Upload File

3750-for-nps

prev
next
out of 6
Download 3750-for-NPS

Upload: pilacuan

Post on 14-Apr-2018

214 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • 7/30/2019 3750-for-NPS

    1/6

    MCM Infrastructure Solutions Ltd Page 1

    Tech Art: TA0001-Windows 2008 RADIUS for CISCO Device

    Authentication by John McManus

    Network Device Authentication

    It is not uncommon to discover infrastructures with authentication policies in place for Windows AdminAccess using Active Directory accounts, only to find the network devices are being accessed using acommon user name and password. It would be ideal if the Active Directory accounts that are used toadminister the Windows environment could be used to administer the network devices too. (This article isspecific to Cisco Network Devices)

    One solution is to purchase a Cisco Secure Access Control Server, this can use accounts in the ActiveDirectory. The product is quite extensive and has many more feature than just logon authentication.

    Device administration: Authenticates administrators, authorizes commands, and provides an audittrail

    Remote Access: Works with VPN and other remote network access devices to enforce accesspolicies

    Wireless: Authenticates and authorizes wireless users and hosts and enforces wireless-specificpolicies

    Network admission control: Communicates with posture and audit servers to enforce admissioncontrol policies

    An alternative would be to use the Network Policy Access Server from Windows 2008, this was previouslyknown as the Internet Authentication Service (IAS) from Windows 2003. Here is a list of features:

    Device administration: Authenticates administrators, authorizes commands levels Remote Access: Works with VPN and other remote network access devices to enforce access

    policies

    Wireless: Authenticates and authorizes wireless users and hosts and enforces wireless-specificpolicies

    Network access protection: client health policy creation, enforcement, and remediationtechnology

    Actually the previous IAS version could achieve the first three functions, so what we are doing here withWindows 2008 NPS we can also do with Windows 2003 IAS. The Cisco ACS does have much deeperfeatures when using TACACS+ for authorising specific command, detailed audit trails and access lists,but the Microsoft Solution still has enough features that make the Microsoft solution ideal for smallerbusinesses.

    I would also predict that Network Policy Server(NPS) will see more adoption in infrastructures to takeadvantage of Network Access Protection (NAP) which although in its early days, has a lot of potential,and will definitely be the subject of Future Tech Arts.

    One frustrating part of the previous IAS and now with NAP is that there is NO built in feature to replicatethe policy to another NPS server. So if we define multiple RADIUS Servers in our network deviceconfigurations we need to ensure that the same policy is presented on each NPS. This could be achievedby manually creating identical policies on each server or performing an export/import process to copy theconfiguration from one NPS to another; this will ensure policy consistency across NPSs. Therefore whendesigning and placing NPS servers it is a good idea to logically highlight one as being the Master whereyou do all the administration.

  • 7/30/2019 3750-for-NPS

    2/6

    MCM Infrastructure Solutions Ltd Page 2

    Command to export the configuration

    Netsh nps export filename=backup.xml exportPSK=YES

    Command to import the configuration

    Netsh nps import filename=backup.xml

    One solution I have implemented in the past is to run a scheduled task that exports the policy from themaster server and copies the output to each of the slave servers, the slave server then has ascheduled task which imports the policy.

    TIP : For Work ing wi th mul t ip le NPS servers wi th commo n pol ic ies

    Logical ly ident i fy a Master NPS server and make al l pol icy update s here.Rat ionale

    By making changes in the same place these change can be knowingly exported from the Master server and imported to other NPS server ensuring

    consis tent pol ic ies across NPS server.

    That enough background lets configure NPS for Cisco Device authentication.

    Overview

    The RADIUS server can be installed on an Active Directory Domain controller or on a Windows Server inthe domain. Windows 2003 Enterprise Edition was required to support more that 50 radius clients, I havebeen unable to find if there are any such limitations with the Windows 2008 SKUs.

    Each device must be configured as a RADIUS client in the NPS, the RADIUS Key must match the keyspecified on the remote access device. In NPS you have the option of automatically generating the key.To transfer the key to the Cisco device I recommend copying it into notepad, then when you are doing theCisco part; copy and paste into the configuration, using this method you can create multiple clients inNPS and paste all their keys into notepad without having to jump between NPS and the Cisco TerminalSession. Always destroy the notepad file once the Cisco configuration has been completed.

    A remote access policy should then be created to allow specified users

    TIP: To prov ide added securi ty b etween the Cisco devices and the RADIUS server:

    The shared secret key should be at least 22 characters long and consis t o f a random sequence of upper and lower case let ters , numbers, and

    punctuat ion. This wi l l ensure maximum protect ion of the key. Luckly now the NPS wi l l generate a secret key longer than 22 characters.

