If your organization uses Windows, you probably use your
Active Directory (AD) username and password to log onto your PC every day. So
why do you need separate credentials on your routers?

Even if you just need to remember an extra password, it can
be annoying — but it doesn’t have to be. In fact, you can leverage the Windows
AD username/password database to log in to your Cisco routers and switches.

In this two-part series, I’ll explain how to configure AD
authentication on your routers and switches. This week, we’ll start off by discussing
how to install, configure, and troubleshoot Windows’ Internet Authentication
Service (IAS); next week, we’ll wrap it up by explaining how to configure your
routers and switches to use the authentication.

Before we begin, let’s go over this article’s assumptions.
For this configuration, we’ll use IAS, the Microsoft implementation of a Remote
Authentication Dial-in User Service (RADIUS) server and proxy, which comes
built into Windows 2000 Server and Windows Server 2003.

In addition, we’re assuming that you’ve already connected
your router or switch to the LAN, enabled its LAN interface, and have an IP
address on that LAN interface. If access to the router or switch is through a
routed network, it also needs a default gateway configured.

Install IAS

Start off by installing IAS if you haven’t already done so.
For Windows Server 2003, follow these steps:

  1. Log in
    as an administrator.
  2. Go to
    Start | Control Panel, and double-click the Add Or Remove Programs applet.
  3. Click
    Add/Remove Windows Components.
  4. In
    the Windows Components Wizard, click Networking Services, and click
  5. In
    the Networking Services dialog box, select Internet Authentication Service,
    click OK, and click Next.
  6. The
    system may prompt you to insert your Windows Server 2003 CD, so have it
  7. After
    IAS is installed, click Finish, and then Close.

To keep track of who can log in to your Cisco network
devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of
the ciscoadmin group.

Configure IAS

Now that we’ve installed IAS, we need to configure it. Begin
by going to Start | Control Panel and double-clicking the Administrative Tools
applet. Double-click the Internet Authentication Service applet, as shown in Figure A.

Figure A

To begin configuring IAS, go to Start | Control Panel | Administrative
Tools | Internet Authentication Service.

This will open the Internet Authentication Service window,
as shown in Figure B.

Figure B

You must open the Internet Authentication Service window to configure IAS.

Now we need to add a RADIUS client. Follow these steps:

  1. In
    the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In
    the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your
    router or switch). I suggest using the router’s hostname.
  3. Enter
    the LAN IP address of the client.

Figure C

Enter a friendly name for the new client, and enter the IP address.

  1. Click
    Next, and select Cisco for the Client-Vendor.
  2. Enter
    a password (called a key on a router
    or switch) that the two devices will share for the authentication process.
    For this example, I used cisco
    as my test password.
  3. Click

Figure D shows
the Internet Authentication Service window with the newly added client.

Figure D

The Internet Authentication Service window displays the newly added client.

Next, we need to create a remote access policy. Follow these

  1. In
    the Internet Authentication Service window, click Remote Access Policies in
    the left pane.
  2. In
    the right pane, right-click the default policy, and select Delete.
  3. Right-click
    inside the right pane, and select New Remote Access Policy.
  4. In
    the Remote Access Policy Wizard, click Next.
  5. Click
    Set Up A Custom Policy, name it ciscoauth,
    and click Next.
  6. Click
    Add, select Windows-Groups, and click Add, as shown in Figure E.

Figure E

Select Windows-Groups, and click the Add button.

Enter ciscoadmin
(or whatever group you want to use). In this example, we’re using a local Windows server group. You can also
use a Windows AD group — which, of course, is preferable. Figure F shows the Groups dialog group with the ciscoadmin group listed.

Figure F

The Groups dialog box will list the group you add.

Select the new group, and click OK. This takes you to the Policy
Conditions screen of the New Remote Access Policy Wizard, as show in Figure G.

Figure G

Select Windows-Groups, and click the Add button.

  1. Click
    Next, select Grant Remote Access Permission, and click Next.
  2. Click
    Edit Profile, and select the Authentication tab.
  3. Deselect
    all check boxes; only select the Unencrypted Authentication (PAP/SPAP)
    check box, as shown in Figure H,
    and click OK.

Figure H

Select the Unencrypted Authentication (PAP/SPAP) check box only.

  1. Next,
    select the Advanced tab.
  2. Select
    Service-Type, and click Edit.
  3. In
    the Enumerable Attribute Information dialog box, select Login from the
    Attribute Value drop-down list, as shown in Figure I, and click OK.

Figure I

Under Attribute Value, change it from Framed to Login.

Back on the Advanced tab, select Framed-Protocol, and click
Remove. Figure J displays the
resulting dialog box.

Figure J

All that’s left to do is click OK.

All you have to do now is click OK. The system will likely
ask if you want to view Help topics, as shown in Figure K.


corresponding Help topics, click Yes.

We’re almost there. Click Next, click Finish, and that’s it!

Troubleshoot IAS

When it comes to troubleshooting IAS, its logs can be very
cryptic. For example, Figure L shows
a log created while testing this article.

Figure L

IAS logs can be a little hard to interpret.

To help out with reading these logs, I use DeepSoftware.com’s
IAS Log Viewer. Figure M shows a screenshot of this

Figure M

IAS Log Viewer helps simplify logs.

Stay tuned: Next time, we’ll wrap up this tutorial by
explaining how to configure your routers and switches to use AD authentication.

Miss a column?

Check out the Cisco Routers and Switches
, and catch up on David Davis’ most recent columns.

Want to learn more
about router and switch management? Automatically
sign up for our free Cisco Routers and Switches newsletter
, delivered each

David Davis has worked
in the IT industry for 12 years and holds several certifications, including
CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of
systems/network administrators for a privately owned retail company and
performs networking/systems consulting on a part-time basis.