Configure Cisco routers to use Active Directory authentication -- the router side

Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? Last time, David Davis explained how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS) (http://www.techrepublic.com/article/5100-1035-6180954.html). To wrap up this series, this week he tells you how to configure your routers and switches to use the authentication.

In organizations that use Windows, employees use their Active Directory (AD) username and password to access their PCs every day. So why do you need separate credentials on your routers? You don't -- you can use the Windows AD database to log in to your Cisco routers and switches.

In this two-part series, I'm explaining how to configure AD authentication on your routers and switches. Last time, I told you how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS). This week, let's wrap things up by explaining how to configure your routers and switches to use the authentication.

Before we begin, let's go over this article's assumptions. We're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

For this article, I used a Cisco 871W router that's running Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)XC2, RELEASE SOFTWARE (fc1). Specifically, it has this IOS file: c870-advipservicesk9-mz.124-4.XC2.

This router has a VLAN1 that four LAN Ethernet ports share by default. This is where I configured my IP address, as shown below:

interface Vlan1
 ip address 192.168.1.100 255.255.255.0

interface FastEthernet0
 no shutdown

Configure the router or switch

While I'm using a Cisco 871W router, you can also use a Cisco switch, and the configuration should be similar. You can even configure this type of RADIUS authentication on a Cisco PIX firewall or Adaptive Security Appliance (ASA).

To configure a router or switch to talk to the Windows IAS RADIUS server to authenticate logins for management, start by making sure you have an enable secret configured, as shown below. Enter the secret in clear text; IOS hashes it and later displays it in the running configuration as "enable secret 5 <hash>", so the 5 is not something you type:

enable secret Secret!Pass1

Next, configure the router for RADIUS authentication. Listing A offers an example.

In this example, the IP address is that of our Windows IAS RADIUS server, and the key is the shared secret we entered when we configured the RADIUS client on the IAS server. In addition, we've configured the source interface so that the address the router sends RADIUS requests from matches the RADIUS client address we configured in IAS.

We also configured an authentication list called TRAuthList. While you can use the default authentication list, I don't recommend it. The default list automatically applies to all login devices, including the console. So failure of the RADIUS authentication could also lock you out of the console.

I also suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication methods radius and then local, the router falls back to the local user database if the RADIUS server ever goes down. Here's how to configure a local user (the command is shown in full; IOS also accepts the abbreviated form "user netadmin pass secretpass1"):

R1-871W(config)# username netadmin password secretpass1

Next, we need to configure all of our lines with the authentication list we created. For this example, we have the normal five lines (0 to 4), but your device may contain more. Here's an example:

R1-871W(config)# line vty 0 4
R1-871W(config-line)# login authentication TRAuthList

At this point, Windows AD authentication would work if we used Telnet to connect to the router or switch. However, for security's sake, I recommend using SSH instead of Telnet, so now we need to configure SSH.

Start by making sure we have a hostname on the router. Here's an example:

Router(config)# hostname R1-871W

Then, make sure there's an IP domain name configured. Here's an example:

R1-871W(config)# ip domain-name TechRepublic.com 

Next, generate the crypto keys, as shown below, and answer all questions with their defaults:

R1-871W(config)# crypto key generate rsa

Finally, restrict VTY lines to use only SSH -- not Telnet. Here's an example:

R1-871W(config)# line vty 0 4
R1-871W(config-line)# transport input ssh
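Because Listing A is not reproduced on this page, here is the complete router-side configuration the steps above describe, collected into one block of configuration-mode commands. This is an added reconstruction, not the article's own listing: the IAS server address 192.168.1.10 and the shared key RADIUS-SHARED-KEY are placeholders, and the 2048-bit RSA modulus and "ip ssh version 2" are my hardening choices rather than the article's defaults.

```cisco
! Added example: router-side AAA/RADIUS/SSH configuration described in this article.
! 192.168.1.10 and RADIUS-SHARED-KEY are placeholders: use the IAS server address and the
! key you entered when you created the RADIUS client in IAS.
hostname R1-871W
ip domain-name TechRepublic.com
!
enable secret Secret!Pass1
!
aaa new-model
! IAS listens on the legacy RADIUS ports 1645/1646 as well as 1812/1813.
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key RADIUS-SHARED-KEY
! Send RADIUS requests from Vlan1 so the source address matches the client defined in IAS.
ip radius source-interface Vlan1
! Named method list: try RADIUS first, then the local user database.
! A named list leaves the console on its default method, so a RADIUS outage
! cannot lock you out of the console port.
aaa authentication login TRAuthList group radius local
!
! Local fallback account. "secret" stores an MD5 hash; the article uses "password",
! which is stored reversibly, so "secret" is my substitution here.
username netadmin secret secretpass1
!
! SSH. The article accepts the default key size and connects with SSH1; a 2048-bit
! modulus and SSH version 2 are my additions (both supported on this 12.4 image).
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 login authentication TRAuthList
 transport input ssh
```

Note that the local method is consulted only when no RADIUS server responds; a password that the IAS server rejects does not fall through to the local account. Verify from a second, still-open session before saving, as the testing section below recommends.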

Test the configuration

I recommend leaving the console or other existing connection to the router up until you can verify that the new configuration works. In addition, don't save the configuration until you make sure it works. If it doesn't work, you can always remove it or reboot the device to go back to the previous configuration.

To test the new configuration, I connected to the router using SecureCRT, but you can also use PuTTY, which is free. Figure A displays the Session Options - New dialog box, which shows my connection settings. Note the SSH1 protocol -- not SSH2.

Figure A

Notice that we are using SSH1, not SSH2.

Figure B displays the Enter Username dialog box, which I use to log in with my Windows username.

Figure B

Log in with your Windows username.

With that, I have successfully connected, as shown in Figure C. I used the show users command to show that it's really me.

Figure C

Using the show users command displays a successful connection.

Troubleshoot the configuration

When it comes to troubleshooting the Cisco IOS side of this complex configuration, using the debug and test commands is your best bet. Here's an example:

Router# debug aaa authentication
AAA Authentication debugging is on

Router# debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Router#

Router# test aaa group radius ddavis MyPass1 port 1645 new-code

In addition to using the IAS log files, which I discussed in the previous article, this lets you see what's going on in the background on both sides of this configuration (i.e., the router or switch and the RADIUS server). If you run across an error message that you don't recognize, search the Web -- someone else has likely run across it already and figured out the resolution.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

28 comments
rudresh02

The document is excellent. But I was successful in authenticating on the 1st level with the AD username and password. I am not able to authenticate for enable mode with the AD username and password. Can anyone help?

naylinthu

I do not recommend handing the routers' and switches' authentication over to AD, which is possibly managed by another team (such as server/systems support). Network component authentication should be in its own domain. We can use ACS servers. Nay Lin (CCNP)

jericho_g

David - Can you also authenticate via LDAP to Active Directory? I've been successful on the ASA5510 when my base DN encompasses my entire domain. However, I want to only give VPN to specific groups, and when I do that, it fails (the error when testing from ASDM is 'user not found'). Is group authentication only available via IAS / RADIUS?

rudresh02

I tried these steps on my 2950 series switch, but my switch is not communicating with the RADIUS server for authentication. When I turn on my debug command, it shows nothing. Please let me know a solution for this issue.

gulam76

Dear sir, this is Gulam from Bangalore. I am working at one company as a system admin. We have two branches in Bangalore; those two branches are connected to a DAX router, but the two branches also have different series of IPs. Now we are able to share data from one office to the other office. Now, can I access the internet from one office's internet connection at the other branch, and what happens if the two branches have different series?

nwelch

If you are running an AD forest with multiple domains, you will need to add the "DOMAIN\" before the user name when logging in to the Cisco device (though I have found that you do not need to do this for the domain the IAS server is joined to), and you may have to add the IAS server(s) to each domain's "RAS and IAS Servers" group. I did not have to add the server(s) to the groups, but I am only using IAS for Cisco equipment at this point.

prichter

How do I restrict access? I set this up, but everyone that logs in with the ASDM via RADIUS automatically gets privilege 15. I can't figure out how to even set it to require an 'enable' password for the ASDM.

erik

How can I apply this RADIUS solution to my VPN users? They log in using local accounts now. My VPN setup is using a VPDN group, and my users are using the standard built-in Windows VPN client (PPTP/MPPE). I've tried using the following: aaa authentication ppp AuthList group Radius local. But they won't authenticate even though login works. Anything extra I need to change on the server side?

axl13

I was wondering if we could go straight to enable mode after we authenticate.

old_ndc

This article is useful and will be stored in my techtips file. Just a suggestion, though: why is Listing A supplied as a popup rather than within the general article? It is not large, and it helps with the flow of the article if all is present.

rjstephan

I'm a Windows veteran but a relative Cisco newbie (Catalyst 2960). I've not used IOS and was wondering if this RADIUS configuration is possible using the Device Mgr web interface or the Cisco Network Assistant?

bdmeyer44

I am trying to determine what devices this might work on. I have about 160 devices; switches are mostly 2950/3548 type. Also a LOT of 827/837 routers. On the 2950 I only have:

1401_sw2950-bdm(config-line)#login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking

No radius is available. This is the most current IOS:

IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 28-Jul-06 17:00 by weiliu
System image file is "flash:c2950-i6k2l2q4-mz.121-22.EA8a.bin"

On the 837's I see the same thing. No radius option. Am I missing something, or do these smaller devices just not support radius authentication? Bruce Meyer

khansen

Keep in mind that unless you are running Enterprise Server, IAS will cap you at 50 clients (I thought it was 25, but the help doc says 50). So, if you are going to be going above that, try to group all your authentications into a single subnet and define the IAS client as a range (10.1.34.0/24). This will keep you under that cap.

paul.stephenson

Thanks for the guide; this is something I have been working on for the past few weeks, and it confirmed my setup was OK :) Is it possible to configure a warning when the switch fails to talk to the RADIUS server and is attempting to use local auth?

virginia.tompkins

At "Policy Conditions" of the New Remote Access Policy Wizard (Figure G in the article), add a second policy. Click Add and select "Client-Vendor". On the Client-Vendor dialog box, select "Cisco" and Add.

alabibh

Hi folks, I am trying to configure RADIUS authentication on Cisco routers to use AD accounts. Any help will be appreciated. Thanks

paul.stephenson

aaa authorization exec default group radius if-authenticated should do the trick

paul.stephenson

I've seen no option within the CNA to configure AAA, sadly, but then what did you expect from a free Cisco tool :) It's not that hard to configure the IOS on the command line; if you've used DOS, then you'll cope easily.

ddavis

Hi Bruce, This is a good question. I don't have a list of "supported devices" as there are so many different Cisco devices. However, I looked up the two devices you talked about.

1) On the 2950 data sheet at the URL below, it said that the 2950 supports RADIUS. However, since you only have the options you showed us on the login command, I suspect the RADIUS offered on the 2950 is for 802.1x port authentication. http://cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html

2) On the 837, the spec sheet says that the default image does not support RADIUS; however, if you upgrade to the IP/FW/IPSec 3DES PLUS featured IOS, you can get RADIUS. Here is the URL: http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet09186a008010e5c5.html

Thanks for reading TechRepublic! -David

kaumell

Can I make the ip http server authenticate off AD as well? I've tried by changing the config to read: ip http authentication aaa. I followed this guide step by step, and it works great for telnet; I'd just like to try and use it to auth the http server portion as well, if possible. Thanks for the help

ddavis

Hi Paul, Thanks for taking the time to post! As far as I know, there is no automated way to configure a warning when radius authentication fails. Now, I could see this being possible if you:

1) configure syslog
2) enable debug of radius errors
3) on the syslog server, receive the inbound log info and write a script to parse the logs, find the error, and alert you

Just a thought... Thanks for reading TechRepublic! -David

CG IT

I'd like to see a Cisco forum. There really isn't a no-cost Cisco forum where a user can ask questions on configuration of Cisco products [or test lab configurations] or questions regarding certifications and get good solid advice.

bdmeyer44

I'll attempt that and post my results once done. I have a large amount of these devices, and it would be worth the effort. --Bruce D. Meyer

paul.stephenson

That should be all that is required. In my config for ip http I have:

ip http server
ip http authentication aaa
ip http secure-server

paul.stephenson

Thanks, I have syslog set up already, so I'll look into it. It's more just a case of seeing it visually whilst logging on.