The focus of this discussion, as the title implies, is how to handle authentication and authorization (the latter to a certain degree) on Cisco IOS devices with Active Directory. On an IP Base IOS image we basically have two choices for this task – RADIUS and TACACS (and of course the local database). TACACS is capable of connecting to Active Directory, although certainly not easily. Cisco Secure ACS, which is a disaster of a Windows application, will do it, and I’ve seen it done. I actually attempted Secure ACS before falling back to the RADIUS solution at this particular client. There are situations where a TACACS system is necessary (such as command level authorization). Microsoft includes a RADIUS server in Windows 2003 (and 2000) called Internet Authentication Service (“IAS”). The interface for IAS isn’t the simplest GUI to leave Redmond, so it will take some tinkering to get everything right. The rest of this discussion outlines the steps I took to get IOS logging in to AD.
The first step is to get IAS installed and registered in Active Directory. Microsoft recommends that IAS be loaded on domain controllers (and ideally global catalogs) for performance reasons. In a low load environment this is less important, but this is the route I took. The referenced link outlines other performance optimization tips for IAS deployments which should be considered depending on the deployment design. Another caveat, which is fine print at the bottom of that link, is that Windows 2003 Standard Edition only supports fifty RADIUS clients. Enterprise Edition is required for more than fifty clients. A general best practice of course is to have at least two IAS servers so that in the event of a failure clients can continue to be authenticated. Cisco devices will of course fall back to a local logon, but this is a less than ideal situation, especially in an organization with a large number of administrators. IAS is listed under Networking Services in Add/Remove Programs > Windows Components. Once IAS is installed, open the IAS console (Start > Programs > Administrative Tools > Internet Authentication Service), right-click the root node of the tree and choose “Register Server in Active Directory”. This will add the computer account to the RAS and IAS Servers group in Active Directory. This group grants the computer the necessary rights to read the dial-in properties of user objects. IAS will also inform us that to authenticate users from other domains we must add the IAS server’s computer account to that domain’s RAS and IAS Servers group manually.
At this point we can define our authorization structure. For the purpose of this discussion, I’m going to define authorization as sufficient access to log in to the device. The enable password is still required and stored in the device’s local configuration. I may cover privilege level authorization in a future article, but I haven’t investigated everything that’s required yet. I’m going to use Active Directory Universal Groups to define this authorization structure here. I like to name devices on a network based on their location using a location-device### format, so we’re going to assume we have two locations, a central office (“CO”) and a branch (“Branch1”). We’ll need two groups in AD, “CO Network Device Access” and “Branch1 Network Device Access”, which will be utilized to generate the remote access policies in IAS.
In IAS, we need to create two remote access policies – one for access to CO devices and one for access to Branch1 devices. To do this, create a new RAS Policy and call it “CO Devices”. Choose “Set up a custom policy” as well. Our policy will key off of the host name of the device and check the group membership of the user. First add a condition for “Client-Friendly-Name”, and specify “CO-*” as the sole parameter. Add a second condition, “Windows-Groups”, and search for “CO Network Device Access”. What we’ve accomplished here is a policy which requires the device’s hostname to start with “CO-” and the user to be a member of “CO Network Device Access”. On the next page choose to “Grant Remote Access Permission”. On the next page choose the edit profile option, and on the Authentication tab select the second to last checkbox, “Unencrypted authentication (PAP, SPAP)”. Note that, fortunately, we will be able to provide a shared secret, so the password will not be sent in plaintext. Cisco added MS-CHAP v2 support for PPP authentication in a recent 12.4T release, so I’m hopeful this will show up for line authentication sometime soon. Repeat this procedure for Branch1, substituting Branch1 for CO where appropriate. The IAS console should look something like this after this step:
Now that we have policies which define who is authorized to authenticate, we can set up devices in the IAS console. To do this, create a new RADIUS Client. The “Friendly name” should be the same as the hostname of the device (this is actually what our policies are keying off of, so if you have a complex requirement you may want to steer away from this design). The client address is the IP address of the interface on the device sourcing authentication requests. On a device with multiple interfaces, the interface sourcing RADIUS requests can be specified in the configuration of the device. On the next page, select Cisco from the “Client-Vendor” dropdown, and specify a shared secret. I’m using “Ci$ko” for this example. Repeat these steps as necessary for all of your devices.
At this point, if you have multiple IAS servers (which you should), netsh can be used to export the IAS configuration and import it on the other IAS server(s). IAS does not store its data in Active Directory or any other replicated database. To export the configuration to a file run this command: “netsh aaaa show config >iasconfig.txt”. To import the configuration on another server, run “netsh exec iasconfig.txt”.
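To make the policy logic above concrete, here is an added example (my code, not the article’s or Microsoft’s) that models how IAS evaluates the two remote access policies: top-down, the first policy whose conditions all match decides, and a request matching no policy is denied (the ordering behaviour Dave B describes in comment #13 below). The user names, hostnames and group memberships are constructed; the policy names and conditions are the article’s.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    client_friendly_name: str   # Client-Friendly-Name condition, e.g. "CO-*"
    windows_group: str          # Windows-Groups condition
    grant: bool = True          # "Grant Remote Access Permission"


@dataclass(frozen=True)
class AccessRequest:
    client_friendly_name: str   # friendly name IAS resolved for the sending RADIUS client
    user: str
    groups: frozenset           # the user's AD group memberships


# The two policies from the article, in the order they appear in the console.
POLICIES = (
    RemoteAccessPolicy("CO Devices", "CO-*", "CO Network Device Access"),
    RemoteAccessPolicy("Branch1 Devices", "Branch1-*", "Branch1 Network Device Access"),
)


def evaluate(policies, request):
    """Top-down, first full match decides; its grant/deny is final and a request
    matching no policy is denied. The wildcard is treated here as a glob anchored
    at the start of the name, which is what the article intends by "CO-*"."""
    for policy in policies:
        name_ok = fnmatch.fnmatchcase(request.client_friendly_name, policy.client_friendly_name)
        if name_ok and policy.windows_group in request.groups:
            return ("grant" if policy.grant else "deny", policy.name)
    return ("deny", None)


if __name__ == "__main__":
    # Constructed users and hostnames following the article's location-device### scheme.
    co_admin = frozenset({"CO Network Device Access"})
    branch_admin = frozenset({"Branch1 Network Device Access"})
    for req in (AccessRequest("CO-RTR001", "alice", co_admin),
                AccessRequest("CO-RTR001", "bob", branch_admin),      # wrong group: denied
                AccessRequest("Branch1-SW001", "bob", branch_admin),
                AccessRequest("DC-SW001", "alice", co_admin)):         # no policy: denied
        print(f"{req.user}@{req.client_friendly_name}: {evaluate(POLICIES, req)}")
```

IAS has its own pattern-matching syntax for condition strings, so confirm in the console that “CO-*” matches only names beginning with “CO-” before relying on the prefix.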

The IOS side of the configuration is quite easy. The commands can be entered sequentially either as a paste in from a text file or as part of some automated procedure (e.g. SecureCRT scripts, an Expect shell script, etc). The sample config below assumes two IAS servers with IP addresses 192.168.1.10 and 192.168.1.11. The sample also sources all requests from interface Loopback0:
conf t
aaa new-model
! the key must match the shared secret entered for this RADIUS client in IAS (Ci$ko in this example)
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key Ci$ko
radius-server host 192.168.1.11 auth-port 1812 acct-port 1813 key Ci$ko
! source all RADIUS traffic from Loopback0 so the Client-IP-Address seen by IAS is stable
ip radius source-interface Loopback0
aaa group server radius RadiusServers
server 192.168.1.10 auth-port 1812 acct-port 1813
server 192.168.1.11 auth-port 1812 acct-port 1813
exit
! try the RADIUS group first, then fall back to the local database if no server answers
aaa authentication login default group RadiusServers local
exit
Assuming the password-encryption service is started on the device, the shared secrets will be encrypted after they’re entered. It is also highly recommended that a local login exist in case there is a failure to communicate with the RADIUS servers for any reason (the authentication order in the configlet specifies falling back to the local database after the RadiusServers group). Ports 1812 and 1813 are specified in this configuration, so the necessary holes will need to be punched through firewalls and access-lists to allow this to work. To change the ports utilized by IAS, pull up the properties of the root node in the console and choose the Ports tab.
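The PAP checkbox in the IAS profile and the key in the configlet above are two ends of the same mechanism. As an added example (my code, not the article’s, Cisco’s or Microsoft’s), the following implements the RFC 2865 User-Password hiding that the router applies before sending a PAP password and the Response Authenticator the router checks on the Access-Accept/Reject, using the article’s sample secret; it shows that both the password’s confidentiality and the reply’s integrity rest on nothing stronger than MD5 keyed with that shared secret. The password and Request Authenticator are constructed values.

```python
import hashlib
import os
import struct

# Constructed values; the secret is the sample one from the article.
SHARED_SECRET = b"Ci$ko"

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad the password to 16-octet blocks and XOR each block
    with MD5(secret + previous block), seeded with the 16-octet Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                      # b_n = MD5(S + c_(n-1))
    return hidden

def reveal_password(hidden, secret, request_auth):
    """What the RADIUS server does on receipt: rebuild the keystream, XOR, strip NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret). The NAS
    recomputes this over every Access-Accept/Reject and discards replies that fail it,
    so a guessable secret weakens both the password hiding and this integrity check."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(code, ident, attrs, request_auth, secret, received_auth):
    return response_authenticator(code, ident, attrs, request_auth, secret) == received_auth

if __name__ == "__main__":
    ra = os.urandom(16)                                   # Request Authenticator chosen by the NAS
    hidden = hide_password(b"p@ssw0rd", SHARED_SECRET, ra)
    print(hidden.hex(), reveal_password(hidden, SHARED_SECRET, ra))
    accept = response_authenticator(2, 1, b"", ra, SHARED_SECRET)   # code 2 = Access-Accept
    print(reply_is_authentic(2, 1, b"", ra, SHARED_SECRET, accept))
```

Because the keystream is derived only from the secret and a value that travels on the wire, a captured exchange can be tested offline against candidate secrets, which is why the secret should be long and random and the RADIUS path restricted to the management network.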

This is all the configuration which is required to set this up. IAS logs to the System event log on the server hosting IAS and is fairly chatty. All successful and failed logons will be logged as information and warning events, respectively. On the IOS side, “debug aaa authentication” and “debug radius authentication” are both very useful troubleshooting tools. Ethereal is of course an invaluable tool for troubleshooting this process – it includes a PAP protocol module.
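The IAS event descriptions are the first place to look when a device logon fails, and the same attribute layout appears in two reader-posted events further down this page. As an added example (my code, not the article’s), the parser below turns one such description into a dict and flags the two things those readers ran into: a Reason-Code 49 denial and a NAS-IP-Address that differs from the Client-IP-Address. The two sample events are constructed (TEST-NET addresses, made-up names), modelled on the ones in the comments.

```python
import re

# Constructed IAS event descriptions modelled on the ones posted in the comments.
GRANTED = """User jeff was granted access.
Fully-Qualified-User-Name = win2k.example/Users/Jeff
NAS-IP-Address = 192.0.2.230
NAS-Identifier = <not present>
Client-Friendly-Name = CO-RTR001
Client-IP-Address = 192.0.2.152
Policy-Name = CO Devices
Authentication-Type = PAP"""

DENIED = """User localcisco was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.0.2.207
Client-Friendly-Name = LabRouter
Client-IP-Address = 192.0.2.207
Policy-Name = <undetermined>
Reason-Code = 49
Reason = The connection attempt did not match any connection request policy."""

HEADER = re.compile(r"^User (?P<user>\S+) was (?P<outcome>granted|denied) access\.$")

def parse_ias_event(description):
    """Turn one event description into a dict; <undetermined>/<not present> become None."""
    lines = description.strip().splitlines()
    m = HEADER.match(lines[0].strip())
    if not m:
        raise ValueError("not an IAS logon event: " + lines[0])
    event = {"user": m["user"], "granted": m["outcome"] == "granted"}
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")
        if not sep:
            continue                      # skip stray lines such as dashed separators
        value = value.strip()
        event[key.strip()] = None if value.startswith("<") and value.endswith(">") else value
    return event

def review(event):
    """Findings worth a look when troubleshooting a device logon through IAS."""
    findings = []
    if not event["granted"]:
        findings.append("denied: " + (event.get("Reason") or "reason code %s" % event.get("Reason-Code")))
    if event.get("Reason-Code") == "49":
        findings.append("no connection request policy matched: check policy conditions and order")
    if event.get("NAS-IP-Address") and event["NAS-IP-Address"] != event.get("Client-IP-Address"):
        findings.append("NAS-IP-Address differs from Client-IP-Address: check the RADIUS source interface")
    return findings

if __name__ == "__main__":
    for text in (GRANTED, DENIED):
        print(review(parse_ias_event(text)))
```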
I’ve outlined a simple configuration for connecting IOS devices to Active Directory by way of Windows 2003 Internet Authentication Service using the RADIUS protocol. There are several opportunities for enhancement here, including more in-depth authorization and accounting. Setting up wireless access points to integrate with Active Directory using machine and/or user accounts is another use of this setup. PIXen can also be set up for SSH and VPN login in this manner without too much trouble.
Comments, Trackbacks, & Pingbacks

#1 re: How to authenticate against Active Directory from Cisco IOS
Saturday, October 21 2006 5:09 AM by JC
Hi Brian,
I followed your steps, double-checked my configs on both IAS and Cisco router (1721), but impossible to get through! This is what the Event Log on IAS shows:
--------
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 10/21/2006
Time: 5:03:03 PM
User: N/A
Computer: BKKCA
Description:
User localcisco was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 203.151.90.207
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 172.22.9.20
Client-Friendly-Name = LabRouter
Client-IP-Address = 203.151.90.207
NAS-Port-Type = Virtual
NAS-Port = 6
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 49
Reason = The connection attempt did not match any connection request policy.
--------
Any clue what is wrong?
Thanks!
Cheers,
JC

#2 re: How to authenticate against Active Directory from Cisco IOS
Monday, November 20 2006 6:16 AM by afraa
Please, if anyone can help in IAS configuration for Nortel Switch, please contact me on my e-mail address:
engineerafraa@gmail.com
as fast as possible, and I will be so thankful.

#3 re: How to authenticate against Active Directory from Cisco IOS
Monday, November 20 2006 6:19 AM by afraa
If anyone knows anything about configuring IAS with Nortel, contact: engineerafraa@gmail.com
I have configured everything but IAS can't read the policy, so, any suggestion?

#4 re: How to authenticate against Active Directory from Cisco IOS
Monday, March 05 2007 9:48 AM by JTW
We have a Cisco 3600 setup for dial-in. The 3600 was set up to authenticate to a Windows 2003 server running IAS and RAS. After our server crashed I started over with a fresh install of Windows 2003.
Now I can get the IAS server to grant access but the 3600 never receives the message that the user has been authenticated. I cannot even telnet into the 3600 because there is no local user and password that I am aware of. Though the 3600 was working before the server crash, one odd thing I have noticed is that the 3600 returns the NAS-IP as 230.xx but it correctly returns the Radius Client IP as 152.xx. (230.xx was the old IP of the 3600)
So if someone dials in, the 3600 forwards the request to the IAS server, which grants access, but the Cisco does not recognize that the user has been authenticated. Here is the event log from the Windows server. The person dialing in receives "Not a valid name or password for this domain".
(The domain is named win2k and I have marked out specific IP numbers)
User jeff was granted access.
Fully-Qualified-User-Name = win2k.xxx.xxx/Users/Jeff
NAS-IP-Address = 130.18.230.xx
NAS-Identifier = <not present>
Client-Friendly-Name = Cisco
Client-IP-Address = 130.18.152.xx
Calling-Station-Identifier = xxx3252235
NAS-Port-Type = Async
NAS-Port = 52
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Dial in
Authentication-Type = PAP
EAP-Type = <undetermined>
I believe the Cisco 3600 is set up correctly, because it was working. I just can't figure out why once the IAS server grants access the message is not relayed to the Cisco 3600.
jeffndepth@yahoo.com

#5 re: How to authenticate against Active Directory from Cisco IOS
Tuesday, April 03 2007 11:53 AM by GeoD
I have been working on something similar to this; what I found is that the "Connection Request Policies" and the "Remote Access Policies" were not correct. Within the policies, click the Edit Profiles tab, click the Advanced tab. This is where the problem lies, I believe.
Click Add, "Cisco-AV-Pair":
Attribute name = Cisco-AV-Pair
Attribute number = 5000
Attribute format = String
Attribute value = shell:priv-lvl=15
You have to add this to BOTH the Remote Access policy and the Connection Request policy.
Hope this helps.
Geo

#6 re: How to authenticate against Active Directory from Cisco IOS
Monday, June 11 2007 10:08 AM by jonolan
Thank you; this was the sort of information that I needed.

#7 re: How to authenticate against Active Directory from Cisco IOS
Wednesday, July 25 2007 4:10 AM by Jason Tomasi
Thank you! I have my Cisco VPN Server authenticating to Microsoft IAS, thanks to your tutorial :-)

#8 re: How to authenticate against Active Directory from Cisco IOS
Sunday, October 14 2007 11:39 PM by Deaths Head
"You have to add this to BOTH the Remote Access policy and the Connection Request policy."
For the connection request I added vendor specific connection and chose RADIUS STANDARD.

#9 re: How to authenticate against Active Directory from Cisco IOS
Wednesday, November 21 2007 5:23 AM by Teddy Brask-Andersen
Hi, thanks for a super article.
Try - for free - my new software that adds security to your RADIUS setup by using SMS from a mobile phone.
10 minutes to set up. Zero user administration afterwards.
And the standard .msi file fits 100% to your setup guides above.
Best Ret.
Teddy, Denmark, SmsToken.eu

#10 re: How to authenticate against Active Directory from Cisco IOS
Wednesday, December 05 2007 8:00 PM by saubsinee
hey.. nice post man..

#11 re: How to authenticate against Active Directory from Cisco IOS
Monday, October 06 2008 4:17 PM by Dustin
Any chance of getting an updated posting for Windows 2008? Microsoft dun gone and moved everything around....

#12 re: How to authenticate against Active Directory from Cisco IOS
Thursday, April 16 2009 5:16 AM by Johan
Hi!
Is this blog alive?
I was wondering if you have any idea how to solve my problem.
I try to set up one Radius with two different policies, one for login authentication (to the Cisco device) and one for VPN authentication; both requests come from the same Cisco device.
How do I specify which policy to respond to the right request?
Regards
Johan

#13 re: How to authenticate against Active Directory from Cisco IOS
Thursday, May 14 2009 12:49 PM by Dave B
Johan, not sure if you've sorted this, but in short IAS processes from the top down and exits at the first correct authentication. Effectively, put your login authentication (assume you mean for device management) first in the list, then the VPN next. The VPN clients will fail the first and move on to the second policy in the list.

#14 re: How to authenticate against Active Directory from Cisco IOS
October 27, 2006 5:24 PM by Brian Desmond's Blog
A few months ago I posted an article with steps to configure Windows IAS and Cisco IOS for authentication

#15 re: How to authenticate against Active Directory from Cisco IOS
June 3, 2008 4:30 PM by cisco pix active directory

#16 re: How to authenticate against Active Directory from Cisco IOS
August 18, 2009 8:57 AM by Authentication by Radius on a Cisco device. « Kpjungle’s Weblog
Pingback from Authentication by Radius on a Cisco device. « Kpjungle’s Weblog