Authenticating to Cisco IOS via Active Directory

The following configuration will enable you to authenticate login requests to Cisco equipment running IOS against Active Directory. This would, for example, allow you to centralize the authentication of your Cisco-based network infrastructure against Active Directory.

Configuring the Cisco Equipment

The equipment I used in this configuration was a Cisco Catalyst 3560G switch running IOS 12.2(25); please note that the commands listed here may be different in different versions of IOS. The commands should be roughly equivalent, however, across hardware platforms.

First, we must enable the external authentication mechanisms, then we’ll specify the external authentication servers we’re going to use. This is listed below:

  1. First, to enable external authentication on the switch, use the following commands in global configuration mode:
    s1(config)#aaa new-model
    s1(config)#aaa authentication login default group radius local

    This enables the authentication of login requests by RADIUS first, then by a local database (just in case network connectivity is down). We specify “local” as well because this configuration applies to both telnet requests as well as physical console requests.
  2. Next, we specify the external authentication servers that the switch should use:
    s1(config)#radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key Password

    (This should all be on one line.) Best practices dictate that you should have at least two RADIUS servers for redundancy. Note that the “auth-port” and “acct-port” parameters are only necessary if you are using nonstandard ports. Since Microsoft’s IAS (Internet Authentication Service, which provides the RADIUS interface to Active Directory) uses both sets of standard ports (1645/1812 and 1646/1813) you won’t need to specify these parameters. The “key” parameter is a shared secret key between the RADIUS client (the switch) and the RADIUS server. Obviously, you’ll want to use something other than “Password”.

Now we’re ready to move to configuring the Windows servers that we’ll use for RADIUS authentication.

Configuring Internet Authentication Service (IAS)

Configuring IAS is rather simple. I’ve discussed the use of IAS before (here in discussing Cisco PIX-AD integration and here regarding WatchGuard Firebox-AD integration), and I’ll refer you back to those articles for some of the basics on setting up and configuring IAS.

Note that these instructions are based on the version of IAS included with Windows Server 2003 R2; different versions may behave slightly differently.

To configure IAS in this instance (once it has been installed and registered with Active Directory), we’ll do the following:

  • Add the Cisco Catalyst switch as a RADIUS client. We’ll need to be sure to specify the same shared secret as used in the switch configuration above. You can specify the Cisco switch either by DNS name (if it is registered in DNS) or by IP address.
  • Create a new remote access policy that grants remote access permission. The conditions on the policy should be “NAS-IP-Address” (set to the IP address of the Cisco equipment) and “Windows-Groups” (set to whatever group should be allowed to authenticate to the switch; I created a group called “Cisco Admins” and used it).
  • Configure the profile to use only PAP authentication and no encryption.

Repeat this process on the second Windows server running IAS (you did configure two for redundancy, didn’t you?).

That’s it! At this point, you should be able to telnet to the Cisco switch (or whatever IOS-based equipment you’ve configured) and log in with your Active Directory username and password. Once logged in, you can use your enable or enable secret password to enter privileged exec mode.

Now, before you go any farther, add a local account to use in case the network connectivity to the RADIUS server is lost:

s1(config)#username localaccount password password123

(Obviously, you’ll want to use a secure password!) This will ensure that if you lose network connectivity to the equipment, you can still get in through the serial console connection. Be warned: without this local account, you can be locked out of the equipment completely if the RADIUS server(s) are inaccessible!
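As an added illustration of what actually crosses the wire between the switch and IAS once the configuration above is in place, here is a minimal RADIUS/PAP exchange written from RFC 2865 using only the Python standard library. It is example code added to this page, not code from the original post, from Cisco, or from Microsoft. The "server" is an in-process stand-in for the IAS remote access policy described above (registered RADIUS client by NAS-IP-Address, group membership, PAP password check); the shared secret, addresses, usernames and passwords are constructed sample values. It goes slightly beyond the post in one respect: the Access-Accept also carries the Cisco-AV-Pair attribute (vendor 9, sub-type 1, "shell:priv-lvl=15") that the comments below describe, and the client side extracts it.

```python
# Added example: RADIUS/PAP exchange between an IOS switch and a simulated IAS server.
# Everything here (secret, addresses, accounts) is constructed sample data, not from the post.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                  # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26  # attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                                     # Cisco-AV-Pair VSA


def pap_transform(secret: bytes, authenticator: bytes, data: bytes, hide: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (hide=True) or its server-side inverse (hide=False).
    Each 16-byte chunk is XORed with MD5(secret + previous hidden chunk), seeded by the
    Request Authenticator; plaintext is NUL-padded to a multiple of 16 bytes."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ k for a, k in zip(data[i:i + 16], keystream))
        out, prev = out + chunk, (chunk if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> list:
    """Decode a run of TLV attributes, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(secret, ident, username, password, nas_ip):
    """What the switch sends: User-Name, hidden User-Password and NAS-IP-Address."""
    authenticator = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_transform(secret, authenticator, password.encode(), hide=True))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Accept/Reject whose Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_authenticator, packet):
    """Client-side check that the reply came from a server holding the same shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulated_ias(secret, packet, radius_clients, accounts, admin_group):
    """Stand-in for the IAS policy in the post: NAS-IP-Address must be a registered RADIUS
    client, the user must be in the admin group (Windows-Groups) and the PAP password must
    match the directory. Returns an Access-Accept or Access-Reject packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], dict(parse_attrs(packet[20:]))
    try:
        nas = socket.inet_ntoa(attrs[NAS_IP_ADDRESS])
        user = attrs[USER_NAME].decode()
        password = pap_transform(secret, req_auth, attrs[USER_PASSWORD], hide=False)
    except (KeyError, OSError, UnicodeDecodeError):
        return build_response(secret, ACCESS_REJECT, ident, req_auth)
    if nas in radius_clients and user in admin_group and hmac.compare_digest(accounts.get(user, b""), password):
        # Cisco-AV-Pair VSA from the comments: puts the user at privilege 15 when the switch
        # also has "aaa authorization exec default group radius local" configured.
        vsa = attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, b"shell:priv-lvl=15"))
        return build_response(secret, ACCESS_ACCEPT, ident, req_auth, vsa)
    return build_response(secret, ACCESS_REJECT, ident, req_auth)


def priv_level(packet):
    """Pull shell:priv-lvl=N out of a reply's Cisco-AV-Pair VSA, or None if absent."""
    for atype, value in parse_attrs(packet[20:]):
        if atype == VENDOR_SPECIFIC and len(value) > 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for subtype, sub in parse_attrs(value[4:]):
                if subtype == CISCO_AVPAIR and sub.startswith(b"shell:priv-lvl="):
                    return int(sub[len(b"shell:priv-lvl="):])
    return None


def authenticate(secret, username, password, nas_ip, radius_clients, accounts, admin_group):
    """One full exchange against the simulated server; returns (accepted, privilege level)."""
    request, req_auth = build_access_request(secret, 7, username, password, nas_ip)
    reply = simulated_ias(secret, request, radius_clients, accounts, admin_group)
    if not verify_response(secret, req_auth, reply):
        return False, None  # forged reply or mismatched secrets: treat as a failed login
    return reply[0] == ACCESS_ACCEPT, priv_level(reply)


if __name__ == "__main__":
    # Constructed environment: one registered switch and one AD account in "Cisco Admins".
    env = (b"example-shared-secret", {"10.1.1.1"}, {"jdoe": b"correct horse battery"}, {"jdoe"})
    print(authenticate(env[0], "jdoe", "correct horse battery", "10.1.1.1", *env[1:]))
    print(authenticate(env[0], "jdoe", "wrong password", "10.1.1.1", *env[1:]))
```

Two things worth noticing from the code. First, the only thing binding the reply to the server is the Response Authenticator computed over the shared secret, so a mismatched "key" on the switch shows up as a Reject that the switch cannot even validate, which is what you will see during troubleshooting. Second, the PAP password is hidden only by an MD5 keystream derived from that same secret and a random authenticator, which is why the strength of the shared secret and the network path between the switch and IAS deserve as much attention as the policy itself.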

This Cisco document offers some additional information on AAA configurations, so I’ll refer you there for more detailed descriptions of the commands involved. Enjoy!


11 comments

  1. Charles

    Would this method also give the command tracking and auditing that TACACS would give you? Or just plain Jane authentication.

  2. slowe

    Good question! This approach provides only plain Jane authentication; no command tracking or auditing.

  3. will

    Scott,

    I was reading about your authorizing to a switch using a RADIUS server. My question is this: is there a way to authenticate to the switch directly to exec privilege using the RADIUS server without being challenged by the switch for a local password?

    thanks,
    Will

  4. slowe

    Will,

    It probably can be done, but I don’t know how. Sorry!

  5. Keith

    Yes it is possible to authenticate directly to a privileged level via IAS (or NAP if using Windows 2k8).

    In your IAS/NAP Network Policy you need to add the vendor specific RADIUS attribute Cisco-AV-Pair. The syntax should be “shell:priv-lvl=15”. You can also change 15 to any other level from 1 – 15.

    Second you need to add the following command to the switch/router.

    aaa authorization exec default group radius local

  6. Russell

    Thanks Scott and Keith,

    With the help you guys gave here I was able to get all of our equipment using AD for primary authentication.

    This really helped when an employee found out he was being fired and tried to kill all the Cisco devices. We had lowered his privilege via AD while he was in with HR and saved ourselves who knows how much. I couldn’t have ever connected to all the switches and routers fast enough to guarantee their security without this little gem.

    THANKS A TON!!

    –Russell

  7. skribbla

    umm aren’t you supposed to then apply the authentication list to a line (console/tty/vty)? Like go into line config mode and apply the auth list to a line or set of lines? Because it seems we created the auth method but didn’t apply it anywhere… or I could be wrong :-)

  8. Eric

    If you are using the Enterprise or Data Center versions of IAS, you can use network masks when setting up the Client configs. Way better than adding thousands of individual entries!

    More info here: http://www.pskl.us/wp/?p=312

  9. Ziad

    I think it’s just a local database, it’s not a RADIUS server…

  10. noone_knows_me

    Does it matter where I put the IAS, or any other AAA server, in relation to the switch?

  11. slowe

    Hi No One Knows Me,

    As far as I know, as long as the switch has the appropriate connectivity to the authentication source it doesn’t matter where it is placed.

    Good luck!
