Summary: This post describes the installation and configuration how to authenticate on Cisco devices with the use of Microsofts Active Directory.
Date: Around 2010
Refactor: 21 February 2025: Checked links and formatting.

The Active Directory will be running on a Windows Server 2008 SP2, standard edition (64 bits). The steps coming towards this configuration are these:

• Installation Network Policy Server (NPS)
  • NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008
• Configuration of a 'Remote Access Policy'
• Configuration of a 'Radius Client'
• Configuring of Cisco Devices for authentication through radius

Create A and PTR records for the switches you want authentication on:

switch04.company.local 10.10.10.133

Create a CNAME for the server who is going to provide the RADIUS service:

radius.company.local ad.company.local

• Open Server Manager by clicking Start → 'Server Manager'
• Click on 'Roles' from the left panel in Server Manager
• Click on 'Add Roles'
• If you start in the 'Before You Begin' page click 'Next', if not go to the next step
• Check the 'Network Policy and Access Services'
• Click 'Next' twice
• Select these roles:
  • Network Policy Server
  • Routing & Remote Access Services
    • Remote Access Service
    • Routing
• Click 'Next' and then 'Install', and after a while 'Close'

The 'Network Policy and Access Services' role is now installed. You can use a wizard in the NPS console to configure Network Access Protection (NAP). To open the NPS console after installation, go to Server Manager or click Start, Administrative Tools, Network Policy Server.

To make sure you have all the tools required to administrate NPS also install the feature 'Network Policy and Access Services Tools'

• Open Server Manager by clicking Start → 'Server Manager'
• Click on 'Features' from the left panel in Server Manager
• Click on 'Add features'
• Expand the 'Remote Server Administration Tools' feature
• Expand the 'Role Administration Tools' feature
• Check the 'Network Policy and Access Services Tools'
• Click 'Next' and then 'Install', and after a while 'Close'

The Network Policy and Access Services Tools are now installed.

To grant network administrators access you should create a group, and the group will be granted access and the network administrators will be assigned member of the group.

Create a global security group called 'NetworkAdministrators' and make the network administrators member.

• Go to Start → All Programs → Administrative Tools → Network Policy Server
• Expand 'Policies', rightclick 'Network Policies' and click 'New'
• Follow the wizard specifying these details:
• Policy name: Cisco
• Type of network access server: Unspecified
• Add a condition based on the 'Windows Group' you just created: 'NetworkAdministrators':
  

• Specify Access Permission: Access Granted
• Authentication Methods: Select Unencrypted authentication (PAP, SPAP), which is required for the Cisco IOS:
  

• Constraints: Set Idle Timeout to 30 minutes and leave all other constraints unconfigured
• Settings - RADIUS Attributes - Standard:
• Change 'Service-Type' from 'Framed' to 'Login'
• Remove the 'Framed-Protocol' (which is set to PPP)
• Settings - RADIUS Attributes - Vendor Specific:
• Click on 'Add' and:
• Set Vendor to 'All' and set the attribute to 'Vendor-Specific':

• Add an attribute value and:
• Set 'Select from list' to Cisco
• Set that the attribute conforms to the RADIUS RFC
• And configure the attribute:
  

• Click 'OK' three times and finish with 'Close' so you can continue with the network policy.

The network policy only needs to be checked now, so when you're done click Finish and you're done.

• Go to Start → All Programs → Administrative Tools → Network Policy Server
• Expand 'RADIUS Clients and Servers', rightclick 'Radius Clients' and click 'New RADIUS Client'

Fill in the required field and remember the shared secret you enter here:

• Click OK when you're done and you're finished with the RADIUS configuration.

• logon to switch

conf t
hostname switch04
ip domain-name company.local
ip name-server 10.10.10.53

All these commands should be issued after logging in to the server and issuing conf t.

• Configure AAA security services (authentication, authorization, and accounting) on the switch to support the RADIUS security protocol

aaa new-model

• Configure the radius server

radius-server host radius.company.local timeout 3 retransmit 2 key <shared-secret>

Note:

default timeout = 5
default retransmit = 3

* Force RADIUS to use the IP address of the management interface (Vlan1)for all outgoing RADIUS packets:

ip radius source-interface Vlan1

• Configure the authentication methods

aaa authentication login default group radius local
aaa authorization exec default group radius local

• Configure the authentication method for all virtual terminal sessions (vty):

line vty 0 15
(config-line)# login authentication default
end

Now check the configuration, and only write the configuration to the cisco device if you can login successfully. To do so:

write
exit

• Network Policy Server (NPS)
• Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins