Do you password protect your network devices? If so, are you using the same generic password? Wouldn’t it be awesome to leverage your Active Directory logon to sign into your switches?
In this guide, we are going to enable AD authentication on network switches and routers. The workhorse will be the Network Policy Server role in Server 2012/R2. After our server configuration, we will then configure our switches to point to our NPS (RADIUS) device and change their authentication method.
Install and Configure Network Policy Server
As a best practice, use a dedicated server to handle device authentication. In the past, I made the mistake of adding the role to a Domain Controller – this complicated by environment later.
Start the Add Roles and Features Wizard and proceed to the Server Roles screen. Expand Network Policy and Access Services and check the Network Policy Server box. Continue through the Wizard.
From the tools menu, launch the Network Policy Server MMC. For this particular use of NPS, we are going to deal with three specific sections.
The first section, RADIUS Clients, will contain a list of the devices needing to authenticate against Active Directory. The second section, Connection Request Policies, determines what devices can authenticate. The final section, Network Polices, determines who can authenticated and how it is done.
Right click on RADIUS Clients and select New. Start your Friendly Name with a prefix (ex: “SW:” for switches); then finish the name of the network device. Enter the IP address of the device. Finally, enter a shared secret (password). I prefer to use a randomly generated secret that has been cut down to 12-16 characters. Copy this secret down – you will need to configure it on your network devices.
Create a single RADIUS client (preferably within the same subnet as your NPS server as this makes testing a bit easier). Head to the Connection Request Policies section. Right click on the default rule (Use Windows Authentication for All Users) and select Disable.
Create a new policy and name it something like Network Switches with AAA. Select next and add a new condition. Scroll down to RADIUS Client Properites and select Client Friendly Name. Enter SW:? for the name. SW: is the prefix that you used earlier. ? is a wildcard. This condition will apply to any RADIUS client that has a Friendly Name starting with this prefix. Continue through the wizard by accepting the default settings.
Right click on Network Policies and select New. Give your policy a descriptive name (ex: Network Switch Authentication for Domain Admins). Select next and add a new Windows Groups condition. Members of this group will be able to login to your network switches. Add a second condition and scroll down to Authentication Type. Check PAP and press OK.
Continue until you reach the Configure Authentication Methods window. Uncheck every item but PAP and press No to the prompt. Continue until you reach the Settings window. Change Service-Type to Administrative. Finish the wizard.
One last item to configure. Right click on your new policy and move it up until it’s processing order is 1. Here is a screenshot showing the finished result:
Configuring Your Switch to Support AAA for Active Directory Authentication
Launch a telnet session to one of your switches and paste in the following configuration changes. Be sure to change the RADIUS secret to match your RADIUS client. It is listed twice in the config. You will also need to change the IP to your authenticating server.
aaa authentication console enable radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode
radius-server key INSERT-YOUR-SECRET-HERE
radius-server host 192.168.0.2 INSERT-YOUR-SECRET-HERE auth-port 1645 acct-port 1646
radius-server host 192.168.0.2 auth-port 1645
radius-server host 192.168.0.2 acct-port 1646
This configuration should work on all HP Procurve switches. I would believe Cisco switches work just fine as well. If you use this on any other type and it works, leave a comment to let me know. The last three lines are included because some HP switches didn’t like the auth-port and acct-port parameters in the same line. Do not close this telnet window yet!
After pasting the config, launch a second telnet session to your switch. You should notice a new logon screen that prompts for a login name/login as. Login as yourself and ensure that it is successful. If so, write the config to memory and close both telnet sessions.
If you have problems, check the following:
- Do your secrets match up? If you are unsure, set both secrets (on the switch and in NPS) to test
- Is the IP correct in the config? Can you ping that IP from the switch?
- Do you have a firewall blocking ports 1645 and 1646?