In this guide, we will walk through the process of connecting a Cisco switch to a Microsoft Active Directory (AD) server for centralized authentication, authorization, and accounting (AAA). This setup leverages the RADIUS protocol to communicate between the switch and the AD server.
Prerequisites
- Cisco Switch: Ensure it is running an appropriate version of Cisco IOS.
- Microsoft Active Directory Server: Should be up and running.
- Network Connectivity: Ensure the switch and the AD server can communicate over the network.
- Administrative Access: Required for both the switch and the AD server.
Step-by-Step Configuration
1. Configure the Cisco Switch
Step 1: Enable AAA
First, we need to enable AAA on the Cisco switch. AAA stands for Authentication, Authorization, and Accounting, which is a framework for intelligently controlling access to computer resources.
```
enable
configure terminal
aaa new-model
```
Step 2: Configure the RADIUS Server
Next, add the AD server as a RADIUS server on the switch. You’ll need the IP address of the AD server and a shared secret key for secure communication.
```
radius server AD_RADIUS
 address ipv4 <AD_Server_IP> auth-port 1812 acct-port 1813
 key <shared_secret>
```
Replace <AD_Server_IP> with the IP address of your AD server and <shared_secret> with a secure shared secret key.
Step 3: Create a RADIUS Group
Create a RADIUS server group and include the AD server in this group.
```
aaa group server radius AD_GROUP
 server name AD_RADIUS
```
Step 4: Define AAA Authentication and Authorization
Configure the switch to use the RADIUS server for user authentication and authorization.
```
aaa authentication login default group AD_GROUP local
aaa authorization exec default group AD_GROUP if-authenticated
```
Step 5: Apply AAA to Console and VTY Lines
Apply the AAA authentication methods to the console and VTY (Virtual Teletype) lines to control access through these lines.
```
line con 0
 login authentication default
line vty 0 15
 login authentication default
```
2. Configure the Microsoft Active Directory Server
Step 1: Install the Network Policy Server (NPS) Role
NPS is a role in Windows Server that acts as a RADIUS server. If it’s not already installed, follow these steps:
- Open Server Manager.
- Click on Add Roles and Features.
- Follow the wizard and select Network Policy and Access Services.
- Complete the installation.
Step 2: Configure NPS
- Open Network Policy Server from the Administrative Tools.
- Right-click on RADIUS Clients and select New.
- Enter a friendly name for the client and the IP address of the Cisco switch.
- Enter the shared secret key (same as used in the switch configuration).
- Click OK to add the RADIUS client.
Step 3: Configure a Network Policy
- In the NPS console, expand Policies and select Network Policies.
- Right-click and choose New.
- Provide a name for the policy and define conditions, such as the user group membership.
- Configure authentication methods, ensuring MS-CHAP v2 is enabled. Note that Cisco IOS login authentication over RADIUS sends the password as PAP (in the User-Password attribute), so the policy must also allow Unencrypted authentication (PAP, SPAP), otherwise NPS rejects the request.
- Define access permissions appropriate for your environment.
- Click Finish to create the policy.
3. Testing the Configuration
To ensure everything is set up correctly, test the configuration by attempting to log in to the Cisco switch using a domain user account.
- Successful Login: If the login succeeds, the configuration is correct.
- Troubleshooting: If the login fails, verify the following:
  - Shared Secret: Ensure the shared secret matches on both the switch and the AD server.
  - Network Connectivity: Check that the switch and AD server can communicate over the network.
  - NPS Logs: Review the NPS logs on the AD server for any authentication errors.
  - User Account: Ensure the test user account is a member of the group defined in the NPS policy.
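As an added example that is not part of the original guide, the following standard-library Python client builds an RFC 2865 Access-Request the way the switch does for a PAP login, sends it to NPS on UDP/1812, and checks the Response Authenticator, so a failed test can be attributed to connectivity, a shared secret mismatch, or a policy reject rather than guessed at. The server address, shared secret, user name, and NAS IP are placeholders you supply; run it from a host that NPS lists as a RADIUS client, because NPS silently drops requests from unregistered source addresses (which shows up here as a timeout).

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 PAP obfuscation: NUL-pad to 16-byte blocks, XOR block i with
    MD5(secret + ciphertext block i-1); block 0 chains from the Request Authenticator."""
    data, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(data), 16):
        prev = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type | Length (including this 2-byte header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None) -> bytes:
    """Code(1) | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """RFC 2865 s3: a server holding the secret answers with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Genuine only if re-deriving the reply with our secret reproduces it byte for byte."""
    return len(response) >= 20 and hmac.compare_digest(
        build_response(response[0], response[1], request_authenticator, secret, response[20:]), response)

def probe_login(server: str, secret: bytes, user: str, password: str, nas_ip: str) -> str:
    """Send one Access-Request to NPS on UDP/1812 and classify the reply (needs the network)."""
    request = build_access_request(1, user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # no RADIUS client entry for this source IP on NPS, or no connectivity
    if not verify_response(reply, request[4:20], secret):
        return "bad-authenticator"  # the shared secret differs between this client and NPS
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], f"code-{reply[0]}")
```

A "reject" with a verified authenticator means the secret and connectivity are fine and the cause is in the NPS network policy or the user's group membership, which is exactly where the checklist above points.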
Troubleshooting Tips
- Shared Secret Mismatch: Double-check that the shared secret key configured on the switch matches the one on the AD server.
- Network Issues: Use tools like ping and traceroute to verify network connectivity between the switch and the AD server.
- NPS Configuration: Ensure the RADIUS client configuration on the NPS matches the IP address of the switch.
- NPS Logs: Check the NPS logs for detailed error messages and adjust configurations accordingly.
By following this comprehensive guide, you should be able to connect your Cisco switch to a Microsoft Active Directory server successfully, enabling centralized authentication and authorization for enhanced security and management.
Feel free to customize this guide based on your specific network environment and requirements.