The two main chassis I used are from Hewlett Packard:
- HP Procurve 5406 – J9823A
- HP Procurve 5412 – J9532A
- Build RADIUS server
- Configure RADIUS server
- Add a RADIUS Client
- Create Connection Request Policy
- Create Network Policy
- Configure switch.
1. – BUILD RADIUS SERVER
For the server we use Windows Server 2008 R2.
Go to Administrative Tools –> Server Manager, make sure Roles is selected in the left pane and click Add Roles on the far right.
Select the Network Policy and Access Services role and click Next.
Select the Network Policy Server role service; the other role services are not required.
Click Next through the remaining option pages to complete the install.
2. – CONFIGURE RADIUS SERVER
2.1 – Add a RADIUS client
Open Network Policy Server from Administrative Tools, expand RADIUS Clients and Servers, then right click on RADIUS Clients –> New.
When you create the shared secret (key), make a note of it, as it will be needed for the switch configuration later.
Be aware that if using an IP range for the RADIUS client, you must enter it as a bitmask, i.e. the number of bits in the network address. In this case 24, which is equivalent to a subnet mask of 255.255.255.0.
2.2 – Create Connection Request Policy
Expand Policies, right click on Connection Request Policy and click ‘New’.
Configure the Connection Request Policy (CRP) as:
- NAS IPv4 Address = Switch management address range, eg 192.168.3.*
- Authentication Provider = Local Computer
- Override Authentication = Disabled
Just to confuse people, the NAS IPv4 Address condition takes a wildcard for a range of IPs, not the bitmask you used when you created the RADIUS client.
2.3 – Create Network Policy
Configure the Network Policy (NP) as:
- Authentication Type = PAP
- User Groups = The domain user group, eg CIFT\IT
- Extended State = <blank>
- Access Permission = Grant Access
- Authentication Method = Unencrypted Authentication (PAP, SPAP)
- NAP Enforcement = Allow full network access
- Framed-Protocol = PPP
- Service-Type = Administrative
3. – SWITCH CONFIGURATION
Add the RADIUS server and key:
radius-server host <NPS ServerIP> key <SecretKey>
Disable Telnet and web access.
Once authenticated, go straight to privilege/enable mode:
aaa authentication login privilege-mode
Set the console and SSH authentication order to RADIUS then local:
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
Set a local manager password to use when the RADIUS server is unavailable:
password manager user admin plaintext
Be aware that local authentication will only be used if the RADIUS server does not respond, and it will take several failed attempts to contact the server before you get a local authentication prompt.
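The exchange configured above, as an added example that is not from the original post: it builds the RFC 2865 Access-Request an HP switch (the NAS) sends to NPS for a PAP admin login, carrying User-Name, User-Password, NAS-IP-Address and Service-Type = Administrative, and shows that the PAP password is only masked with MD5(shared key + authenticator), so the key from step 2.1 and the RADIUS-client IP range are what actually protect these logins. The username, password, secret and addresses are constructed sample values.

```python
"""RADIUS Access-Request for a PAP switch login (RFC 2865), as an added example.
With PAP the password is only XOR-masked using MD5(secret + authenticator), so
the NPS shared key and the RADIUS-client IP range are what protect logins."""
import hashlib
import os
import struct

# RFC 2865 code and attribute types; Service-Type 6 = Administrative-User,
# the value the post's Network Policy requires.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE_USER = 6


def mask_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Section 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    ciphertext block), chaining from the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unmask_password(masked: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of mask_password: the shared secret alone recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(masked), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = masked[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # TLV, length includes header


def build_access_request(username: str, password: str, nas_ip: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Packet the switch sends to NPS; NAS-IP-Address is what the RADIUS client range matches."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, mask_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs
```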
4. – DEBUGGING
To see all the authentication attempts from the RADIUS clients on the NPS server, open Event Viewer and go to Custom Views –> Server Roles –> Network Policy and Access Server.
Clicking on one of the events will display information similar to the following:
This is split up into sections:
- User – The username used to authenticate with the NPS server
- Client Machine – The hardware address of the device the user was using. Not populated here, as you are authenticating directly from the RADIUS client (the switch) rather than from a PC that forwards to the client, which in turn forwards to the NPS server
- NAS – The device the authentication request is coming from, in this example the 5406 switch
- Radius Client – The configured RADIUS client being used
- Authentication Details – Which Connection Request Policy and Network Policy are being used
A failed authentication would show no Network Policy Name, as long as you’ve disabled the default policies after installing the NPS role.
From my example configuration you can see how it matches the event output:
The RADIUS client is called NET-DEVICES (using IP range 192.168.3.0/24), but the event will show the IP of the device rather than the configured client range, which is far more useful.
The Authentication Details show the CRP and NP being used (to keep it simple I’ve called them both NET-DEVICES), the authentication server (useful if you forward events to another server) and the authentication type.