Authenticating users of Cisco NCS or Cisco Prime Infrastructure against Microsoft NPS (RADIUS)



Similar documents
Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Setting up Sharp MX-Color Imagers for Inbound Fax Routing to or Network Folder

Microsoft IAS Configuration for RADIUS Authorization

Instructions for Configuring a SAS Metadata Server for Use with JMP Clinical

How to Access Coast Wi-Fi

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

etoken Enterprise For: SSL SSL with etoken

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Team Foundation Server 2012 Installation Guide

Exchange 2010 PKI Configuration Guide

Configure your firewall for administrative access via RADIUS authentication

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

How to configure MAC authentication on a ProCurve switch

Versions Addressed: Microsoft Office Outlook 2010/2013. Document Updated: Copyright 2014 Smarsh, Inc. All right reserved

Using MailStore to Archive MDaemon

Initial Setup of Microsoft Outlook 2011 with IMAP for OS X Lion

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

UCO_SECURE Wireless Connection Guide: Windows 8

Installing LearningBay Enterprise Part 2

Application Note. Setting up RADIUS authentication on Opengear devices using Windows 2003 Internet Authentication Service

How to connect to the diamonds wireless network with Vista.

Windows Live Mail Setup Guide

Enterprise Apple Xserve Wiki and Blog using Active Directory. Table Of Contents. Prerequisites 1. Introduction 1

Management Authentication using Windows IAS as a Radius Server

Outlook 2010 Setup Guide (POP3)

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

How to set up your Secure in Outlook 2010*

Lab: Data Backup and Recovery in Windows XP

Setup Guide. network support pc repairs web design graphic design Internet services spam filtering hosting sales programming

Set Up Setup with Microsoft Outlook 2007 using POP3

Installing and configuring Microsoft Reporting Services

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

eadvantage Certificate Enrollment Procedures

Configuring Global Protect SSL VPN with a user-defined port

Instructions for Microsoft Outlook 2003

Case Study - Configuration between NXC2500 and LDAP Server

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

Publish Cisco VXC Manager GUI as Microsoft RDS Remote App

Update Instructions

How to connect to VUWiFi

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

User Guide for eduroam

How to Set Up Your. Account

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Lab - Data Backup and Recovery in Windows XP

Automatic Setup... 1 Manual Setup... 2 Installing the Wireless Certificates... 18

ECA IIS Instructions. January 2005

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

Setting Up Your FTP Server

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Chapter 2 Editor s Note:

Using Windows 2008 RADIUS Authentication with Tripp Lite SNMPWEBCARD

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

CHARTER BUSINESS custom hosting faqs 2010 INTERNET. Q. How do I access my ? Q. How do I change or reset a password for an account?

How to Configure Web Authentication on a ProCurve Switch

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

AXIS 70U - Using Scan-to-File

Update Instructions

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Active Directory Validation - User Guide

Dwebs IIS Log Archiver Installation and Configuration Guide for Helm 4

IIS, FTP Server and Windows

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

Creating a User Profile for Outlook 2013

Using TLS Encryption with Microsoft Outlook 2007

Setting Up Sharp MX-Color Imagers To Scan To

Microsoft Outlook 2010

Virtual Office Remote Installation Guide

Set up Outlook for your new student e mail with IMAP/POP3 settings

SQL Server 2008 R2 Express Installation for Windows 7 Professional, Vista Business Edition and XP Professional.

Install and configure server

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

setup information for most domains hosted with InfoRailway.

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Active Directory integration with CloudByte ElastiStor

Configuring Microsoft RADIUS Server and Gx000 Authentication. Configuration Notes. Revision 1.0 February 6, 2003

WHITE PAPER Citrix Secure Gateway Startup Guide

1. Open Thunderbird. If the Import Wizard window opens, select Don t import anything and click Next and go to step 3.

Chapter 3 Authenticating Users

Wavecrest Certificate

USING STUFFIT DELUXE THE STUFFIT START PAGE CREATING ARCHIVES (COMPRESSED FILES)

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Professional Mailbox Software Setup Guide

Install MS SQL Server 2012 Express Edition

Scan to Quick Setup Guide

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Configuring a Windows 2003 Server for IAS

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Protected Trust Directory Sync Guide

Configuration Guide. Remote Backups How-To Guide. Overview

Connecting to UNOSECURE using Windows 7

Using Windows Active Directory for Account Authentication to PS Series Groups

T his feature is add-on service available to Enterprise accounts.

