Friday 22 November 2013

Centralized Authentication for network devices with AAA server (Radius) and IAS

Why should i have Centralized Authentication? or Why should I integrate Active Directory with AAA router?

Of course, Managment is very easy. It is not an integration of AD and AAA, What do we do here is using the Active directory user database for routers' and switches' access. Also every time you need not to login into all the routers and switches just to change password. In order to have a centralized authentication for all the network devices we configured Internet Authentication Service in our Domain Controller to act as a Radius server. Using IAS service we can build a centralized authentication server for all the network devices in both Backbone and Master setup.
AAA client also should be configured in all the network devices in order to communicate with IAS Server. 

What If my Radius Server Fails ?

In this blog, I will be covering the backup authentication method also. In case if your Radius servers fails, still your routers and switches can use their local database to authenticate users. A picture would give you a better idea, refer the snap below.

Installation of IAS Service and configuration in Win2k3

Follow the steps to install Internet Authentication Service in your Windows Server 2003 server. 
  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.
  8. Then open IAS from Administrative Tools.

How to add a Radius Client in IAS ?

Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in the below figure, enter a display name for the client (i.e., your router or switch). I suggest using the router's hostname.
  3. Enter the LAN IP address of the client.
  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used XX as my test password.
  6. Click Finish. 

Create Remote Access Policy in IAS

Next, we need to create a remote access policy. Follow these steps:
  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it IMSA (for example), and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in the below image.

Enter whatever groupname you want to use. In this example, we're using a local Windows server group. You can also use a Windows AD group -- which, of course, is preferable. The below image shows the Groups dialog group with the Senthil_Test group listed.

Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as show in below image.

Click Next, select Grant Remote Access Permission, and click Next.
Click Edit Profile, and select the Authentication tab.
Deselect all check boxes; only select the Unencrypted Authentication (PAP/SPAP) check box, as shown in below image, and click OK.

Next, select the Advanced tab.
Select Service-Type, and click Edit.
In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in following image, and click OK.

Back on the Advanced tab, select Framed-Protocol, and click Remove. Below image displays the resulting dialog box.

All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in the following image.

We're almost there. Click Next, click Finish, and that's it!

How to configure AAA in Cisco Router?

Enable AAA

Login into router with privilege 15 user.
(config)# aaa new-model
The above command will enable aaa in network device.

Configure Radius server details
(config)# radius-server host auth-port 1645 acct-port 1646 key KEY1
In the above command you have to specify radius server IP, authentication port details and shared key.
(config)# ip radius source-interface Vlan1
In ip radius command we need to mention the source which we are using as source interface to communicate with radius server.

Configure AAA fallback to local datavase of Router
(config)# aaa authentication login LIST1 group radius local
In the above command you have to specify authentication list (In our case LIST1) and user database to which fallback should happen.

Creating local user
I suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication method radius and then local, the router will fail back to the local authentication server if the RADIUS server ever goes down. Here's how to configure a local user:
(config)# user ops priv 15 secret secretpass1
(config)# ip domain-name
We also have to specify the domain server with ip domain-name command. This also acts as name server.

Configure line connections to use AAA
Get into line configuration mode by using the below command.
(config)# line vty 0 4
Now use the below command to advise the router to use AAA authentication for telnet and ssh connections.
(config-line)# login authentication LIST1
That’s all. Now all you have to do is verify the settings by testing the below items.

Testing AD User Login

Try to take telnet to any of the AAA client.

Once it’s prompting for Username, Enter your domain controller credentials (blogg) and press Enter.

You will be in Privileged execution mode of the router.

Testing Fallback Support of AAA in Cisco Router

There are cases where you might lose connectivity to your IAS server from your network device. In that case you should also have a fallback so that you can login with local database user and start configuring your device.

I stopped IAS Service to test this fallback by going to Services.msc in IAS server.

Later I tried to login into one of the AAA client. The below image shows this. 

Now local user ops is able to login even the IAS service is stopped. Thanks for visiting, Please post your doubts in comment box.


1 comment:

  1. Hi,
    Thanks a lot!... This was the information I was looking for and I'm so glad I could get it!. It was really helpful! Thanks! :) :))

    Apostille Certificate