Network Policy Server and Cisco RADIUS Authentication
Setting up RADIUS authentication between Cisco devices and Network Policy Server (NPS) in Windows Server 2008 is a bit different than in previous versions of Windows.
Here is a technet page with lots of good info on NPS:
For now, I am just going to list the instructions needed to get up and going with NPS to allow your server to act as an authentication point for your Cisco switches/routers. This may work with other devices that can use RADIUS authentication, but I have not tested it. YMMV.
1. Install the Network Policy Server service. It is a component under ‘Network Policy and Access Services’.
2. Open the Network Policy Server console from Administrative Tools.
3. Create a new RADIUS client for the Cisco device. The process for this is very similar to the process in Server 2000/2003. You just need the device IP, choose the “RADIUS Standard” vendor type, and make up a shared secret.
4. “Register server in Active Directory” by right-clicking on the “NPS (local)” item in the console. This will allow NPS to query AD when an authentication request comes in.
5. Next, create a “Connection Request Policy”. This step is new in Server 2008 and was not required before; previously this was integrated into what was then called the remote access policy. The connection request policy doesn’t need to be anything complex. The first step is to set the network access server type to “Unspecified”.
Next, add at least one condition to the policy. I usually use the “day and time restrictions”, and then set it to ‘permitted’ 24×7. Obviously, the condition(s) you choose should conform to your company’s security policy, so you may need something different here.
Finally, On the Settings tab, under Authentication, choose the radio button for “Authenticate requests on this server”.
6. Create a Network Policy, formerly known as a remote access policy in previous versions of Windows Server. On the Overview tab, configure the policy to use the network access server type of “Unspecified”. In addition, set the access permission setting to “Grant Access”.
On the Conditions tab, add at least one condition. Typically, this will be the Windows Group that is allowed to log in to the network devices. As I said before, you may need to use different conditions than I show here due to your company security policy.
On the Constraints tab, the only change you should need to make is to enable the authentication method “Unencrypted authentication (PAP, SPAP)”.
Lastly, on the Settings tab, under Encryption, make sure that the “No Encryption” option is enabled.
7. Point your network device(s) at this server for authentication. The method for doing this varies depending on the make and model of your device. With recent IOS images on Cisco switches, the commands will look something like this.
! aaa new-model must be enabled before the aaa commands below are accepted
aaa new-model
aaa session-id common
! "local" is the fallback, so you are not locked out if the RADIUS server is unreachable
aaa authentication login default group radius local
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key putyoursecretkeyhere
8. Finally, test it!
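One way to test without touching a production switch is to send a RADIUS Access-Request yourself and check the reply. The script below is an added example, not part of the original post: it builds an RFC 2865 Access-Request the way a Cisco login session would (User-Name, PAP User-Password, NAS-IP-Address, Service-Type=Login), hides the password with the MD5 keystream the RFC specifies, and verifies the Response Authenticator on whatever comes back. The server address 10.0.0.1 matches the device config above; the NAS IP, user name, password and shared secret are constructed placeholders. It also shows why the “Unencrypted authentication (PAP)” method is not plaintext on the wire but is only as strong as the shared secret, which is the reason the secret should be long and random and the RADIUS traffic kept on a management network.

```python
"""Minimal RFC 2865 RADIUS client for checking an NPS/Cisco setup (added example)."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # value a Cisco device sends for an exec/login session


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret can do this, which is
    why the shared secret, not PAP itself, protects the password in transit."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, nas_ip: str) -> bytes:
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side construction of a reply (used here to exercise the verifier offline)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes):
    """Return the response code only if identifier, length and the Response
    Authenticator (MD5 over code|id|len|RequestAuth|attrs|secret) all check out."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def send_request(server: str, secret: bytes, username: str, password: str,
                 nas_ip: str, port: int = 1812, timeout: float = 3.0) -> str:
    req = build_access_request(1, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: check the RADIUS client entry, NAS IP and UDP 1812 reachability"
    code = verify_response(req, resp, secret)
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        code, "reply failed authenticator check (wrong shared secret?) or unknown code")


if __name__ == "__main__":
    # usage: python radius_check.py 10.0.0.1 putyoursecretkeyhere alice P@ssw0rd 10.0.0.50
    # (all values are placeholders; the NAS IP must match the RADIUS client entry in NPS)
    server, secret, user, pw, nas = sys.argv[1:6]
    print(send_request(server, secret.encode(), user, pw, nas))
```

A timeout almost always means NPS silently dropped the packet because the source address does not match a configured RADIUS client; a reply that fails the authenticator check points at a shared-secret mismatch; an Access-Reject with a good authenticator means the transport is fine and the Network Policy conditions are what to look at (the NPS event log will say which policy matched).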