Setting Up IAS For Network Device Authentication

Configurations that are only rarely completed can cause the most headaches and frustration, even if they are fairly simple.  Setting up new AAA RADIUS authentication to Microsoft IAS for administering network gear always seems to take longer than expected because of the little intricacies involved in getting the different pieces to talk to each other.  Here I will walk through the bare-bones basics of getting AAA authentication to my network gear working.

Lab Inventory Used

  • Authentication Server
    • Windows Server 2003 R2 Enterprise
  • Network Devices
    • Catalyst 3560

Set Up the Remote Access Policy in IAS

  1. Open the IAS Console, right-click on “Remote Access Policy” and select “New Remote Access Policy”
  2. The wizard will start.  At the “Policy Configuration Method” screen, choose “Set up a custom policy” and give the policy a descriptive name.
  3. Next is the “Policy Conditions” screen.  Here you define the checks that are applied to every incoming request to decide whether this policy applies.  To start with, add a “Windows-Groups” check.  Other checks can be added later to further narrow down the application of the policy.
  4. Choose the Active Directory group that the authorized network administrators are members of.
  5. On the “Permissions” page, choose to grant permission.
  6. Finish out the wizard.
  7. Cisco switches and routers use PAP as the authentication method for local processing.  By default the new remote access policy prohibits the use of unencrypted authentication methods.  To change this setting, edit the policy you just created and click “Edit Profile”.
  8. On the Authentication Tab, check the box next to “Unencrypted authentication (PAP, SPAP)”, and click OK.

Add the Network Device as a RADIUS Client

  1. Right-click on RADIUS Clients, and choose add new client.
  2. Enter a friendly name for the network device and the host name or IP address.
    Hint: The IP address used must be the address the network device will use to reach the RADIUS server.  If the network device has an IP address on the subnet with the RADIUS server, use that address.  Otherwise you can specify the address used for connecting to the RADIUS server with the command “ip radius source-interface type num”.
  3. On the Additional Information screen, check the drop-down list for Client-Vendor and locate the matching choice.  The default of “RADIUS Standard” should work for most equipment, Cisco included, but some vendors provide extra details in requests that can be useful.  Also enter the Shared Secret that will be used for communications between the network device and the server.
    Note: The shared secret is used to encrypt passwords in communications between the network device and the RADIUS server, not the whole packet.

Configuring a Cisco IOS Device to Use the IAS Server for Authentication

Note: The configuration below was taken from a Catalyst 3560 running IOS 12.2.  Other IOS devices will use a similar format, but there may be minor differences in syntax.

! Enable AAA on the device
aaa new-model

! Configure the source interface for radius traffic
ip radius source-interface type num

! Create a local username on the device to be used as a backdoor in case of radius failure
username Local-Admin privilege 15 password password

! Add the radius server
radius-server host ip-address key shared-secret

! Create a AAA Server Group
! The Group-Name will be used when configuring different authentication lists
aaa group server radius Group-Name
server ip-address

! Create an authentication list
! First the Radius Group will be tested, followed by the local aaa user database
aaa authentication login List-Name group Group-Name local

! Configure the vty lines to use the Authentication List
line vty 0 4
login authentication List-Name

Configuring Network Admin in Active Directory

  1. Add the Network Administrator into the Security Group configured during the “Remote Access Policy” configuration in IAS.
  2. Check the “Allow Access” box on the “Dial-in” tab of the user properties.
    Note: This is a requirement left over from the lineage of IAS and Routing and Remote Access configuration.  Having this box checked is a global requirement for any user being authenticated by IAS.

Troubleshooting Suggestions

  1. Refer to the logs on the switch/router as well as the System Event log on the Windows Server.
  2. System errors such as the one below don’t necessarily mean the username/password combination was incorrect.  Because the password is hashed using the shared secret, a typo there can result in an apparently incorrect password.  Double- and triple-check that the shared secrets match.
    Event Type:    Warning
    Event Source:    IAS
    User labadmin was denied access.
    Fully-Qualified-User-Name = PRES-LAB\labadmin
    Proxy-Policy-Name = Use Windows authentication for all users
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.
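
Why a shared-secret typo produces the “incorrect password” event above, and why the note in the RADIUS client section says only the password is protected: the sketch below is an added example, not part of the original article, that implements the User-Password hiding RFC 2865 defines for PAP. The password, secrets and Request Authenticator are constructed sample values.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Network device side: build the User-Password value (RFC 2865, 5.2)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte multiple
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Key stream block = MD5(shared secret + previous hidden block)
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the hiding with the server's copy of the secret."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")

# Constructed sample values (not from the article).
AUTHENTICATOR = bytes(range(16))        # 16-byte Request Authenticator
PASSWORD = b"Lab-Passw0rd!"             # what the admin typed at the vty prompt
DEVICE_SECRET = b"Sh4red-Secret"        # key on the "radius-server host" line
SERVER_SECRET_TYPO = b"Sh4red-Secert"   # mistyped on the IAS RADIUS client

def server_sees(server_secret: bytes) -> bytes:
    """Password the server would hand to Windows authentication."""
    hidden = hide_password(PASSWORD, DEVICE_SECRET, AUTHENTICATOR)
    return recover_password(hidden, server_secret, AUTHENTICATOR)

if __name__ == "__main__":
    print("matching secret :", server_sees(DEVICE_SECRET))
    print("mistyped secret :", server_sees(SERVER_SECRET_TYPO))
```

With the mistyped secret the server recovers random-looking bytes instead of the password, so Windows authentication fails exactly as it would for a wrong password.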