Introduction
This document describes the procedure of Remote Authentication Dial-In User Service (RADIUS) configuration on Cisco Wide Area Application Services (WAAS) and Windows 2008 R2 Network Policy Server (NPS).
The default WAAS configuration uses local authentication. Cisco WAAS also supports RADIUS and Terminal Access Controller Access-Control System Plus (TACACS+) for Authentication, Authorization, and Accounting (AAA). This document covers the configuration for one device only; the same configuration can also be applied under a device group. All of the configuration must be applied via the WAAS CM GUI.
General WAAS AAA configuration is described in the Cisco Wide Area Application Services Configuration Guide, in the chapter Configuring Administrative Login Authentication, Authorization, and Accounting.
Contributed by Hamilan Gnanabaskaran, Cisco TAC Engineer.
Edited by Sanaz Tayyar, Cisco TAC Engineer.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- WAAS 5.x or 6.x
- Windows NPS server
- AAA - RADIUS
Components Used
The information in this document is based on these software and hardware versions:
- Cisco WAAS - Virtual Central Manager (vCM)
- WAAS 6.2.3.b
- Windows 2008 NPS
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a default configuration. If your network is live, ensure that you understand the potential impact of any command.
Related Products
This document can also be applied with these hardware and software versions:
- vWAAS, ISR-WAAS and all the WAAS appliances
- WAAS 5.x or WAAS 6.x
- WAAS as Central Manager, Application Accelerator
Note: AppNav-XE does not support this configuration. For AppNav-XE, the router AAA configuration is pushed to the device instead.
Configuration Steps
These configurations need to be applied:
1. WAAS Central manager
1.1 AAA RADIUS configuration
1.2 AAA Authentication configuration
2. Windows 2008 R2 - NPS server configuration
2.1 RADIUS Clients Configuration
2.2 Network Policy Configuration
3. WAAS CM configuration for RADIUS User Accounts
1. WAAS Central Manager
1.1 In the WAAS Central Manager, create the RADIUS server under Configure > Security > AAA > RADIUS.
1.2 Configure the authentication method to use RADIUS under Configure > Security > AAA > Authentication Methods.
The primary authentication method is set to RADIUS and the secondary authentication method is set to local, so that in the event of a RADIUS failure the customer can still log in with a local account.
2. Windows 2008 R2 - NPS Server Configuration
2.1 In the Windows 2008 R2 - NPS server, create the WAAS device IP address as a RADIUS client.
2.2 In the Windows 2008 R2 - NPS server, create a network policy that matches the WAAS devices and allows authentication.
In the lab, these parameters must be selected under NPS > Policies > Network Policy:
- Condition: matched on the RADIUS Client Friendly Name. Other conditions can be used instead, such as the client IP address.
- Authentication Methods: Unencrypted Authentication (PAP, SPAP).
- Service-Type: Administrative.
- Vendor Specific Attribute: Cisco-AV-Pair (Shell:priv-lvl=15).
- Allow Full Network Access.
3. WAAS CM configuration for RADIUS User Accounts
Configuring a user in RADIUS with privilege level 15 or 1 does not by itself grant access to the WAAS CM GUI. The CMS database maintains its own list of users, roles, and domains, separate from the external AAA server.
After the external AAA server has been configured correctly to authenticate a user, the CM GUI must still be configured to give that user the roles and domains needed to work within the CM GUI.
If the RADIUS user is not defined in the CM under Users, logging in to the GUI with that user displays this message: "Your account does not have privileges to access any of the Central Manager Pages. Please Check with you Administrator about Provisioned roles and domains."
Configure the local username under WAAS CM without a password.
The username must be bound to the right roles under Role Management for each user.
If the user needs read-only or otherwise limited access, this is configured under roles.
Verification
This configuration is pushed to the WAAS devices:
radius-server key ****
radius-server host 10.66.86.125 auth-port 1645
!
authentication login local enable secondary
authentication login radius enable primary
authentication configuration local enable secondary
authentication configuration radius enable primary
authentication fail-over server-unreachable
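As an added check (example code, not part of the document or of WAAS), the following function reads a device's running configuration and reports whether the pushed AAA lines match the intended design: a RADIUS host and key present, RADIUS primary and local secondary for both login and configuration, and the fail-over line present. The `authentication fail-over server-unreachable` line restricts fallback to the secondary (local) method to the case where the RADIUS server cannot be reached; without it a RADIUS reject could also fall through to local accounts, which is the condition the check flags. The sample configuration is the one shown above.

```python
# Sample input: the configuration pushed to the WAAS device, as shown in the document.
SAMPLE_CONFIG = """\
radius-server key ****
radius-server host 10.66.86.125 auth-port 1645
!
authentication login local enable secondary
authentication login radius enable primary
authentication configuration local enable secondary
authentication configuration radius enable primary
authentication fail-over server-unreachable
"""


def check_waas_aaa(config: str) -> list:
    """Return a list of findings; an empty list means the AAA design above is in place."""
    lines = {line.strip() for line in config.splitlines()}
    findings = []
    if not any(line.startswith("radius-server host ") for line in lines):
        findings.append("no radius-server host configured")
    if not any(line.startswith("radius-server key") for line in lines):
        findings.append("no radius-server key configured")
    for scope in ("login", "configuration"):
        if f"authentication {scope} radius enable primary" not in lines:
            findings.append(f"{scope}: RADIUS is not the primary method")
        if f"authentication {scope} local enable secondary" not in lines:
            findings.append(f"{scope}: local is not the secondary method")
        if f"authentication {scope} local enable primary" in lines:
            findings.append(f"{scope}: local is primary, so the RADIUS policy is bypassed")
    if "authentication fail-over server-unreachable" not in lines:
        findings.append("fail-over not limited to server-unreachable: "
                        "a RADIUS reject could fall through to local accounts")
    return findings


if __name__ == "__main__":
    print(check_waas_aaa(SAMPLE_CONFIG))  # [] for the configuration above
```

Feed it the output of `show running-config` from the device; the function only looks at exact line matches, so lines with extra options (for example a second `radius-server host`) are still counted as present.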
The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.
- authentication - Configure Authentication
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
- Check the Windows domain logs.
- Run #debug aaa authorization from the WAAS CM CLI.
Related Information