    Each cl ient should be conf igu red wi th a di f ferent key.

    Note: The authentication mechanism is limited to PAP for Cisco device which is unencrypted; howeverRADIUS will encrypt the password over the network to the RADIUS server. This is why a strong key isrequired.

    Steps RequiredSo what needs to be done to get the NPS to provide logon authentication and access control for CiscoDevices.

  • 7/30/2019 3750-for-NPS

    3/6

    MCM Infrastructure Solutions Ltd Page 3

    The basic steps Install the Network Policy and Access ServiceRole

    Register in Active Directory

    Configure the RADIUS Client Settings Configure the Access policy

    Configure the Cisco Device

    Install the Network Policy and Access Service Role

    From the Initial Configuration Task Windows ->Click Add a Role

    Select the Network Policy and Access Server Role

    Select the Role Service Network Policy Server This is all that is require to provide RADIUSauthentication for our Cisco devices

    Register in Active Directory Once the Role has been configured then we

    can continue with the NPS configuration.You can find the NPS console underadministrative tools

    Right Click NPS (local) and Select Registerin Active Directory

    Configure the RADIUS Client Settings

    In the RADIUS Client and Server FolderRight Click RADIUS Client and Select NewRADIUS Client

    Enter Friendly Name and IP address of theCisco Device

    Select Cisco as the RADIUS Vendor

    Click Generate to make a unique RADIUSkey (make sure you copy this somewhereyou can access it later to paste into the

    Cisco Device)

    Note:There is no message authenticator available on Cisco Routers at the time of writing.The Cisco network devices are not NAP Capable at the time of writing.

    TIP: Using a standard name format for the device wi l l al low you to use wi ldcard mat ching in the pol icy to ident i fy the device.

  • 7/30/2019 3750-for-NPS

    4/6

    MCM Infrastructure Solutions Ltd Page 4

    Configure the Access policy

    Right Click the Network policy and Select

    New Enter a Policy Name (Leave as unspecified)

    Enter a Windows Group Condition Enterthe name of the group from AD who shouldhave access

    Enter a Client Friendly Name as aCondition Enter the name of the RADIUSClient (we can use wild cards here soCISCOR? would match multiple RADUISClients

    Enter a NAS-Port-Type as a condition Select Virtual (VPN)

    Specify Access Granted in Specify Access

    Permissions Configure Authentication Method as PAP

    You can select No when asked if you want to lookup the help file.

    There are no setting necessary in the ConfigureConstraint

    TIP-To see which pol icy has been match you can ch eck out the log f i le , located in c: \w indows\system32\ log. Informat ion is also logged in Securi ty Event Log:

    Source=Microsof t Securi ty Aud i t ing, Task Category=Network Pol icy Server

    Configure Settings Here is where we setup the access level

    Remove Frame-Protocol PPP

    Remove Service-Type Framed Select Vendor Specific

  • 7/30/2019 3750-for-NPS

    5/6

    MCM Infrastructure Solutions Ltd Page 5

    Now Add Cisco Vendor Attribute AV=Pair

    Add Attribute Shell:priv-lvl=15

    You should now end up with something like this

    Tip Which commands can be accessedYou could create another group and grant them access to level1 show command, so you have read-only type access to devices. This is achieved by changing

    shell:priv-lvl=?? To the appropriate level.

    Configure the Cisco Device

    The device in the following example is a Cisco router, and only the key lines are shown

    01:aaa new-model

    02:aaa group server radius RADIUS_AUTH

    03:server x.x.x.x auth-port 1812 acct-port 1813

  • 7/30/2019 3750-for-NPS

    6/6

    MCM Infrastructure Solutions Ltd Page 6

    04:server x.x.x.x auth-port 1812 acct-port 1813

    05:aaa authentication login networkaccess group RADIUS_AUTH enable

    06:aaa authorization exec default group RADIUS_AUTH if-authenticated

    07:ip radius source-interface FastEthernet 0/1

    08:radius-server host x.x.x.x auth-port 1812 acct-port 1813 key min22charkey

    09:radius-server host x.x.x.x auth-port 1812 acct-port 1813 key min22charkey

    10:line vty 0 15

    11:exec-timeout 0 0

    12:login authentication networkaccess

    01: Switch to Access Authentication, Authorisation and Accounting new command set02: configure a radius group RADIUS_AUTH to logical group RADIUS Servers03: specify primary RADIUS server as part of RADIUS_AUTH04: specify backup RADIUS server as part of RADIUS_AUTH05: define networkaccess as a logical name to apply logon and enable access to06: allow RADIUS_AUTH users access to exec mode07:specifies the interface RADIUS uses as the source.08: specify secret key for primary RADIUS server09: specify secret key for backup RADIUS server10: modify the telnet access11: set the time out for the login session12:assign networkaccess from 05: for Login access

    Now we can logon to the Cisco Device via telnet using your Active Directory account name.

