Configure Cisco routers to use Active Directory authentication -- the router side

Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? Last time, David Davis explained how to <a href='' target='_blank'>install, configure, and troubleshoot Windows' Internet Authentication Service (IAS)</a>. To wrap up this series, this week he tells you how to configure your routers and switches to use the authentication.

In organizations that use Windows, employees use their Active Directory (AD) username and password to access their PCs every day. So why do you need separate credentials on your routers? You don't — you can use the Windows AD database to log in to your Cisco routers and switches.

In this two-part series, I'm explaining how to configure AD authentication on your routers and switches. Last time, I told you how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS). This week, let's wrap things up by explaining how to configure your routers and switches to use the authentication.

Before we begin, let's go over this article's assumptions. We're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

For this article, I used a Cisco 871W router that's running Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)XC2, RELEASE SOFTWARE (fc1). Specifically, it has this IOS file: c870-advipservicesk9-mz.124-4.XC2.

This router has a VLAN1 that four LAN Ethernet ports share by default. This is where I configured my IP address, as shown below:

interface Vlan1
ip address

interface FastEthernet0
no shutdown

Configure the router or switch

While I'm using a Cisco 871W router, you can also use a Cisco switch, and the configuration should be similar. You can even configure this type of RADIUS authentication on a Cisco PIX firewall or Adaptive Security Appliance (ASA).

To configure a router or switch to talk to the Windows IAS RADIUS server to authenticate logins for management, start by making sure you have a secret password enabled, as shown below:

enable secret 5 Secret!Pass1

Next, configure the router for RADIUS authentication. Listing A offers an example.

In this example, the IP address is the IP address of our Windows IAS RADIUS server, and the key is the key we entered when we configured the RADIUS client on the IAS server. In addition, we've configured the source interface to make sure the IP address of the RADIUS server matches the IP address of the RADIUS client we configured in IAS.

We also configured an authentication list called TRAuthList. While you can use the default authentication list, I don't recommend it. The default list automatically applies to all login devices, including the console. So failure of the RADIUS authentication could also lock you out of the console.

I also suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication method radius and then local, the router will fail back to the local authentication server if the RADIUS server ever goes down. Here's how to configure a local user:

R1-871W(config)# user netadmin pass secretpass1

Next, we need to configure all of our lines with the authentication list we created. For this example, we have the normal five lines (0 to 4), but your device may contain more. Here's an example:

R1-871W(config)# line vty 0 4
R1-871W(config-line)#  login authentication TRAuthList

At this point, Windows AD authentication would work if we used Telnet to connect to the router or switch. However, for security's sake, I recommend using SSH instead of Telnet, so now we need to configure SSH.

Start by making sure we have a hostname on the router. Here's an example:

Router(config)# hostname R1-871W

Then, make sure there's an IP domain name configured. Here's an example:

R1-871W(config)# ip domain-name 

Next, generate the crypto keys, as shown below, and answer all questions with their defaults:

R1-871W(config)# crypto key generate rsa

Finally, restrict VTY lines to use only SSH — not Telnet. Here's an example:

R1-871W(config)# Line vty 0 4
R1-871W(config-line)# Transport input ssh

Test the configuration

I recommend leaving the console or other existing connection to the router up until you can verify that the new configuration works. In addition, don't save the configuration until you make sure it works. If it doesn't work, you can always remove it or reboot the device to go back to the previous configuration.

To test the new configuration, I connected to the router using SecureCRT, but you can also use PuTTY, which is free. Figure A displays the Session Options - New dialog box, which shows my connection settings. Note the SSH1 protocol — not SSH2.

Figure A

Notice that we are using SSH1, not SSH2.

Figure B displays the Enter Username dialog box, which I use to log in with my Windows username.

Figure B

Log in with your Windows username.

With that, I have successfully connected, as shown in Figure C. I used the show users command to show that it's really me.

Figure C

Using the show users command displays a successful connection.

Troubleshoot the configuration

When it comes to troubleshooting the Cisco IOS side of this complex configuration, using the debugand testcommands is your best bet. Here's an example:

Router# debug aaa authentication
AAA Authentication debugging is on

Router# debug radius authentication
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off

Router# test aaa group radius ddavis MyPass1 port 1645 new-code

In addition to using the IAS log files, which I discussed in the previous article, this lets you see what's going on in the background on both sides of this configuration (i.e., the router or switch and the RADIUS server). If you run across an error message that you don't recognize, search the Web — someone else has likely run across it already and figured out the resolution.

Miss a column?

Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Editor's Picks