In this guide, we will walk through the process of connecting a Cisco switch to a Microsoft Active Directory (AD) server for centralized authentication, authorization, and accounting (AAA). This setup leverages the RADIUS protocol to communicate between the switch and the AD server.


  • Cisco Switch: Ensure it is running an appropriate version of Cisco IOS.
  • Microsoft Active Directory Server: Should be up and running.
  • Network Connectivity: Ensure the switch and the AD server can communicate over the network.
  • Administrative Access: Required for both the switch and the AD server.

Step-by-Step Configuration

1. Configure the Cisco Switch

Step 1: Enable AAA

First, we need to enable AAA on the Cisco switch. AAA stands for Authentication, Authorization, and Accounting, which is a framework for intelligently controlling access to computer resources.

configure terminal
aaa new-model
Step 2: Configure the RADIUS Server

Next, add the AD server as a RADIUS server on the switch. You’ll need the IP address of the AD server and a shared secret key for secure communication.

radius server AD_RADIUS
 address ipv4 <AD_Server_IP> auth-port 1812 acct-port 1813
 key <shared_secret>

Replace <AD_Server_IP> with the IP address of your AD server and <shared_secret> with a secure shared secret key.

Step 3: Create a RADIUS Group

Create a RADIUS server group and include the AD server in this group.

aaa group server radius AD_GROUP
 server name AD_RADIUS
Step 4: Define AAA Authentication and Authorization

Configure the switch to use the RADIUS server for user authentication and authorization.

aaa authentication login default group AD_GROUP local
aaa authorization exec default group AD_GROUP if-authenticated
Step 5: Apply AAA to Console and VTY Lines

Apply the AAA authentication methods to the console and VTY (Virtual Teletype) lines to control access through these lines.

line con 0
 login authentication default
line vty 0 15
 login authentication default

2. Configure the Microsoft Active Directory Server

Step 1: Install the Network Policy Server (NPS) Role

NPS is a role in Windows Server that acts as a RADIUS server. If it’s not already installed, follow these steps:

  1. Open Server Manager.
  2. Click on Add Roles and Features.
  3. Follow the wizard and select Network Policy and Access Services.
  4. Complete the installation.
Step 2: Configure NPS
  1. Open Network Policy Server from the Administrative Tools.
  2. Right-click on RADIUS Clients and select New.
  3. Enter a friendly name for the client and the IP address of the Cisco switch.
  4. Enter the shared secret key (same as used in the switch configuration).
  5. Click OK to add the RADIUS client.
Step 3: Configure a Network Policy
  1. In the NPS console, expand Policies and select Network Policies.
  2. Right-click and choose New.
  3. Provide a name for the policy and define conditions, such as the user group membership.
  4. Configure authentication methods, ensuring MS-CHAP v2 is enabled.
  5. Define access permissions appropriate for your environment.
  6. Click Finish to create the policy.

3. Testing the Configuration

To ensure everything is set up correctly, test the configuration by attempting to log in to the Cisco switch using a domain user account.

  • Successful Login: If the login is successful, the configuration is correct.
  • Troubleshooting: If the login fails, verify the following:
  • Shared Secret: Ensure the shared secret matches on both the switch and the AD server.
  • Network Connectivity: Check that the switch and AD server can communicate over the network.
  • NPS Logs: Review the NPS logs on the AD server for any authentication errors.
  • User Account: Ensure the test user account is a member of the group defined in the NPS policy.

Troubleshooting Tips

  • Shared Secret Mismatch: Double-check that the shared secret key configured on the switch matches the one on the AD server.
  • Network Issues: Use tools like ping and traceroute to verify network connectivity between the switch and the AD server.
  • NPS Configuration: Ensure the RADIUS client configuration on the NPS matches the IP address of the switch.
  • NPS Logs: Check the NPS logs for detailed error messages and adjust configurations accordingly.

By following this comprehensive guide, you should be able to connect your Cisco switch to a Microsoft Active Directory server successfully, enabling centralized authentication and authorization for enhanced security and management.

Feel free to customize this guide based on your specific network environment and requirements.


An amateur radio operator, Royal Signals veteran, jack of all trades and master of none.

Leave a Reply

Your email address will not be published. Required fields are marked *