RADIUS authentication for Cisco switches using w2k8R2 NPS

When replacing some switches recently I started playing with the idea of having admins authenticate with their domain accounts instead of having local users on all switches all over the place.

Since I already had a w2k8R2 NPS running for my access points I thought I'd use that. Though there are plenty of examples to find, none of them worked for my specific setup (I think it is the R2). So what better place is there to put one but here at EE.

Here we go.

First, if you haven't already done so, install NPS on your server:

-Start server manager, right-click roles and choose 'add role'.
-In the Server Roles screen, tick 'Network Policy and Access Server'
 [screenshot: Select role (here it's already installed)]

-Now do the 'next', 'install', 'finish' part and presto! NPS is installed.

Now we need to configure the NPS so the switch(es) will be able to authenticate against it:

Radius client

-Start NPS: Start->Admin Tools->Network Policy Server
-On the left side, go to: RADIUS Clients and Servers->RADIUS Clients
-Right click on 'RADIUS Clients' and select 'new'
 [screenshot: New client]
-Under the settings tab, choose a friendly name for the client so you can identify it.
-Enter the ip address of the switch.
-Enter or generate a shared secret.
 [screenshot: New client 2]
-Go to the Advanced tab and change the vendor name to 'Cisco'
 [screenshot: New client 3]
-Click ok and the client is finished.

Connection Request Policy

-On the left side of NPS, go to: Policies->Connection Request Policies
-Right click on 'Connection Request Policies' and select 'new'
-Enter a name for the policy so you can identify it.
-Leave the type setting below to 'Unspecified'
 [screenshot: New policy]
-Press next.

Now we need to add a condition. Because (I think) a connection request should always be possible, we'll just add a day and time restriction here and allow always.

-Press add and scroll down to 'day and time restrictions'. Click 'add' again.
-Now click on 'all' and tick 'Permitted'
-Press 'ok', 'next', 'next', 'next', 'next'. The policy should look something like:
 [screenshot: policy finished]
Network Policy

-On the left side of NPS, go to: Policies->Network Policies
-Right click on 'Network Policies' and select 'new'
-Enter a name for the policy so you can identify it.
-Leave the type setting below to 'Unspecified'
 [screenshot: Network policy]
-Press 'next'

Now we're going to add a condition that specifies who is able to log on to the switches. In my case I chose the 'Domain Administrators' group. But you can always create a Cisco admins group or whatever you would like :)

-Click 'add', select 'Windows Groups' and click 'add'
 [screenshot: NWP condition]
-Click 'Add Groups' and select the group you want to use
-Click 'ok', 'ok', 'next'
-Leave the next screen (access permission) as is, because we want to grant access
-Press 'next'
-In authentication methods, untick all methods except 'Unencrypted authentication (PAP, SPAP)'.
I know, it's not secure and not ideal. But at the moment it's the only supported way.

-So let's click 'next' and just say no to the question if you want to see any help topics
-We don't need to configure any constraints, so press 'next'
-Here, at settings, we need to make some changes: remove the attributes shown under RADIUS Attributes->Standard (the default Framed-Protocol and Service-Type).
-Now we need to add an attribute: click add and find the attribute 'Service-Type'.

-Click 'add', tick 'others' and select 'Login'
-Click 'ok' and 'close'

Now, because I'm lazy, I want to get to privileged mode automatically when I log in. You don't need to do that but I'll show it anyway.

-Go to: RADIUS Attributes->Vendor Specific and press 'Add'
-Select Cisco as vendor, select Cisco-AV-Pair and click on 'add'
-Click 'add' again and enter the following in the attribute information box: shell:priv-lvl=15
-Click 'ok', 'ok', 'close' and 'next'
-Now you can click 'finish' for the policy

That was the hard part ;) Now to set up the switch to use the RADIUS server for authentication with a fallback to the local user in case the server is unavailable.

Here we go:

conf t
aaa new-model
! try the RADIUS group first; the local users are used only when no RADIUS server answers
! (a reject from NPS is not a fallback, only an unreachable server is)
aaa authentication login default group radius local
! exec authorization for RADIUS-authenticated users; this is where shell:priv-lvl=15 takes effect
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius if-authenticated
! the NPS server on the standard ports, with the shared secret entered in the RADIUS client
radius-server host auth-port 1812 acct-port 1813 key ********
line vty 0 4
logging synchronous
login authentication default
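As an added illustration (not part of the original article), here is a constructed Python model of the RADIUS exchange the switch and NPS perform with the settings above: the switch hides the PAP password using only the shared secret (which is why the PAP choice is 'not ideal'), NPS answers with Service-Type=Login and the Cisco-AV-Pair shell:priv-lvl=15, and the switch checks the Response Authenticator before trusting the reply. The secret, user name and password are made-up sample values.

```python
import hashlib, struct
# Constructed RADIUS exchange (RFC 2865) between switch and NPS; all values are samples.
SECRET = b"Sample-Shared-Secret"        # must match the NPS RADIUS client entry
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
SERVICE_TYPE_LOGIN = 1                  # the 'Login' value picked in the network policy
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1   # Cisco VSA sub-attribute carrying shell:priv-lvl

def pap_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with chained
    MD5(secret + previous block). Only the shared secret protects the password."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block, key = data[i:i + 16], hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out, prev = out + res, (block if decrypt else res)
    return out

def avp(attr_type, value):              # attribute = type, length, value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_av_pair(text):                # Vendor-Specific(26) wrapping Cisco VSA type 1
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def access_request(user, password, ident, req_auth):   # what the switch sends (PAP)
    pw = password.encode()
    hidden = pap_xor(pw + b"\x00" * (-len(pw) % 16), SECRET, req_auth)
    attrs = avp(USER_NAME, user.encode()) + avp(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def access_accept(ident, req_auth, attrs):             # what NPS answers on a policy match
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + SECRET).digest() + attrs

def verify_accept(pkt, req_auth):
    """Switch side: reject a reply whose Response Authenticator fails, else collect Service-Type and Cisco-AV-Pairs."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    if code != ACCESS_ACCEPT or pkt[4:20] != hashlib.md5(pkt[:4] + req_auth + attrs + SECRET).digest():
        return None
    found, i = {"service_type": None, "av_pairs": []}, 0
    while i < len(attrs):
        t, l, v = attrs[i], attrs[i + 1], attrs[i + 2:i + attrs[i + 1]]
        if t == SERVICE_TYPE:
            found["service_type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AV_PAIR:
            found["av_pairs"].append(v[6:4 + v[5]].decode())
        i += l
    return found
```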

After that you can use your domain account to log on (as long as you are in the correct group :)

That's all there is to it.
Author: Ernie Beek

Author Comment

by:Ernie Beek
500+ views and nobody found this helpful?


This is killing my self esteem.
Come on guys, if you like it hit that button. It won't hurt :)

Expert Comment

I'm clicking yes for you man. This was very well done. I think how-tos like this don't get enough recognition. Takes quite a while to write them to make sure everything is thorough and correct. Keep it up.

Expert Comment

by:Mark Wills
Agree... Good Article and gets my Yes vote :)

Author Comment

by:Ernie Beek
Cool :) Thanks guys!

I'm not really a writer but this encourages me to perhaps post more articles, as soon as I know what to write about......

Expert Comment

by:Mark Wills
How about "Planning, Preparing, Implementing Disaster Recovery  for your Network" ?

Expert Comment

Hi Ernie,

So you write articles now? Well - well done! I agree to above comments, we need more like this! "Yes" shall be my vote.

Author Comment

by:Ernie Beek
Hi guys!

A bit late (been quite busy IRL) but I still wanted to say thanks.

So thank you all for your positive comments, clicking yes and the EEA. It's nice to know my little article is appreciated and I'll try to bring more things of (my) interest. Though I'm not sure if it will be a "Planning, Preparing, Implementing Disaster Recovery for your Network" yet :)

Thx again, much appreciated.


Expert Comment

WAY helpful. Thanks!!

Author Comment

by:Ernie Beek

Thx mate :)

Expert Comment

The only thing I still have to bang on, and just didn't get to yet, was this. When RADIUS is working, it works great. I'd like the switch to fail back to local credentials when RADIUS is not available (server stopped, etc). Do you know if I have to make a local user account, on top of the admin one I used to use, or should the original credentials still work? It didn't work when I stopped RADIUS with either login, and I just don't want to put myself in a place where I could potentially be locked out. The console login should be untouched so that is my last resort failback however.

Expert Comment

Thanks for the article.  Your instructions worked seamlessly.

Expert Comment

Pardon me as I'm not really knowledgeable. The switch IP is the interface IP that is connected to this R2 server? What if you would like to configure it on another switch probably 4 or 5 hops away? Or do we just put the router ID as the IP address? Or do we put it on the interface IP address that we would like the policy to be applied to, where the traffic comes into it? Then again, we are not only talking about authentication but firewall policy that defines authorisation.
