
Tuesday 3 August 2010

how to configure Microsoft Network Policy Server with Cisco router using RADIUS

I couldn’t find anyone who had done this previously on the internet, so I decided to write my own guide to hopefully save someone else some time and effort. I did however find a few pages which helped in the process of setting this up, which are listed below.

Before you begin.

OK, so assuming you already have Microsoft Network Policy Server installed on a Win2k8 server and your Cisco device up and running and ready to be configured for AAA (RADIUS authentication), the following steps will guide you through setting up both devices to talk to each other.
I have modified some of the public IP addresses in this guide for security reasons.

Configuring Cisco Router.

Below is the configuration required on your Cisco device to enable RADIUS authentication. 172.27.109.245 is the IP address of the Network Policy Server. Set your radius-server key with #radius-server key 0 <key> (the "key 7" form shown below is how IOS displays the stored key in the running config; the key value itself is not shown here).
#aaa authentication login userauthen group radius local
#radius-server host 172.27.109.245 auth-port 1645 acct-port 1646
#radius-server key 7 

Configuring NPS.




To configure Microsoft Network Policy Server, open up NPS (Administrative Tools –> NPS). Right click RADIUS Clients and select “New”.


Enter your Cisco router details. Address is the IP address of your Cisco router. Shared Secret is the same key you set with #radius-server key 0.


Keep all the defaults on the Advanced tab.



Create a new Connection Request Policy (right click, New).



Configure your policy name and set the type of network access server to “Unspecified”.



Set your conditions to NAS IPv4 Address, where the address is the IP of your Cisco router (this means NPS will only allow connection requests that match the values in the conditions).



Keep all settings at their defaults.



Create a Network Policy which permits users in a specific Windows group to authenticate via RADIUS.



Set the type of network access server to “Unspecified”.



Set your conditions to Windows Groups, where the Windows group is the group of users you wish to permit to authenticate via RADIUS.



Set the Constraints to use only the less secure method “Unencrypted authentication (PAP, SPAP)”.
This authentication method is definitely less secure than the others available. You should only allow this kind of authentication to traverse a private network segment. I know some people may be thinking “I want my authentication requests sent across the wire in a more secure fashion”; this was the only way I could get NPS to authenticate RADIUS requests. If this method does not meet your security requirements you may need to look at an alternate method.



Keep all settings at their defaults.



That's pretty much it! I have also included a screenshot of a user in Active Directory whose account is set up correctly.
A couple of things to note: on the “Dial-in” tab make sure that the radio button is set to “Control access through NPS Network Policy”, and make sure you have registered your NPS in Active Directory (in NPS, right click NPS (Local) –> Register server in Active Directory).
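The policies above can be checked from a workstation before the router is pointed at NPS by sending the same PAP Access-Request the router sends. This is an added example, not code from the original post; it assumes the test host's own IP address has been added as a RADIUS client in NPS with the same shared secret, and the server address, secret and credentials are placeholders. It also checks the Response Authenticator, so an Access-Accept that was not produced with the shared secret is not trusted.

```python
import hashlib, os, socket, struct

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte chunk with MD5(secret + previous block).
    Only the shared secret hides the password, which is why PAP is the less secure option."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator):
    """Same core attribute set the router sends in the debug output further down."""
    attrs = (attr(1, user.encode())                                            # User-Name
             + attr(2, pap_encrypt(password.encode(), secret, authenticator))  # User-Password
             + attr(4, socket.inet_aton(nas_ip))                               # NAS-IP-Address
             + attr(5, struct.pack("!I", 0))                                   # NAS-Port 0
             + attr(61, struct.pack("!I", 5)))                                 # NAS-Port-Type Virtual
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def check_response(resp, ident, request_auth, secret):
    """Name the reply only if its ID and Response Authenticator match; forged or replayed replies give None."""
    if len(resp) < 20 or resp[1] != ident:
        return None
    if response_authenticator(resp[:4], request_auth, resp[20:], secret) != resp[4:20]:
        return None
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(resp[0])

def radius_auth(server, secret, user, password, nas_ip, port=1645, timeout=3.0):
    """Send one PAP request; nas_ip is what the NAS IPv4 Address condition in the policy sees."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, user, password, secret, nas_ip, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None  # NPS silently discards requests from unregistered clients
    return check_response(resp, ident, request_auth, secret)
```

Port 1645 matches the auth-port in the router configuration; NPS listens on 1645 and 1812 by default, so either works. Call it as radius_auth("172.27.109.245", b"<shared-secret>", "admin", "<password>", "172.27.109.253") with your own values.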


Troubleshooting.

Cisco Router

Enable debugging on your Cisco router and send log output to your terminal:
#debug aaa authentication

#debug radius
#term mon (#no term mon ~ to turn it off)
Below is the output of a successful authentication request to Microsoft NPS:
002958: Jul 28 15:48:11.440 AEST: AAA/AUTHEN/LOGIN (00000058): Pick method list 'userauthen'
002959: Jul 28 15:48:11.440 AEST: RADIUS/ENCODE(00000058):Orig. component type = VPN_IPSEC
002960: Jul 28 15:48:11.440 AEST: RADIUS:  AAA Unsupported Attr: interface         [158] 13
002961: Jul 28 15:48:11.440 AEST: RADIUS:   31 36 35 2E 32 32 38 2E 32 30 2E                 [165.228.20.]
002962: Jul 28 15:48:11.444 AEST: RADIUS/ENCODE(00000058): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
002963: Jul 28 15:48:11.444 AEST: RADIUS(00000058): Config NAS IP: 0.0.0.0
002964: Jul 28 15:48:11.444 AEST: RADIUS/ENCODE(00000058): acct_session_id: 84
002965: Jul 28 15:48:11.444 AEST: RADIUS(00000058): sending
002966: Jul 28 15:48:11.444 AEST: RADIUS/ENCODE: Best Local IP-Address 172.27.109.253 for Radius-Server 172.27.109.245
002967: Jul 28 15:48:11.444 AEST: RADIUS(00000058): Send Access-Request to 172.27.109.245:1645 id 1645/63, len 99
002968: Jul 28 15:48:11.444 AEST: RADIUS:  authenticator 70 A4 A4 25 56 F0 3A 08 - E8 29 C9 07 9F 4A ED F6
002969: Jul 28 15:48:11.444 AEST: RADIUS:  User-Name           [1]   12  "admin"
002970: Jul 28 15:48:11.444 AEST: RADIUS:  User-Password       [2]   18  *
002971: Jul 28 15:48:11.444 AEST: RADIUS:  Calling-Station-Id  [31]  16  "CISCO VPN CLIENT PUBLIC IP ADDRESS"
002972: Jul 28 15:48:11.444 AEST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
002973: Jul 28 15:48:11.444 AEST: RADIUS:  NAS-Port            [5]   6   0
002974: Jul 28 15:48:11.444 AEST: RADIUS:  NAS-Port-Id         [87]  15  "PUBLIC IP ADDRESS OF CISCO ROUTER"
002975: Jul 28 15:48:11.444 AEST: RADIUS:  NAS-IP-Address      [4]   6   172.27.109.253
002976: Jul 28 15:48:11.452 AEST: RADIUS: Received from id 1645/63 172.27.109.245:1645, Access-Accept, len 102
002977: Jul 28 15:48:11.452 AEST: RADIUS:  authenticator 6B F9 1F 36 C1 C8 8A B8 - EA 53 75 3B 40 C9 6F B2
002978: Jul 28 15:48:11.452 AEST: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
002979: Jul 28 15:48:11.452 AEST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
002980: Jul 28 15:48:11.452 AEST: RADIUS:  Class               [25]  46
002981: Jul 28 15:48:11.452 AEST: RADIUS:   D5 70 0A C8 00 00 01 37 00 01 02 00 AC 1B 6D F5  [?p?????7??????m?]
002982: Jul 28 15:48:11.452 AEST: RADIUS:   00 00 00 00 C8 EE 6F C3 4D B6 14 82 01 CB 2E 14  [??????o?M?????.?]
002983: Jul 28 15:48:11.452 AEST: RADIUS:   A5 E3 53 E2 00 00 00 00 00 00 00 17              [??S?????????]
002984: Jul 28 15:48:11.452 AEST: RADIUS:  Vendor, Microsoft   [26]  12
002985: Jul 28 15:48:11.452 AEST: RADIUS:   MS-Link-Util-Thresh[14]  6
002986: Jul 28 15:48:11.452 AEST: RADIUS:   00 00 00 32                                      [???2]
002987: Jul 28 15:48:11.452 AEST: RADIUS:  Vendor, Microsoft   [26]  12
002988: Jul 28 15:48:11.452 AEST: RADIUS:   MS-Link-Drop-Time-L[15]  6
002989: Jul 28 15:48:11.452 AEST: RADIUS:   00 00 00 78                                      [???x]
002990: Jul 28 15:48:11.456 AEST: RADIUS(00000058): Received from id 1645/63
002991: Jul 28 15:48:11.456 AEST: RADIUS: Constructed " ppp negotiate"

Microsoft NPS

I had issues reading the original IAS-formatted logs, shown below.
C:\Windows\System32\LogFiles\iaslog.log (not sure if this is the original path to the log)

172.27.109.253,admin,07/28/2010,15:53:03,IAS,BADC02,31,1.1.1.1,61,5,5,0,87,1.1.1.2,4,172.27.109.253,4108,172.27.109.253,4116,0,4128,Cisco Router,4154,NAS IP,4155,1,4129,BA\admin,4127,1,4149,default,25,311 1 172.27.109.245 07/28/2010 05:20:52 24,8136,1,8153,0,8111,0,4130,ba/Users/admin,4136,1,4142,0

172.27.109.253,admin,07/28/2010,15:53:03,IAS,BADC02,25,311 1 172.27.109.245 07/28/2010 05:20:52 24,8153,0,8111,0,4130,ba/Users/admin,4294967209,120,4294967210,50,4108,172.27.109.253,4116,0,4128,Cisco Router,4154,NAS IP,4155,1,4129,BA\admin,4127,1,4149,default,8136,1,7,1,6,2,4136,2,4142,0

So I installed the below tool, which made it easier to read! IAS LOG VIEWER v2.67 by Deepsoftware (http://www.deepsoftware.ru/iasviewer/)
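The IAS format is six fixed fields (NAS IP, user, date, time, service, computer name) followed by attribute-number/value pairs, so it can be decoded without a viewer. This added example (not from the original post and unrelated to the tool above) parses the two log lines above plus a constructed Access-Reject line and flags failed requests; the attribute names are the standard RADIUS numbers and the IAS-specific ids that appear in these lines, and unknown ids are kept numerically.

```python
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
# Standard RADIUS attribute numbers plus the IAS-specific ids seen in the log above.
ATTR_NAMES = {
    "4": "NAS-IP-Address", "5": "NAS-Port", "6": "Service-Type", "7": "Framed-Protocol",
    "25": "Class", "31": "Calling-Station-Id", "61": "NAS-Port-Type", "87": "NAS-Port-Id",
    "4108": "Client-IP-Address", "4116": "NAS-Manufacturer", "4127": "Authentication-Type",
    "4128": "Client-Friendly-Name", "4129": "SAM-Account-Name",
    "4130": "Fully-Qualified-User-Name", "4136": "Packet-Type", "4142": "Reason-Code",
    "4149": "NP-Policy-Name", "4154": "Proxy-Policy-Name", "4155": "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAPv2", "5": "EAP"}

# The two lines from the post, plus a constructed Access-Reject (Packet-Type 3) for a user "guest".
SAMPLE_LOG = r"""
172.27.109.253,admin,07/28/2010,15:53:03,IAS,BADC02,31,1.1.1.1,61,5,5,0,87,1.1.1.2,4,172.27.109.253,4108,172.27.109.253,4116,0,4128,Cisco Router,4154,NAS IP,4155,1,4129,BA\admin,4127,1,4149,default,25,311 1 172.27.109.245 07/28/2010 05:20:52 24,8136,1,8153,0,8111,0,4130,ba/Users/admin,4136,1,4142,0
172.27.109.253,admin,07/28/2010,15:53:03,IAS,BADC02,25,311 1 172.27.109.245 07/28/2010 05:20:52 24,8153,0,8111,0,4130,ba/Users/admin,4294967209,120,4294967210,50,4108,172.27.109.253,4116,0,4128,Cisco Router,4154,NAS IP,4155,1,4129,BA\admin,4127,1,4149,default,8136,1,7,1,6,2,4136,2,4142,0
172.27.109.253,guest,07/28/2010,15:55:10,IAS,BADC02,31,1.1.1.1,4,172.27.109.253,4108,172.27.109.253,4128,Cisco Router,4154,NAS IP,4155,1,4129,BA\guest,4127,1,4149,default,4130,ba/Users/guest,4136,3,4142,16
""".strip().splitlines()

def parse_ias_line(line: str) -> dict:
    """Six fixed fields, then alternating attribute-id,value pairs."""
    fields = line.strip().split(",")
    rec = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]
    if len(pairs) % 2:
        raise ValueError("unbalanced attribute/value pairs: " + line[:40])
    for aid, val in zip(pairs[::2], pairs[1::2]):
        rec[ATTR_NAMES.get(aid, "attr-" + aid)] = val
    return rec

def summarize(rec: dict) -> str:
    """One readable line per record: who, from which RADIUS client, which policy, and the outcome."""
    ptype = PACKET_TYPES.get(rec.get("Packet-Type"), "Packet-Type " + str(rec.get("Packet-Type")))
    return "%s %s %s user=%s client=%s(%s) auth=%s policy=%s reason=%s" % (
        rec["Record-Date"], rec["Record-Time"], ptype, rec.get("SAM-Account-Name", rec["User-Name"]),
        rec.get("Client-Friendly-Name"), rec["NAS-IP-Address"],
        AUTH_TYPES.get(rec.get("Authentication-Type"), "?"), rec.get("NP-Policy-Name"), rec.get("Reason-Code"))

def failures(lines) -> list:
    """Records NPS rejected (Packet-Type 3) or that carry a non-zero Reason-Code (0 is success)."""
    recs = [parse_ias_line(l) for l in lines if l.strip()]
    return [r for r in recs if r.get("Packet-Type") == "3" or r.get("Reason-Code", "0") != "0"]
```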
