then select which group you want to have access to the routers. For this I created a Cisco Admin group in Active Directory and selected it.
    Screenshot: Condition with Windows Group
  9. On the next page select Access Granted, then click Next.
  10. On the Configure Authentication Modes page, uncheck everything except Unencrypted Authentication (PAP, SPAP), then click Next.
  11. You can skip configuring constraints if you wish.
  12. Under RADIUS Attributes > Standard, delete everything in that list. Then click Add, select Service-Type from the attribute list, and choose Others > Login.
    Screenshot: RADIUS Settings
  13. Under RADIUS Attributes > Vendor Specific, click Add, select Vendor: Cisco, Attribute: Cisco AV Pair, then click Add.
  14. Click Add in the attribute information window and enter the value ‘shell:priv-lvl=15’. This makes anyone authenticating through this policy an administrator (privilege level 15) of the router.
    Screenshot: Radius Vendor Specific
  15. The final thing to check is that the ‘Cisco Administrators’ policy is at the top of the list of network policies, as they are evaluated in order. If the policy sits below the one that restricts all access, it will never authenticate anyone (think Cisco access lists).
  16. If you would like different policies for different user groups, repeat steps 6-15, changing the value in step 14 to the privilege level you wish to grant.


Cisco IOS Configuration


Now for the easy part of the setup: configuring your Cisco IOS device to authenticate against Active Directory.

  • The first step is to make sure your router is using SSH. See Configuring SSH on Cisco IOS.
  • Set up AAA authentication on your device by running the following commands (ADAUTH is just a name given to the server group; change the IP address to that of your Active Directory/NPS server and the key to the shared secret you entered in NPS).

aaa new-model
aaa group server radius ADAUTH
 server-private <NPS-server-IP> key cisco

  • The next commands enable the authentication. It is very important that you add local at the end of both of them: if the authentication server becomes unreachable, the router will fall back to the local user accounts. You will also need to include the ‘aaa authorization’ command; without it you will get ‘Error in Authentication’ messages when you try to enable.

aaa authentication login default group ADAUTH local
aaa authorization exec default group ADAUTH local

  • Now to apply the login to the line information:

line vty 0 4
transport input ssh telnet
login authentication default

  • ‘transport input ssh telnet’ allows both Telnet and SSH; if you do not want Telnet, remove it.
  • If you need to specify which interface the requests will be sent from, use the command ‘ip radius source-interface fa0/0’ (substituting your own interface).
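As an added example, not part of this guide, the Python below shows what the router receives from NPS when the ‘Cisco Administrators’ policy matches: an Access-Accept carrying Service-Type=Login and the Cisco AV Pair, from which it reads the privilege level, plus a Response Authenticator that it verifies with the shared secret (RFC 2865). The packet, its identifier and the request authenticator are constructed values; the secret is the ‘cisco’ from the server-private line above.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VSA = 2, 6, 26      # RFC 2865 code and attribute numbers
SERVICE_TYPE_LOGIN, CISCO_VENDOR_ID, CISCO_AVPAIR = 1, 9, 1  # "Others > Login" and "Cisco AV Pair"

def _tlvs(buf: bytes, start: int = 0):
    """Walk type/length/value triples (length includes the 2-byte header); raise on truncation."""
    i = start
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def parse_attributes(payload: bytes):
    """Return [(type, vendor_id, vendor_type, value)]; Vendor-Specific sub-attributes are flattened."""
    attrs = []
    for atype, value in _tlvs(payload):
        if atype == ATTR_VSA and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.extend((atype, vendor, vtype, v) for vtype, v in _tlvs(value, 4))
        else:
            attrs.append((atype, None, None, value))
    return attrs

def privilege_level(packet: bytes):
    """Privilege level an Access-Accept grants through shell:priv-lvl=N, or None if not granted."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    for atype, vendor, vtype, value in parse_attributes(packet[20:]):
        cisco_avpair = (atype, vendor, vtype) == (ATTR_VSA, CISCO_VENDOR_ID, CISCO_AVPAIR)
        if cisco_avpair and value.startswith(b"shell:priv-lvl="):
            return int(value.split(b"=", 1)[1])
    return None

def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The router's check that a reply came, unmodified, from a server holding the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed Access-Accept carrying exactly the two attributes the policy sends.
SECRET, REQUEST_AUTH = b"cisco", bytes(range(16))  # secret from the IOS config; authenticator made up
AVPAIR = b"shell:priv-lvl=15"
ATTRS = (struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, SERVICE_TYPE_LOGIN)
         + struct.pack("!BBIBB", ATTR_VSA, 8 + len(AVPAIR), CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(AVPAIR))
         + AVPAIR)
HEADER = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(ATTRS))
SAMPLE_ACCEPT = HEADER + hashlib.md5(HEADER + REQUEST_AUTH + ATTRS + SECRET).digest() + ATTRS
```

Because the policy allows only PAP, the user's Active Directory password crosses the network hidden by MD5 of this same shared secret and the request authenticator (RFC 2865 section 5.2), so a long random secret rather than ‘cisco’ and a dedicated management network for the RADIUS traffic are what keep both the password and the priv-lvl reply trustworthy.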