Configure Cisco routers to use Active Directory authentication -- the Windows side

Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? In this two-part series, David Davis walks you through the process. This time, he explains how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS).

If your organization uses Windows, you probably use your Active Directory (AD) username and password to log onto your PC every day. So why do you need separate credentials on your routers?

Even if you just need to remember an extra password, it can be annoying -- but it doesn't have to be. In fact, you can leverage the Windows AD username/password database to log in to your Cisco routers and switches.

In this two-part series, I'll explain how to configure AD authentication on your routers and switches. This week, we'll start off by discussing how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS); next week, we'll wrap it up by explaining how to configure your routers and switches to use the authentication.

Before we begin, let's go over this article's assumptions. For this configuration, we'll use IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy, which comes built into Windows 2000 Server and Windows Server 2003.

In addition, we're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

Install IAS

Start off by installing IAS if you haven't already done so. For Windows Server 2003, follow these steps:

  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add Or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.

To keep track of who can log in to your Cisco network devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of the ciscoadmin group.

Configure IAS

Now that we've installed IAS, we need to configure it. Begin by going to Start | Control Panel and double-clicking the Administrative Tools applet. Double-click the Internet Authentication Service applet, as shown in Figure A.

Figure A

To begin configuring IAS, go to Start | Control Panel | Administrative Tools | Internet Authentication Service.

This will open the Internet Authentication Service window, as shown in Figure B.

Figure B

You must open the Internet Authentication Service window to configure IAS.

Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your router or switch). I suggest using the router's hostname.
  3. Enter the LAN IP address of the client.

Figure C

Enter a friendly name for the new client, and enter the IP address.
  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used cisco as my test password.
  6. Click Finish.

Figure D shows the Internet Authentication Service window with the newly added client.

Figure D

The Internet Authentication Service window displays the newly added client.

Next, we need to create a remote access policy. Follow these steps:

  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it ciscoauth, and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in Figure E.

Figure E

Select Windows-Groups, and click the Add button.

Enter ciscoadmin (or whatever group you want to use). In this example, we're using a local Windows server group. You can also use a Windows AD group -- which, of course, is preferable. Figure F shows the Groups dialog box with the ciscoadmin group listed.

Figure F

The Groups dialog box will list the group you add.

Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in Figure G.

Figure G

The Policy Conditions screen lists the Windows-Groups condition you just added.
  7. Click Next, select Grant Remote Access Permission, and click Next.
  8. Click Edit Profile, and select the Authentication tab.
  9. Clear every check box except Unencrypted Authentication (PAP/SPAP), as shown in Figure H, and click OK.

Figure H

Select the Unencrypted Authentication (PAP/SPAP) check box only.
  10. Next, select the Advanced tab.
  11. Select Service-Type, and click Edit.
  12. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in Figure I, and click OK.

Figure I

Under Attribute Value, change it from Framed to Login.

Back on the Advanced tab, select Framed-Protocol, and click Remove. Figure J displays the resulting dialog box.

Figure J

All that's left to do is click OK.

All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in Figure K.

Figure K

For corresponding Help topics, click Yes.

We're almost there. Click Next, click Finish, and that's it!
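To make the pieces above concrete (the RADIUS client entry with its IP and shared key, the ciscoadmin group condition, PAP, and Service-Type returned as Login), here is a small Python model of the exchange between a Cisco device and IAS. This is an added example, not code from the article or from Microsoft; the NAS address 192.0.2.10, the user table and the account names are constructed, and only the key cisco comes from the article. The client hides the PAP password with the shared key as RFC 2865 prescribes, the server looks the client up by address, recovers the password, checks the user against the allowed group, and answers with Service-Type = Login in the Access-Accept; the client then verifies the Response Authenticator before trusting the verdict.

```python
import hashlib
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # the article changes this from Framed (2) to Login (1)

# Constructed tables standing in for the IAS RADIUS-client list and Active Directory.
RADIUS_CLIENTS = {"192.0.2.10": b"cisco"}  # NAS address -> shared key (article's test key)
DIRECTORY = {  # hypothetical accounts: user -> (password, groups)
    "alice": ("s3cret", {"ciscoadmin", "domain users"}),
    "bob": ("hunter2", {"domain users"}),
}
ALLOWED_GROUP = "ciscoadmin"  # the Windows-Groups condition of the ciscoauth policy

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks of the padded password with an MD5
    keystream seeded from the shared key and the Request Authenticator."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the same key recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    """One attribute: Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def access_request(username, password, nas_ip, secret, ident=1):
    """What the router sends at login when configured for RADIUS with PAP."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)

def server_handle(packet, source_ip):
    """The IAS side: known client, valid password, member of the allowed group?"""
    secret = RADIUS_CLIENTS.get(source_ip)
    if secret is None:
        return None  # requests from unregistered RADIUS clients are silently discarded
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    entry = DIRECTORY.get(user)
    if entry and entry[0].encode() == password and ALLOWED_GROUP in entry[1]:
        code = ACCESS_ACCEPT
        reply_attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, reply_attrs, request_auth, secret)
    return build_packet(code, ident, auth, reply_attrs)

def client_check(request, response, secret):
    """The router verifies the Response Authenticator before trusting the verdict."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if response[4:20] != expected:
        return "forged"  # key mismatch between the two sides, or a spoofed reply
    return "accept" if code == ACCESS_ACCEPT else "reject"

def authenticate(username, password, nas_ip="192.0.2.10", secret=b"cisco"):
    """Full round trip; returns accept, reject, forged or no-response."""
    request = access_request(username, password, nas_ip, secret)
    response = server_handle(request, nas_ip)
    return "no-response" if response is None else client_check(request, response, secret)
```

Two things worth noticing in this model. First, "Unencrypted Authentication (PAP)" does not put the password on the wire in the clear: the User-Password attribute is XORed with an MD5 keystream derived from the shared key and the per-request authenticator, so its protection is exactly as strong as that key. That is the reason to replace a guessable test key like cisco with a long random one and to register each RADIUS client under the device's real address only. Second, a key that differs between the router and IAS does not produce an error message; it shows up as rejected logins (the server recovers garbage) and as a Response Authenticator the router cannot verify, which is the first thing to check when the IAS log and the device disagree.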

Troubleshoot IAS

When it comes to troubleshooting IAS, its logs can be very cryptic. For example, Figure L shows a log created while testing this article.

Figure L

IAS logs can be a little hard to interpret.

To help out with reading these logs, I use DeepSoftware.com's IAS Log Viewer. Figure M shows a screenshot of this tool.

Figure M

IAS Log Viewer helps simplify logs.

Stay tuned: Next time, we'll wrap up this tutorial by explaining how to configure your routers and switches to use AD authentication.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

19 comments
Rabijit

Hello, I want to set up RADIUS authentication on my wireless network so that every laptop needs a username & password. Currently I am using 2003 Standard Edition as the domain. I want to use a user group of my domain's Active Directory. I already tried but did not succeed. Actually, I created a group named WIFI access and added some users, and a Linksys WRH54G router as the main AP. I registered the IAS in Active Directory and the router as a client. In the WiFi AP's security I chose RADIUS. Now laptops are prompted for username and password but are not connected to the WiFi net. Please help

joe.mcgill2

Anyone know or have the setup for Server 2008, since it's no longer IAS and now NPS? We are now being told that we have to use AD to authenticate all of our routers/switches/firewalls and so on. All routers and switches are Cisco devices, but the firewall is a Juniper Netscreen. Any info would help out! Thanks in advance

kolathaya

How to configure privilege levels for users? I tried using some help from some sites, but it did not work out for me. Can anybody tell me the steps? Thanks, Pardeep

tomja_1978

Full of knowledge and good information. I am visiting this site for the 1st time. But how can I see the switch and router setup, which is on next? So next week means Monday June 9, 2008. Please advise. Thanks, Tom Tomja_1978@yahoo.com

nwelch

If you are running an AD forest with multiple domains, you will need to add the "DOMAIN\" before the user name (though I have found that you do not need to do this for the domain the IAS server is joined to) when logging in to the Cisco Device and that you may have to add the IAS Server(s) to each domain's "RAS and IAS Servers" group.

klomph

Is there a way to use a wildcard for the RADIUS clients and use a subnet definition to allow clients access to the RADIUS server?

3pdegeiso

Is there a way to combine the use of the Windows AD credentials AND use a secure connectivity protocol such as SSH (version 2)?

samuellthomasjr

Excellent article! I look forward to the second part on the Cisco side.

PureCoffee

We use the IAS for VPN connections to the LAN. We can clearly see when a person Authenticates and logs on but is there a way to capture when a person ends the session?

Fred123456

Quick someone open the wormhole and make it tomorrow!

bdmeyer44

Nice article. I was getting ready to look at TACACS or Cisco's RADIUS product. I'm going to have to research this on my own now! Thanks!

samuellthomasjr

Would Kerberos provide the necessary security on ADS credentials?

ken.johnston

Please hurry with the Cisco side of the config.

ITfor20+

Yes and no - RADIUS/IAS does not support the notion of "log-off", as it is an authentication service. But virtually all VPN solutions (at least the 3-4 I have worked with) can keep extensive logs - in most cases you need to configure the appliance/service to keep the log, and most will also send the log activity to another server.

gregory.c.fisher

I'm worried about using "unencrypted authentication". Does this mean that passwords will be sent in "clear text"? At least when I console in I don't have to worry about this.

ITfor20+

You can find what you need if you search on the Cisco website. Try searching for something like "console login authentication" - you are more-or-less setting up TACACS+. What you will find is likely more complex than what is found here, but it is doable. BTW: I am not sure why the article above used only PAP (unencrypted), as CHAP should also work - there are MS-specific instructions at Cisco if I am not mistaken. GOOD LUCK

ckelly

And if you're using telnet to get to the console, you're sending them clear text anyway.

nacht

So the question remains: if someone is sniffing your network, what good is configuring SSH connections to your network devices when the IAS authentication is still going over plaintext?