Setting Up IAS For Network Device Authentication

Configurations that are only rarely performed can cause the most headache and frustration even when they are fairly simple.  Setting up AAA RADIUS authentication against Microsoft IAS (Internet Authentication Service) for administering network gear always seems to take longer than expected because of the little intricacies involved in getting the different pieces to talk to each other.  Here I will walk through the bare-bones basics of getting AAA authentication to my network gear working.

Lab Inventory Used

  • Authentication Server
    • Windows Server 2003 R2 Enterprise
  • Network Devices
    • Catalyst 3560

Setup the Remote Access Policy in IAS

  1. Open the IAS console, right-click on “Remote Access Policies” and select “New Remote Access Policy”.
  2. The wizard starts.  At the “Policy Configuration Method” screen, choose “Set up a custom policy” and give the policy a descriptive name.
  3. Next is the “Policy Conditions” screen.  This is where you define the conditions that every incoming request is checked against to decide whether this policy applies.  To start with, add a “Windows-Groups” condition.  Other conditions (for example NAS-IP-Address or Client-Friendly-Name, to restrict the policy to requests coming from your network devices) can be added later to narrow down where the policy applies.  IAS evaluates policies from the top of the list down and uses the first one whose conditions match, so keep the policy order in mind once you have more than one.
  4. Choose the Active Directory group that the authorized network administrators are members of.  Keep this group small: membership in it is equivalent to privileged access to every device that points at this server.
  5. On the “Permissions” page, choose to grant remote access permission.
  6. Finish the wizard.
  7. Cisco IOS sends login credentials to RADIUS as PAP (the password travels in the User-Password attribute).  By default a new remote access policy prohibits unencrypted authentication methods, so the switch’s requests would be rejected.  To change this, open the properties of the policy you just created and click “Edit Profile”.
  8. On the Authentication tab, check the box next to “Unencrypted authentication (PAP, SPAP)” and click OK.  PAP means the password is protected on the wire only by the RADIUS shared-secret obfuscation, so keep the path between the network devices and the IAS server on a trusted management network.

Add the Network Device as a RADIUS Client

  1. Right-click on “RADIUS Clients” and choose to add a new client.
  2. Enter a friendly name for the network device and its host name or IP address.
    Hint: The IP address must be the source address the network device uses when it sends requests to the RADIUS server, because IAS matches the client entry on the packet’s source address and drops requests from addresses it does not know.  If the network device has an interface on the same subnet as the RADIUS server, that interface’s address is normally used.  Otherwise, pin the source address on the device with the command “ip radius source-interface type num”.
  3. On the Additional Information screen, check the Client-Vendor drop-down list for a matching entry.  The default of “RADIUS Standard” works for most equipment, Cisco included, but selecting the vendor is needed if you later want to use that vendor’s vendor-specific attributes in the policy.  Also enter the shared secret that will be used between the network device and the server; make it a long random string, not a word.
    Note: The shared secret hides only the User-Password attribute (the RFC 2865 obfuscation) and lets the device verify the server’s reply.  It does not encrypt the packet: the user name, the NAS address and every other attribute cross the network in cleartext, which is another reason to keep RADIUS traffic on a management network.

Configuring a Cisco IOS Device to Use the IAS Server for Authentication

Note: The configuration below was taken from a Catalyst 3560 running IOS 12.2.  Other IOS devices use a similar format, but there may be minor differences in syntax.

! Enable AAA on the device
aaa new-model

! Configure the source interface for radius traffic
ip radius source-interface type num

! Create a local fallback account for use when every RADIUS server is unreachable
! "secret" stores a salted MD5 hash; "password" would store a reversible type 7 string
username Local-Admin privilege 15 secret password

! Add the radius server
radius-server host ip-address key shared-secret

! Create a AAA Server Group
! The Group-Name will be used when configuring different authentication lists
aaa group server radius Group-Name
server ip-address

! Create an authentication list
! The RADIUS group is tried first; the local user database is consulted only if no server in the group answers
! A reject from RADIUS is final and does not fall through to the local account
! Without an exec authorization list, a RADIUS-authenticated user lands at privilege level 1 and must still "enable"
aaa authentication login List-Name group Group-Name local

! Apply the authentication list to the vty lines
! The console keeps the default login list until the same list is applied under "line con 0"
line vty 0 4
login authentication List-Name

Configuring Network Admin in Active Directory

  1. Add the network administrator to the security group chosen during the “Remote Access Policy” configuration in IAS.
  2. On the “Dial-in” tab of the user’s properties, make sure the remote access permission is not set to “Deny access”.  Either “Allow access” or “Control access through Remote Access Policy” works with the policy above; “Deny access” refuses the user regardless of what the policy says.  “Control access through Remote Access Policy” is the better choice where the domain supports it, since it keeps the decision in the policy instead of on each user object.
    Note: This is a requirement left over from the lineage of IAS and Routing and Remote Access.  The per-user dial-in permission is evaluated for every user authenticated by IAS, whatever kind of access is being requested, even though a switch login has nothing to do with dial-in.

Troubleshooting Suggestions

  1. Refer to the logs on the switch/router (“debug radius authentication” and “debug aaa authentication” show each request and which method answered it) as well as the System event log on the Windows server.
  2. An IAS event such as the one below does not necessarily mean the user name/password combination was wrong.  The password is hidden with a keystream derived from the shared secret, so a typo in the secret on either side makes IAS decode a garbage password and report an ordinary bad-password failure.  Double and triple check that the shared secrets match, and that the request arrived from the exact IP address configured for the RADIUS client.
    Event Type:    Warning
    Event Source:    IAS
    User labadmin was denied access.
    Fully-Qualified-User-Name = PRES-LAB\labadmin
    Proxy-Policy-Name = Use Windows authentication for all users
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.
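The shared-secret note in the RADIUS client section and the troubleshooting point above both come down to how RFC 2865 hides the User-Password attribute.  The following Python is an added example, not code from the original post or from IAS or IOS.  It builds a minimal Access-Request the way a switch would, decodes it the way the server would, and checks the reply’s Response Authenticator.  The user name labadmin, the password, the NAS address 10.1.1.2 and the secrets are constructed values for the demonstration.

```python
"""RFC 2865 User-Password hiding and Response Authenticator check.

Added example: shows what the RADIUS shared secret does and does not protect
when a switch authenticates an admin login against IAS.  All names, addresses
and secrets below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate the password as the NAS does (RFC 2865 section 5.2): pad to
    16-byte blocks and XOR each block with MD5(secret + previous block), where
    the first 'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password() as the server does.  With the wrong secret the
    keystream is wrong and the result is garbage, not an error."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # drop the NUL padding; passwords cannot contain NUL


def encode_attributes(attrs) -> bytes:
    """Type-length-value encoding of a list of (type, value) pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Return [(type, value), ...]; everything here is readable without the secret."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, identifier, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the same secret
    is what lets the NAS check that an Accept/Reject came from its server."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of a reply's authenticator against the request it answers."""
    expected = response_authenticator(response[0], response[1], request_auth,
                                      parse_attributes(response), secret)
    return hmac.compare_digest(response[4:20], expected)


def demo(secret_on_switch: bytes = b"lab-secret", secret_on_ias: bytes = b"lab-secret") -> dict:
    """One constructed exchange: the switch sends an Access-Request for 'labadmin',
    the server decodes it and answers.  Pass different secrets to see a mismatch."""
    real_password = b"Sw1tchP@ss"  # constructed
    request_auth = os.urandom(16)
    attrs = [
        (USER_NAME, b"labadmin"),
        (USER_PASSWORD, hide_password(real_password, secret_on_switch, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),  # constructed switch address
    ]
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)

    # Server side: decode with its own copy of the secret and "check the directory",
    # which here is a plain comparison against the constructed password.
    received = dict(parse_attributes(request))
    seen = reveal_password(received[USER_PASSWORD], secret_on_ias, request_auth)
    code = ACCESS_ACCEPT if seen == real_password else ACCESS_REJECT
    reply = build_packet(code, 7, response_authenticator(code, 7, request_auth, [], secret_on_ias), [])

    return {
        "user_name_in_clear": received[USER_NAME],
        "password_in_clear": real_password in request,
        "password_seen_by_server": seen,
        "accepted": code == ACCESS_ACCEPT,
        "reply_verified_by_switch": verify_response(reply, request_auth, secret_on_switch),
    }


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("typo on the server:", demo(secret_on_ias=b"lab-secert"))
```

Run it once with matching secrets and once with a one-character typo on the server side: the user name is readable in the packet either way, the password never is, and with the typo the server decodes garbage and answers Access-Reject, which IAS then logs as an unknown user name or incorrect password.  The switch also fails to verify that reply’s authenticator, because both sides derive it from their own copy of the secret.  The hiding is a stream of MD5 outputs XORed over one attribute, not encryption of the packet, which is why RADIUS belongs on a management network.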

New Year, New Networking Lab

I’ve decided to start off the new year by wiping the slate clean on my lab configuration and putting together a new configuration that will allow me to work on and test out some of the technologies that are relevant to me currently.  I’ve had many lab configurations over the years, and most of them have been pretty small and focused on working out a particular problem, or for prepping for the exam of the month.

This iteration of my lab will be a little different, in that I am aiming to mock-up, as close as I can with the resources at hand, an enterprise network complete with the traditional network layers, a data center, a dmz, WAN connections to remote offices, DMVPN over the Internet, remote access VPN, etc.  The end-goal is quite large, and it will take some time to completely get it up and running, but it will provide me a testbed for working with many aspects of enterprise networking.

As I work through the setup, I’ll be posting entries on progress, and specific configurations and tests I’ve completed.  Please leave any comments or suggestions for things to try or test out.

Goals for the Lab

Here is a short sampling of things I’m looking forward to setting up in the lab.

  • Cisco AnyConnect 3.0
  • Dynamic Access Policies
  • Secure Mobile Device Access – iPad, Laptop, Android, etc
  • 802.1x
  • MACSec
  • CiscoWorks LMS 4.0, Cisco Security Manager
  • DMVPN WAN Backup
  • Latest software versions (ASA 8.3/8.4, IOS 15.x)
  • Cisco Office Extend Access Point (OEAP)
  • Cisco CleanAir
  • Anything else I can get my hands on

Lab Diagram – Draft

Here is the network diagram I put together for what I’m looking to create in the lab.  It isn’t complete, or fully detailed, but it does provide a good representation of what I’m working on.  I’ll also be using it as a working draft and will update it as the lab comes together.