This is a quick how-to guide on how to have Microsoft Active Directory user accounts in a security group authenticate to Cisco gear. Afterwards you’ll be able to login with AD credentials on the Cisco router/switch for easier login control and management.
This guide assumes:
- You have a full AD environment in place
- You have a basic understanding of Cisco CLI commands
- You have an AD security group in place for Cisco access
Windows Active Directory Side:
First, install the RADIUS (network policy server) role onto your AD box.
We only need the network policy server role service.
After the role finishes installing, we want to right-click on the NPS role and register it in AD.
Next, lets add our first switch as a radius client, right-click -> new on ‘radius clients’.
Give it an easily identifiable name (we won’t ever actually need the name), ip address of the cisco device (you can also do entire subnets here), and a secret password
Once that’s done, right-click on ‘network policies’ and select ‘new’
Again, give your policy an easy to figure out name, leave server as ‘unspecified’ and click next.
Under conditions click ‘add’ then select the first option ‘windows groups’ and click ‘add’ again.
Add your already created Windows AD security group and ok out of the prompts.
Leave access permission at defaults and continue.
Set the authentication methods to what is shown below
If you see a warning prompt, click ‘no’ to continue.
Now we get into the tricky bits for Cisco equipment… Remove the ‘framed-protocol’ attribute.
On the left select ‘vendor specific’ and then click ‘add’
In the vendor dropdown select ‘Cisco’ and then click ‘Cisco-AV-Pair and then ‘add’.
click ‘add’ and enter the below value exactly as seen: shell:priv-lvl=15
Next until you see the completion screen, verify the settings at the bottom match what is seen here.
Don’t forget to scroll through them all!
Lastly, go back into ‘properties’ on your new policy and check the ‘ignore user account dial-in properties’ box, and click ‘ok’
And that’s it for the Windows side! You now have an AD tied RADIUS server ready to serve Cisco devices. Best practices recommends repeating this process on a second server for redundancy.
Cisco Switch/Router Side:
On the Cisco device, in config mode, make sure we have a proper aaa model….
Then create the new radius server group, you can add as many ‘server-private’ aka windows radius servers here as you like. Remember the key is the ‘secret’ that we set earlier in the Windows section. source-interface is recommended but not required.
aaa group server radius radius-server1 server-private <your-windows-radius-server-ip> key <your-preset-radius-key> ip radius source-interface <the vlan or interface you want radius to send FROM on the cisco switch>
Now we tell the Cisco device to try to authenticate via radius first, then if that fails fall back to local user accounts.
aaa authentication login default group radius-server1 local aaa authentication login console group radius-server1 local aaa authorization console aaa authorization exec default group radius-server1 local
Finally, and optionally, you can set the device to not require the trailing @yourdomain.com at the end of your username when logging in via RADIUS. First set your AD domain name (ex. contoso.com), and then set the IP address of at least one domain controller (you can add more). Next tell radius to directly request our AD domain DCs, which will mean we can login with just AD usernames going forward, not fully qualified names.
ip host <your-AD-domain> <your DC ip address> radius-server directed-request
And now your all set! Remember to save the config and test logging in as an active directory user on a new ssh session BEFORE closing your current session. If you fail to authenticate for any reason, you can continue to run commands/change the config on the currently open ssh session.