    Summary

    Configuring RADIUS authentication for Cisco Devices against Active Directory does not require a largeinvestment in new infrastructure. There are some very simple steps that can be performed to allow ActiveDirectory accounts to be used for accessing the network infrastructure components.The article alsoprovides a first look at the Windows 2008 NPS which no doubt has some interesting potential for thefuture with Windows 2008.

    There are additional video clips showing how to configure NPS for RADIUS authentication with CiscoDevices MCM Infrastructure Solutions Technical Articles -http://www.mcmis.co.uk/TechArt/Technical%20Articles.htm


Vostro 3750 Manual

Scanned Document - Naval Air Training Command€¦ · (1) OPNAVINST 3100 .6J, CH-2 CNATRÄINST 5720.20G OPNAVINST 3750 .6R CNETINST 3750. IF NAVAIRINST 00-80T-116 CNATRAINST 3750

3750 Final

Catalyst 3750 Switch Hardware Installation · PDF fileCatalyst 3750 Switch Hardware Installation Guide ... Catalyst 3750-24FS and 3750V2-24FS Switch Front Panel 3 ... Catalyst 3750

Vostro 3750 Owner's Manual€¦ · Dell Vostro 3750 Owner's Manual Regulatory Model P13E Regulatory Type P13E001

Stream Stability Assessment Guidelines for NPS Grant ... · Stream Stability Assessment Guidelines for NPS Grant Applicants All applications for 319 NPS grants or addressing stream

Switch Cisco Catalyst 3750

Configuring QoS on 3750 Sw

Instruction Manual for: VeriFone Omni 3350 Omni 3740 … · The Equipment Page 3 of 33 Instructions for VeriFone Omni 3350, 3740 og 3750 terminals Omni 3740/3750 Omni 3740/3750 terminal

Dell 3750 Manual Service

Upgrade to Catalyst 3750 & 3750-E - Cisco€¦ · Presentation_ID © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 Overview Why Upgrade to Catalyst 3750 and 3750-E

3750 Multi-Slide System - KeyCDN

Catalyst 3750 Switch Boot Loader Commands · Catalyst 3750 Switch Command Reference OL-8552-02 Appendix A Catalyst 3750 Switch Boot Loader Commands dir Related Commands 1644045 Size

Cisco 3750 Datasheet

Cisco Catalyst 3750-X and 3560-X Series · PDF fileCisco Catalyst 3750-X and 3560-X Series Switches ... Cisco Catalyst 3750-X and 3560-X Series ... The Cisco Catalyst 3750-X Series

3750-3752 Product Info.pdf

User's Guide - ET-3750 · 2017. 10. 24. · ET-3750 User's Guide Welcome to the ET-3750 User's Guide. For a printable PDF copy of this guide, click here. 12 Product Basics See these

3750+Numeracy sample paper

No. 13-3750

[CANCERRESEARCH58.3743-3750,August15.1998 ... · [CANCERRESEARCH58.3743-3750,August15.1998] RemodelingofCollagenMatrixbyHumanTumorCellsRequiresActivationand CellSurfaceAssociationofMatrixMetalloproteinase-21

FINDING AID FOR - NPS

Catalyst 3750 Switch Command Reference

Catalyst 3750 E

Cisco 3750 Software Configuration Guide

Data Sheet SWCisco 3750|3560

Cisco 3750 Switch Command Reference

Catalyst 3750 Switch Software

3750 Series

3750 Switch Hsrp

MAGNUM - MONDOLFO FERRO · 2018. 12. 18. · MAGNUM 10 T - L = 5800 5800 MIN 210 MAX 1900 3750 MIN 210 MAX 1900 20 T - L = 7500 3750 20 T - L = 10000 3750 MIN 210 MAX 1900 2500 3750

Upgrade to Catalyst 3750 & 3750-E - Cisco · Upgrade to Catalyst 3750 & 3750-E ... Security threats are continuing to grow ... PoE No No 3524-XL-PWR C2900 C3500 XL C3750-E XL

The Civil War and Reconstruction - history.usu.edu 3750.pdf · 5 HIST 3750: Civil War & Reconstruction Name _____ Learning Outcomes Rubric for essay

Cisco Catalyst 3750 Series Switches - dich.com.t · Cisco Catalyst 3750 Series Switches Product Overview The new Cisco Catalyst® 3750 Series switches are an innovative product line

Cisco Catalyst 3750-E StackWisePlus

Stream Stability Assessment Guidelines for NPS …...Stream Stability Assessment Guidelines for NPS Grant Applicants All applications for 319 NPS grants or addressing stream engineering