Windows Vista: Connecting to the wireless network at Hood College

Transcription:

Authenticating users of Cisco NCS or Cisco Prime Infrastructure against Microsoft NPS (RADIUS) Date: January 15, 2013 My hope with this guide is to help others take advantage of a centralized user database with their Cisco gear; in this case, Cisco NCS or Cisco Prime Infrastructure (PI). I will walk you through, stepby-step, on how to configure both sides of the puzzle and get users authenticated against a Microsoft Network Policy Server (NPS) using their Active Directory credentials. Assumptions and Prerequisites: - Cisco NCS or Cisco Prime Infrastructure has already been installed - You know how to install Windows Server 2008 and add a role Contents Adding your RADIUS server to NCS or PI... 2 Gathering the RADIUS Attributes from NCS or PI... 4 Configuring Microsoft NPS adding RADIUS clients... 5 Configuring Microsoft NPS creating network policy... 6

Adding your RADIUS server to NCS or PI Required: - IP address of NPS Server - Ports (only if changed from defaults) - Shared secret* I like to start on the Cisco side of this puzzle first. Why? Mainly because most of the troubleshooting and trial and error I did while making this guide was on the Microsoft side. So it s easier to start with the easy stuff and then start working on the harder parts at the end. Step 1 There are a couple of requirements before you start this section. You will, obviously, need the IP address of your RADIUS / NPS server. If you changed the ports for Authentication, then you will need that as well. * The shared secret is if you already have a password in mind that you want to use. You could generate a shared secret from NPS, but that can be difficult to manage later down the line; although, it could be more secure with being random. Step 2 Once you have this information, proceed to logging into your NCS or PI server using your current login credentials. You will need to navigate to the Administration tab and click on, AAA. See figures 1 and 2. Cisco NCS Cisco Prime Infrastructure Figure 1 Figure 2

The sections on the left are sub-menus of where we need to be working to get authentication working against NPS. There are three sections that we will be working with: - RADIUS Servers - AAA Mode - User Groups We will be working with those and in that order. Figure 3 Step 3 We will add our RADIUS server to NCS or PI. Click on the link to the left of the screen labeled, RADIUS Servers. You will be presented with a screen such as Figure-4. Fill out these fields that you collected previously: - Server Address is your NPS - Authentication Port (if changed from default) - Shared Secret - Authentication type: PAP 1 The Local Interface IP is what you are going to put into the RADIUS server as a RADIUS client. Keep this information for the NPS section. Figure 4 Step 4 Once you finished configuring the RADIUS settings, click on Save and then on the left, click on AAA Mode Your screen should now look like Figure-5 Select the RADIUS radio button. I also like to check the box next to, Enable fallback to Local. And from the drop down, on auth failure or no server response. Figure 5 1 I haven t done extensive testing on CHAP. But from my brief testing of it it didn t work with NPS. I have not gone down the path of using certificates just yet. That will be my next step and guide.

Just in case my NPS server is having issues or someone without AD credentials needs to connect (a consultant, maybe?) Almost done with the Cisco part Gathering the RADIUS Attributes from NCS or PI Step 5 This next part is where we gather some more important information before we head off to the NPS side of things. On the left, click on User Groups. Your screen should look similar to Figure-6 For configuration purposes, I m going to use the group name, Admin The level of access you give staff your staff is up to you. Click on the Task List link that is on the same row as the Admin group name. Figure 6 You should see a similar screen as in Figure 7. ** IMPORTANT ** This is where the differences in NCS or PI come into effect. For NCS, you need to copy every single role and task in the Task List as seen on the left in Figure 7. For the Admin and Root group names, this could be over 100 tasks that you need to import into NPS. You will also need the virtual domain, which I will discuss shortly. Figure 7 However! With Prime Infrastructure, you only need to copy two things: The role, in this example it would be, NCS:role0=Admin And the second would be the virtual domain.

