We want to authenticate and authorize users on Cisco devices against Microsoft Active Directory. In this tutorial we create two Active Directory groups, Network Admin and Network Tech. Members of Network Admin get full access to the Cisco devices (privilege level 15), while members of Network Tech get restricted access only (show commands, including show running-config, plus interface configuration).
arbab belongs to the Network Admin group
ali belongs to the Network Tech group
Network Policy and Access Services:
Before starting this tutorial, I assume that Active Directory is already installed and running. Let's start the tutorial by adding the NPS role:
Start -> Administrative Tools -> Server Manager
Click on Roles and then select the Add Roles:
Click Next:
Select Network Policy and Access Services and click Next:
Click Next:
Select Network Policy Server and click Next:
Click Install:
Click Close:
Configure the Cisco Router as a RADIUS Client in NPS:
Right click on RADIUS Clients and select New:
Fill in the information according to your environment: the router/switch friendly name, its IP address and the shared secret:
Note: NPS matches an incoming request to a RADIUS client by its source IP address and silently drops requests from unknown addresses, so enter the address the router will actually source its RADIUS packets from. The shared secret must be identical on the router and in NPS; it is the only thing that authenticates the router to NPS, so make it long and random.
Create an Active Directory User Group:
Next, we need to create an Active Directory group whose members will be allowed to access the routers/switches.
Start -> Administrative Tools -> Active Directory Users and Computers
Right click on Users, and select Group from the New menu:
Name your Group, select the Group scope and type:
Right Click on the newly created Group and select Properties:
Move to the Members tab and click on Add:
Select the desired member that you want to add to this group and click OK:
After adding all the desired members, click OK:
Create a Network Policy:
Right click on Network Policies and select New:
Give the policy a meaningful name and click Next:
Click on Add:
Select Windows Groups and click Add:
A popup window will be opened, click Add Groups on it:
Select the group we created above (or an existing group, if you prefer to use one) and click OK:
Again Click OK:
After Adding the Group, Click Next:
Select Access granted and click Next:
Uncheck the default options, check Unencrypted authentication (PAP, SPAP) and click Next:
Note: PAP is required because Cisco IOS sends RADIUS login passwords as PAP. On the wire the password is protected only by the MD5 stream derived from the shared secret, so anyone with the secret and a packet capture can recover it; use a strong secret and keep the router-to-NPS path on a management network.
Select No on the popup window:
Skip the Constraints page by clicking Next (or configure constraints according to your requirements):
On the Settings page, under RADIUS Attributes, remove the default standard attributes (Framed-Protocol and Service-Type) by selecting each one and clicking Remove:
After that click on Add:
Select Service-Type from Attributes and click on OK:
Select Login from Attribute Information:
It will return you to the previous page, from there select Close:
Select Vendor Specific under RADIUS Attributes and click Add:
From the Vendor, Select Cisco and Cisco-AV-Pair from Attributes and Click Add:
It will open popup window, select Add on this window:
Enter shell:priv-lvl=15 for the privilege level 15 group (Network Admin, with full access on the routers/switches) and click OK. This Cisco AV-pair is what the router reads during exec authorization to place the user directly at that privilege level:
After returning to the RADIUS Attributes window, click Next:
Click Finish:
Move this network policy to the top: NPS evaluates network policies in order and applies the first one whose conditions match, and the built-in policies below it deny access:
Cisco Router Configuration:
Check the IP address and ping the domain controller to verify connectivity:
show ip interface brief
Configure AAA, the RADIUS server group and the shared secret:
conf t
aaa new-model
aaa group server radius ADAAA
 server-private 192.168.179.250 key password
Note: ADAAA is just my group name, 192.168.179.250 is the IP address of the domain controller (where NPS runs) and password stands for the shared secret you entered for this RADIUS client in NPS; change all three according to your environment. The key is a shared secret, not a private key, so it has to match NPS exactly.
To enable authentication and exec authorization against the RADIUS group, use the following commands:
aaa authentication login default group ADAAA
aaa authorization exec default group ADAAA
Note: both method lists stop at the RADIUS group. If NPS is unreachable nobody can log in, and since the default list also applies to the console, that includes the console. Appending local to both commands (with a local username configured) gives you a fallback.
Now apply the authentication to the vty line(s):
line vty 0 4
 transport input telnet ssh
 login authentication default
Note: Telnet carries the AD password in clear text between the client and the router; once SSH works, restrict the line to transport input ssh.
Telnet/SSH to the Router from Client Machine:
Now, try to login to the router from the client machine using the Active Directory username and password:
Enter the username and password:
Success: arbab is authenticated against AD and, because of the exec authorization, lands directly at privilege level 15.
Create a new Network Policy with privilege level 3:
Members of this group can only check the configuration using show commands and configure interface(s).
Create a new Active Directory group (as above), assign the users to it, and create a new network policy following exactly the same steps as above, with one change at the Cisco-AV-Pair step:
shell:priv-lvl=3
Move this network policy to the top as well. The order between the two policies only matters for a user who is a member of both groups, because the first matching policy wins:
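The two network policies above and the router configuration above all come down to one RADIUS exchange per login. The Python below is an added example, not code from this tutorial or from NPS or IOS: it builds the Access-Request the router sends (PAP password obfuscation from RFC 2865 section 5.2), evaluates the policies first-match the way NPS does, builds the Access-Accept carrying Service-Type=Login and the Cisco-AV-Pair shell:priv-lvl=N, and reads the privilege level back the way the router does after checking the Response Authenticator. The users, groups, priv-lvl values and the shared secret "password" are the tutorial's; the sample passwords and the NAS address 192.168.179.1 are constructed for the example.

```python
"""Model of the RADIUS exchange behind the NPS policies and the router's AAA config.
Added example, not code from the tutorial, NPS or IOS.  Users, groups, privilege
levels and the shared secret "password" follow the tutorial; the passwords and the
NAS address 192.168.179.1 are constructed for this example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1                 # the "Login" value picked in the policy
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Specific: Cisco / cisco-avpair

# Tutorial's AD membership and policies, in NPS evaluation order (first match wins).
GROUPS = {"arbab": {"Network Admin"}, "ali": {"Network Tech"}}
POLICIES = [("Network Admin", 15), ("Network Tech", 3)]      # (Windows group, priv-lvl)
AD_PASSWORDS = {"arbab": b"Arbab-Pa55", "ali": b"Ali-Pa55"}  # constructed sample credentials

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out

def pap_decrypt(cipher, secret, authenticator):
    """Same stream in reverse: anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\0")

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor 9 / vendor type 1 (cisco-avpair)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident, user, password, secret, authenticator, nas_ip="192.168.179.1"):
    """What the router sends after 'aaa authentication login default group ADAAA'."""
    attrs = avp(USER_NAME, user.encode())
    attrs += avp(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
    attrs += avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return packet(ACCESS_REQUEST, ident, authenticator, attrs)

def nps_handle(request, secret):
    """NPS side: recover the PAP password, take the first matching policy, answer."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    user = attrs[USER_NAME].decode()
    password = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth)
    priv = next((p for group, p in POLICIES if group in GROUPS.get(user, ())), None)
    if priv is None or AD_PASSWORDS.get(user) != password:
        code, reply = ACCESS_REJECT, b""     # no matching policy or wrong password
    else:
        code = ACCESS_ACCEPT
        reply = avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + cisco_avpair(f"shell:priv-lvl={priv}")
    return packet(code, ident, response_authenticator(code, ident, req_auth, reply, secret), reply)

def reply_is_authentic(response, req_auth, secret):
    """The router's only integrity check on the reply: recompute the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    return response[4:20] == response_authenticator(code, ident, req_auth, response[20:length], secret)

def router_priv_level(response, req_auth, secret):
    """Router side: verify the reply, then apply shell:priv-lvl (exec authorization)."""
    if not reply_is_authentic(response, req_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    code, _, length = struct.unpack("!BBH", response[:4])
    if code != ACCESS_ACCEPT:
        return None                          # login refused
    for attr_type, value in parse_attrs(response[20:length]):
        if attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            text = value[6:4 + value[5]].decode()   # skip vendor id, vendor type, vendor length
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return 1                                 # accepted without priv-lvl: default exec level

def login(user, password, secret=b"password"):
    """One login end to end; returns the privilege level the user lands at, or None."""
    req_auth = os.urandom(16)                # router picks a fresh Request Authenticator
    response = nps_handle(build_access_request(7, user, password, secret, req_auth), secret)
    return router_priv_level(response, req_auth, secret)

if __name__ == "__main__":
    for user, pw in AD_PASSWORDS.items():
        print(user, "->", login(user, pw))   # arbab -> 15, ali -> 3
```

Running it prints arbab -> 15 and ali -> 3; a wrong password or a user in neither group gets an Access-Reject and no exec session. pap_decrypt is why the PAP setting in the policy matters: with the shared secret and a capture the password falls out. The Response Authenticator is the only thing the router has to detect a reply from the wrong server or a mis-keyed secret, and an Access-Accept that carries no shell:priv-lvl lands the user at level 1 rather than at 15.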
Test from Client Machine:
User ali belongs to the privilege level 3 group. Level 3 has no commands of its own beyond those of level 1 until you assign some, so ali can run basic show commands but cannot even view the running config:
To allow ali to view the running config, configure the router using a level 15 account or from the console:
privilege exec all level 3 show running-config
Now check that ali can view the running config (view full shows the complete configuration instead of only the commands available at ali's own level):
show running-config view full
User ali also cannot run the configure terminal command:
Allow ali to run configure terminal as well as the interface related commands:
privilege exec level 3 configure terminal
privilege configure all level 3 interface
Note: the all keyword grants every interface sub-command, shutdown and ip address included, so narrow it if that is more than the tech role should have. These privilege mappings are local to each device and must be repeated on every router/switch; RADIUS only returns the privilege level, and per-command authorization from a central server needs TACACS+.
Now, run configure terminal and interface commands again as user Ali:
Hope this will help you!