Cisco AAA with RADIUS against Active Directory through the NPS role in Windows Server 2012 R2

Captions
In this video I'm going to be walking through setting up Active Directory authentication for a Cisco router. This will be using AAA RADIUS through the Network Policy Server role in Windows Server 2012 R2. Let's get started. So the first thing we're going to want to do is install the role, so we're going to fire up Server Manager, go to Add Roles and Features, click Next, Next again, Next again. We're going to find Network Policy and Access Services, tick that, and add the features, Next again, Next again, Next again. Yes, it's the Network Policy Server that we would like, Next again, and Install, and pause the video while that's installing.

So just a bit of brief background regarding the network topology that we're working with here. We're actually using GNS3 as the platform for this, and so essentially we have our domain controller here, we have our NPS server here, we have our router here. So essentially the AAA services will be configured here, and it will use the NPS server for RADIUS authentication, which will then in turn query the domain controller.

So while the NPS role is installing over on NPS1, I'm just going to hop over to our domain controller here. We're just going to create a quick group, which is essentially going to have all of the users that are going to be able to authenticate to our router. So I'm going to fire up Server Manager and go into Users and Computers, and under our Staff OU here we're going to create a quick group and call it Network Admins. Click OK. I'm going to go back into that group, just give it a quick description, so admin level access 15, go to the members, here we go, perfect. Let's go and look at how the NPS role is getting on.

OK, so back on our NPS1 server here, and the role has completed, so I'm just going to close the end of the wizard there, and here we can see the Network Policy and Access Services role is online. I'm going to right-click on that and go to Network Policy Server, and here we have our Network Policy Server console. So the first thing we're going to want to do here is register this server within Active Directory, so we're going to right-click on NPS (Local) there and Register Server in Active Directory, and click OK, click OK again. So that server is now registered within Active Directory. So the next task we're going to want to perform is to essentially start adding our RADIUS clients in; it's that specific router that we want to add in. So we're going to click on RADIUS Clients, right-click and then click New, and we want to enable this RADIUS client. I'm going to give it a friendly name, Core A, which is our router name, we're going to specify its IP address, excellent, and I'm going to specify the shared secret. I'm just going to keep this very simple for the lab, just "Cisco". On the Advanced tab there we're going to drop down the vendor name and select Cisco, and click OK. So that's our RADIUS client added there.

Next we're going to have a look at the policies, so we're going to expand the policies out, and the first we're going to have a look at is the connection request policies. So that's essentially saying who can actually make a request to this RADIUS server. OK, so let's select New. I'm going to call this Core A, and we're going to select Next, and we're going to specify a condition. Here we're going to specify a client friendly name, and as the description says there, the Client Friendly Name condition specifies the name of the RADIUS client that forwarded the connection request to NPS. So we're going to click Add, and in here we're going to type Core A, as that is the friendly name of our router that's making the request to the NPS server. Select OK, select Next, and yes, we want to authenticate requests on this server, that's fine. Click Next, Next again, Next again, and click Finish.

Next we're going to have a look at the network policies, so we're going to select Network Policies, right-click, select New, and for this policy name we're going to call it Cisco Admin Level 15. So the idea here being that we can essentially pass the privilege level 15 through to the router, and later on in this policy we're essentially going to tie the Active Directory group that we created earlier through to this policy, so anybody that's within that group that matches this specific policy will get privilege level 15 passed through to the router. So you can almost imagine there we could have another policy with a different privilege level associated to it, tied to another group in Active Directory. OK, so moving on then, select Next. We're going to specify a condition here, and this is where we're going to add our group in Active Directory: select User Groups, click Add, Add Groups, we're going to select our Network Admins, select OK, Next. Access Granted, and we're going to leave the defaults and select Next, Next again. And here, for the RADIUS attributes, under Standard we're going to remove the Framed-Protocol, and for the Service-Type we're going to edit that and select Login, OK that. And then under Vendor Specific we're going to add a new attribute, and we can drop that down, select Cisco, and we're going to add a new value, and this is where we're passing through essentially privilege level 15. So we're going to essentially say shell:priv-lvl=15. Click OK, OK that, close that, select Next, and here we can verify our settings and then click Finish.

Now that our RADIUS configuration is complete on our Network Policy Server, we're going to move over into GNS3 and have a look at our Cisco IOS configuration. We're going to pull up GNS3, and we're going to pull up our terminal window for our router, so I'm going to log in. OK, so the first thing we're going to want to do here is create a username and password under the local database for this router. So essentially the idea being here is, once we've configured our RADIUS configuration and we've specified our RADIUS servers, if for some reason we can't communicate with our RADIUS server, we'll add in a local fallback to use the local database essentially, which is why we're going to create our user. OK, so I'm going to move into global configuration mode and we're going to specify username admin, privilege level 15, and secret Cisco12345, and we're just using a real simple config with a username and password there just for our lab. So the next thing we're going to do is enable AAA, so we're going to do aaa new-model. We're going to specify that we're going to be using a RADIUS group, so that's aaa group server radius, and we're going to call it rad_servers. OK, and now we're going to specify the server, so server-private 192.168.0.2, we're going to specify the auth port, 1812, and the accounting port, which is 1813, and our key, which we specified earlier in the video, is Cisco, again just for simplicity in our lab. OK, so we're going to exit that.

So the next thing we're going to want to do is essentially enable our AAA for authentication and authorization, and we're going to specify to use our RADIUS group rad_servers, and then, as we said earlier, fall back to the local database for that login if the RADIUS servers can't be contacted. OK, so for that we're going to do aaa authentication login default group rad_servers and then that all-important local, and the same for authorization, so we're going to do aaa authorization exec default group rad_servers and again that all-important local, and if-authenticated. OK, and the last command we're going to drop in there is aaa authorization console. OK, so the last thing we're going to want to do here, essentially just for our own sanity really and to help for troubleshooting purposes, is enable some debug options. So we're going to come out of global configuration mode and we're going to switch on debug for AAA authentication, so debug aaa authentication, and also debug aaa authorization, and the last one there, debug radius.

OK, all that's left to do is test our login, so let's test our login. OK, perfect, and we've successfully authenticated there. So it's probably just worth pointing out a couple of things really that we can see from those debug options that we enabled. So the first thing is just to verify that our RADIUS server is actually correct, so we've got 192.168.0.2, so we can just validate that. Great, that's all correct. The next thing is our username there, excellent, that's correct. And the other thing to verify is the privilege level 15 that's been passed through, and we can see there, so there's the shell:priv-lvl=15. So if we had multiple policies set up in our NPS server and we were specifying different privilege levels, we can actually just check there to make sure that those privilege levels are being passed correctly. Thanks for watching.
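As an added illustration, not from the video, here is what the NPS network policy above actually puts on the wire: an Access-Accept carrying Service-Type=Login and the Cisco vendor-specific attribute shell:priv-lvl=15, built as NPS would and then parsed as the router would, with the Response Authenticator checked against the shared secret so a reply from a server that does not hold the secret is rejected. The function names and the sample Request Authenticator are my own constructions.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_LOGIN = 1                 # the "Login" Service-Type chosen in the NPS policy
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # vendor 9 = Cisco, sub-type 1 = cisco-avpair


def _attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _cisco_avpair(text):
    """Vendor-Specific attribute (26) wrapping a Cisco (vendor 9) cisco-avpair."""
    sub = _attr(CISCO_AVPAIR, text.encode())
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier, request_auth, secret, priv_lvl):
    """NPS side: Access-Accept carrying Service-Type=Login and shell:priv-lvl=N.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    attrs = _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    attrs += _cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """Router side: reject the reply unless the Response Authenticator matches the
    shared secret, then extract the privilege level the policy passed through."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if code != ACCESS_ACCEPT or resp_auth != expected:
        return None                     # wrong secret or not an Access-Accept
    result = {"service_type": None, "priv_lvl": None}
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            avpair = value[6:4 + value[5]].decode()   # sub-type(1) sub-len(1) text
            if avpair.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(avpair.split("=", 1)[1])
        pos += alen
    return result
```

Running parse_access_accept with the wrong secret returns None, which is the same outcome as the router's debug radius showing an authenticator mismatch when the shared secret on NPS and the router disagree.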
Info
Channel: Blue Team Security
Views: 61,988
Rating: 4.9572191 out of 5
Keywords: Security, IT Security, Windows Server Hardening, GPO, Cisco AAA Active Directory, Cisco AAA Active Directory Authentication Radius, Network Policy Server, Radius, NPS
Id: BSPYk9o7mWE
Length: 14min 16sec (856 seconds)
Published: Fri Jul 01 2016