You can find the link to what Virtual Domains you have on your NCS or PI installation by scrolling or looking at the bottom of your task lists screen. Find the link at the bottom. Click on the link and you will see the RADIUS attributes for the virtual domain. Figure 8 Figure 9 Gather all these RADIUS attributes up and put them in notepad for the next section of configuring Microsoft NPS. Configuring Microsoft NPS adding RADIUS clients I m not going to go through the steps of adding a role to your windows server. You should already know how to do this. However, after the NPS role has been added, some people forget to do this step. You need to register your NPS server with Active Directory. Open up your NPS console and then right-click on the NPS logo, see figure 10. Figure 10 Once you do that we can now add your RADIUS clients. That is, the devices on your network at will be contacting the NPS server for authentication. Expand the folder, RADIUS Clients and Servers. Then right-click on, RADIUS Clients and select new. Figure 11

You will then see a screen like the one in figure 12. Give your client a friendly name, something that is easy to remember or that conforms to your companies nomenclature. Enter in the IP address. This was gathered back in Step 3 and was the Local Interface IP of your NCS or PI server. See Figure 4. Then enter in the shared secret that you created. ** Please double check to make sure the shared secret is accurate. I leave the advanced tab at their defaults. Figure 12 Configuring Microsoft NPS creating network policy Now comes the fun part! </sarcasm> If you are using Cisco NCS, then it isn t that fun. In your NPS console, expand Policies and right-click on the Network Policies folder and select, New Figure 13 Give your new network policy a name. Click Next Figure 14

On the Specify Conditions page, click on Add. I use Active Directory groups for easier management of users who can access our network equipment. Double click on Windows Groups - Click on Add groups button o Find and add your Active Directory groups to the list. - Select, OK. - Select, OK - Next Figure 12 13 14 15 On the next screen. Make sure the Access granted radio button is selected and select Next On this screen, Configure Authentication Methods I enable, Encrypted authentication (CHAP) and also, Unencrypted authentication (PAP, SPAP) ** Note I have not configured SSL certificates with NCS or PI. I will try that later and update this guide. If you have installed an SSL certified for your NCS or PI server. You will probably need to do two additional steps. Figure 16 1) That is create a certificate template in your Microsoft CA server and auto-enroll your NPS servers 2) Instead of selecting CHAP or PAP in this section, you will hit the Add button and select PEAP a. This option is only available when you do step one of adding the certificate to your NPS server. 3) Enable PEAP in your NCS or PI server. See Step 3 from above or Figure 4 from above Once you select the correct methods, hit Next You can skip the section, Configure Constraints if you want. This is where you configure timeouts for idle or sessions. Hit, Next

Now here comes the hard part for you NCS customers. This is where we configure all those task lists that we gathered from NCS or PI. The first step is under the section, RADIUS Attributes and select standard. You will need to remove the two Attributes already configured: Framed-Protocol and Service-Type Then select Vendor Specific on the left-side of the menu. Figure 17 Figure 18 1) Select Vendor Specific from the left-side menu. a. Then hit the Add button 2) From the Vendor drop-down menu, select Cisco a. Double click on Cisco-AV Pair 3) On the Attribute Information page, select Add 4) Another window will pop up. This is where you are going to add all your Task list items from NCS and the roles and virtual domains.

Here is a screenshot of all the NCS roles added for the group, Admin : Cisco NCS Cisco Prime Infrastructure Figure 19 Figure 20 Once all the tasks have been entered. Press OK a few times to exit back out to the main Configure Settings screen. In Figure 18, it is labeled #1 Click, Next The last screen is an overview of the settings you have configured. Click, Finish If all goes well, you should be able to authenticate using your Active Directory user credentials.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information