
Centralized Authentication for network devices with AAA server (Radius) and IAS

Why should I have centralized authentication? Or why should I integrate Active Directory with an AAA router?

Management becomes much easier. Strictly speaking this is not an integration of AD and AAA; what we do here is use the Active Directory user database to control access to routers and switches. You also no longer need to log in to every router and switch just to change a password. To get centralized authentication for all the network devices we configured Internet Authentication Service (IAS) on our Domain Controller to act as a RADIUS server. Using IAS we can build a centralized authentication server for all the network devices in both the Backbone and Master setups. An AAA client must also be configured on every network device so that it can communicate with the IAS server.

What if my RADIUS server fails?

In this blog post I will also cover the backup authentication method. If your RADIUS server fails, your routers and switches can still use their local database to authenticate users. A picture gives a better idea; refer to the snapshot below.



Installation of IAS Service and configuration in Win2k3

Follow these steps to install Internet Authentication Service on your Windows Server 2003 server.
  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.
  8. Then open IAS from Administrative Tools.

How to add a RADIUS Client in IAS?




Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in the figure below, enter a display name for the client (that is, your router or switch). I suggest using the router's hostname.
  3. Enter the LAN IP address of the client.
  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used XX as my test password. In production use a long, random key: with the PAP setting chosen later in the policy, this shared key is all that protects user passwords between the device and IAS.
  6. Click Finish. 


Create Remote Access Policy in IAS

Next, we need to create a remote access policy. Follow these steps:
  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it IMSA (for example), and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in the image below.
  7. Enter whatever group name you want to use. In this example, we're using a local Windows server group. You can also use a Windows AD group, which is of course preferable. The image below shows the Groups dialog with the Senthil_Test group listed.
  8. Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in the image below.
  9. Click Next, select Grant Remote Access Permission, and click Next.
  10. Click Edit Profile, and select the Authentication tab.
  11. Deselect all check boxes; select only the Unencrypted Authentication (PAP/SPAP) check box, as shown in the image below, and click OK. Cisco IOS sends login credentials to RADIUS as PAP, so this is the method that has to be enabled; the password is protected in transit only by the RADIUS shared key, which is why that key must be strong.
  12. Next, select the Advanced tab.
  13. Select Service-Type, and click Edit.
  14. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in the image below, and click OK.
  15. Back on the Advanced tab, select Framed-Protocol, and click Remove. The image below shows the resulting dialog box.
  16. All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in the image below.
  17. We're almost there. Click Next, click Finish, and that's it!

How to configure AAA on a Cisco router?

Enable AAA

Log in to the router as a privilege 15 user.
(config)# aaa new-model
The above command enables AAA on the network device.

Configure RADIUS server details
(config)# radius-server host 10.56.245.32 auth-port 1645 acct-port 1646 key KEY1
In the above command you specify the RADIUS server IP, the authentication and accounting ports, and the shared key; the key must match the one entered for this client in IAS.
(config)# ip radius source-interface Vlan1
The ip radius source-interface command sets the interface whose address is used as the source of RADIUS traffic. This address must be the one registered for the client in IAS, otherwise IAS will silently discard the requests as coming from an unknown client.

Configure AAA fallback to the local database of the router
(config)# aaa authentication login LIST1 group radius local
In the above command you specify the authentication method list (in our case LIST1) and the databases to try, in order. Note that IOS falls through to local only when the RADIUS servers do not respond; if IAS answers with an Access-Reject the login simply fails, which is the behaviour you want.

Creating a local user
I suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication methods radius and then local, the router falls back to local authentication if the RADIUS server ever goes down. Here's how to configure a local user:
(config)# username ops privilege 15 secret secretpass1
(config)# ip domain-name blogg.com
We also have to specify the domain with the ip domain-name command (the domain name is also required before RSA keys for SSH can be generated). This also acts as the name server.

Configure line connections to use AAA
Enter line configuration mode with the command below.
(config)# line vty 0 4
Now use the command below to tell the router to use AAA authentication for telnet and SSH connections (prefer SSH, since telnet sends the credentials in cleartext).
(config-line)# login authentication LIST1
That's all. Now all you have to do is verify the settings by testing the items below.
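The exchange the router and IAS perform under the PAP setting chosen above, as an added Python example (not code from this post, from IAS or from Cisco IOS): it builds the Access-Request a router would send for a LIST1 login, hides the password exactly as RFC 2865 specifies, and performs the server-side check. The user names, passwords, shared secret and addresses are constructed sample values.

```python
import hashlib
import struct

# RFC 2865 constants; added example, not code from the blog, IAS or Cisco IOS.
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # the Service-Type value the IAS profile above selects

def _attr(t, value):  # one Type-Length-Value attribute; length counts its 2-byte header
    return struct.pack("!BB", t, len(value) + 2) + value

def pap_password(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block),
    # the first "previous block" being the Request Authenticator. Nothing but the
    # shared secret protects the password on the wire, so it must be long and random.
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    # The request a router sends for a login via LIST1; authenticator = 16 random bytes.
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, pap_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(packet):
    # Returns (code, identifier, authenticator, {attr_type: [raw values]}).
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, ident, packet[4:20], attrs

def server_decision(packet, secret, user_db):
    # The check IAS performs: recover the PAP password and compare it with the account
    # store (user_db is a constructed dict standing in for the Windows group members).
    code, _, auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or not (USER_NAME in attrs and USER_PASSWORD in attrs):
        return "Access-Reject"
    pw = pap_password(attrs[USER_PASSWORD][0], secret, auth, decrypt=True)
    return "Access-Accept" if user_db.get(attrs[USER_NAME][0].decode()) == pw else "Access-Reject"
```

Calling server_decision with a different secret than the one used to build the request yields Access-Reject, which is how a shared-key mismatch between the radius-server host line and the IAS client entry shows up.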

Testing AD User Login

Try to telnet to any of the AAA clients.

Once it prompts for a username, enter your domain controller credentials (the blogg domain account) and press Enter.

You will be in privileged EXEC mode on the router.


Testing Fallback Support of AAA in Cisco Router

There are cases where you might lose connectivity to your IAS server from your network device. For that case you should also have a fallback so that you can log in with a local database user and start configuring your device.

I stopped the IAS service to test this fallback by going to Services.msc on the IAS server.

Later I tried to log in to one of the AAA clients. The image below shows this.


Now the local user ops is able to log in even though the IAS service is stopped. Thanks for visiting; please post your doubts in the comment box.

