Authentication by Radius on a Cisco device.


Intro:

Authentication is a critical part of administering your network devices. For the longest time, I know for a fact that a lot of companies have used a simple authentication mechanism: either a line password or, at best, local user database authentication. The inherent problem with these is that they are static entries, and on top of that, you have to configure them manually on all the devices in your network. If a change needs to occur, it requires logging in to all of the devices and changing the password (and/or username).

So for the fun of it, I decided to take a look at authenticating through a radius server. Most companies run Microsoft’s Active Directory service, which handles users and rights in a consistent manner across network boundaries. It would be a no-brainer to use this service for authenticating against. That’s exactly what I am going to describe here.

Please note that a lot of this information comes from here. I have included some of the information in the comments as well, because that seems to be necessary to get it working in some scenarios. I cannot explain why some more configuration is needed in some cases, and not in others. Must be a Microsoft thing.

Let’s take a look at the things we need to do in order to create a successful radius authentication.

  1. We need to install the radius server.
  2. We need to set up a list of clients (routers) that can authenticate against the server.
  3. We need to setup a list of criteria that must be met to authenticate.
  4. We need to setup a new group in Active Directory.
  5. We need to assign this group to an administrative user.
  6. We need to create the necessary Cisco configuration commands to tell the router to authenticate against the radius server.

This is the topology we are working with:

As can be seen, an administrator at the laptop in the bottom wants to log into the Managed Device. We want to be able to authenticate with the login/password of the administrator as he appears in the Active Directory.

Theory and Overview:

Before I go into the configuration itself, I want to provide a visual overview of what’s going to happen as we complete the login procedure.

Let’s run through the steps that the authentication process goes through in order to let the administrator into the managed device:

  1. The administrator telnets to the managed device, upon which he is presented with a prompt. At this prompt he will enter his login information.

  2. The administrator enters his credentials and these go to the radius server. A note about sending the login/password here: radius only encrypts (optional) the password, not the entire packet. This is a debug of what the Managed Device sends to the radius server:

As can be seen, I entered the username “imanadmin” and a bogus password. You can see that the last line indicates a failure in the authentication process. This means that the user is not allowed in, and he will be able to try again with the new prompt that appears. Below you can see a successful attempt:

Awesome, we got access 🙂

  3. The login information received by the radius server is then sent to the Active Directory service (AD), which can exist locally on the same server running the radius server, or it can be on a completely different server running the AD service. The login information is only sent to the AD if certain policies regarding the request have been obeyed. Among these is which device is sending the request (the managed device). At this point you also provide some criteria to send along to the AD to verify. In our example we will create a group in AD which the user must be a member of to authenticate.

  4. Now with authentication, all we want is a yes or no answer to our request to get access, so the AD only needs to say permit or deny. No matter what, it sends back one of these two answers to the radius server.

  5. The radius server relays this information (permit or deny) back to the managed device.

  6. The managed device will either permit or deny the user.
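
Step 2's note that only the password is protected can be made concrete. The block below is an added example, not part of the original post: it builds an Access-Request with the User-Password hidden as RFC 2865 section 5.2 describes, using the page's username "imanadmin" and shared secret "Pass1234"; the password, the fixed authenticator and all function names are constructed for illustration.

```python
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with an MD5 keystream."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev  # each hidden block keys the keystream of the next one
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, so knowing the shared secret is enough."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator) -> bytes:
    """Access-Request (code 1) with User-Name (type 1) and User-Password (type 2)."""
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type-length-value attributes that follow the 20-byte header."""
    end, pos, attrs = struct.unpack("!H", packet[2:4])[0], 20, {}
    while pos < end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

# Constructed sample values; a real client uses a fresh random authenticator per request.
SECRET, AUTH = b"Pass1234", bytes(range(16))
PACKET = build_access_request(1, b"imanadmin", b"constructed-pw", SECRET, AUTH)
ATTRS = parse_attributes(PACKET)
```

The User-Name attribute sits in the packet as readable bytes, while the User-Password can be recovered by anyone who holds the shared secret, so the strength of the key configured on the router and the radius server is what protects the password in transit.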

Configuration Part:

So let’s get down to the details of the configuration itself.

First off, you need to install the radius server on the server you have chosen for the task. This can be done by using the “Add Programs” part of the “Control Panel”. You need to go into “Add/Remove Windows Components”, and in the list that appears you choose “Networking Services”. At this point you add “Internet Authentication Service”:

Once that is done you will have a new option in the “Administrative Tools” menu, which is accessible from the “Start Menu”. This option is called “Internet Authentication Service”. Once you start up “Internet Authentication Service” you will see something like this:

As mentioned before, we need to do a couple of things. One of these is to create an AD group. This group will include members that are allowed to access this device, IF they are authenticated with their login and password. So let’s do that. You start up the “Active Directory Users and Computers”. For non-Microsoft folks, this is where you manage your users and resources. Here you add a group:

Now we add the administrative user to this group:

The last part of the AD section is to toggle a certain parameter. This parameter is what I mentioned before. Sometimes it works without, and sometimes it needs to be there. Let’s just set it no matter what. You need to toggle “Allow access” under the “Remote Access Permission” section. Here it is:

Now we are at the point where we have done all the AD work that we need to do. According to our steps outlined in the beginning, what we need to do is to configure the radius server itself along with configuring the Managed Device. Let’s begin with the radius server setup.

Take a look at the main menu of the “Internet Authentication Service” first:

Go into the RADIUS Clients section, right-click and select “New Radius Client”:

In the “Friendly name” field, you enter the hostname of the device that requests radius authentication. In our case that is the Managed Device (which actually has a hostname of R1). In the “Client address (IP or DNS):” field you type in the IP address of the interface that sources the request. After you have completed this, click Next.

In this next section, in the “Client-Vendor:” field, you have to select “Cisco”, and in the “Shared secret:” field, you enter the password you will use for communication between the radius server and the managed device. Remember this for later on 🙂 After you are done with this step, click Finish.

Go into the “Remote Access Policies” in the Internet Authentication Service and create a new policy. First, click Next. Choose to create a Custom policy. Give it a name; this name does not matter for operation. Click Next. In the next section you will set up the criteria we went through earlier. The first one is a criterion that states which hostnames should use this authentication policy. Click Add. Select the Client-Friendly-Name from the list.

Here I have typed “R*”. What this means is that as long as the hostname begins with R, this criterion is met. Click OK. Do another Add, select “Windows Groups”, and click Add. Here you select the group you previously defined in the AD:

Click Ok and Ok. Then click Next. The final step in the Internet Authentication Service Policy part is to tweak some things.

After you click Next, you will have the option to edit the profile; do that. Then go to the Authentication tab:

This is how it appears before any changes. What you will do is set a mark in “Unencrypted authentication (PAP, SPAP)”. After this, click Ok and Finish.

The very last step (I promise) is to set a Cisco variable for all Windows authentication. In your main Internet Authentication Service window, click “Connection Request Policies”. In the right-hand pane, right-click “Use Windows authentication for all users”; this presents you with the options for all requests requiring Windows authentication. Click “Edit Profile”, and in the new window that appears choose the Advanced tab and then click Add. This will give you a number of options to carry along in your radius request. Choose “Cisco-Av-Pair”, then add the value “shell:priv-lvl=15” so it will look like this:

Click Ok to all of it until you are at the Internet Authentication Service main window again.

We are now done with all the Windows stuff (phew). The Cisco step is A LOT easier 🙂

Log into your managed device and enter configuration mode:

Enable AAA (Authentication, Authorization, Accounting):

R1(config)#aaa new-model

Specify the radius server’s IP address:

R1(config)#radius-server host 192.168.1.1

Specify the key we want to use to communicate with the radius server (the one I told you to remember):

R1(config)#radius-server key Pass1234

Last, specify that you want to use radius for all login attempts:

R1(config)#aaa authentication login default group radius

That’s all there is to it, folks. It’s the Windows part that really takes the majority of the time to configure.

Now, when the administrator telnets to the device, the device will query the radius server with login information. The radius server will ask the AD if this user is really allowed into the device. In this case, the action is to permit, so the AD responds to the radius server. The radius server relays this information back to the managed device, which lets the user in.

Be aware, that if your radius server is on a routed network with firewalls, you will need to open up UDP port 1812 and/or UDP port 1645 depending on what radius server you are using and what version. The RFC changed this port some time ago. Now the official port is 1812.

I hope I sparked at least some interest in this functionality. At least it will make your life easier if you have quite a few different devices and want some sort of reasonable control over them.

Take care!