Configure External Authentication on Catalyst Center using Windows Server

Available Languages

Download Options

  • PDF     (2.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.5 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 11, 2024
Document ID:221872

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure External Authentication in Cisco DNA Center using Network Policy Server (NPS) in Windows Server as RADIUS.

    Prerequisites

    Requirements

    Basic Knowledge on:

    • Cisco DNA Center Users & Roles
    • Windows Server Network Policy Server, RADIUS and Active Directory

    Components Used

    • Cisco DNA Center 2.3.5.x
    • Microsoft Windows Server Version 2019 acting as Domain Controller, DNS Server, NPS and Active Directory

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    note-icon

    Note: The Cisco Technical Assistance Center (TAC) does not provide technical support to the Microsoft Windows Server. If you experience issues with the Microsoft Windows Server configuration, please contact Microsoft Support for technical assistance.

    Configure

    Admin Role Policy

    1. Click in the Windows Start menu and search for NPS. Then select Network Policy Server:
      Windows Start MenuWindows Start Menu
    2. From the navigation panel in the left side, perform a Right-click in the NPS (Local) option and select Register server in Active Directory:
      Windows Network Policy ServiceWindows Network Policy Service

    3. Click on OK twice.

    4. Expand RADIUS Clients and Servers, right-click RADIUS Clients, and select New:
      Add RADIUS ClientAdd RADIUS Client

    5. Enter the Friendly name, the Cisco DNA Center management IP address, and a shared secret (This can be used later):
      Radius Client ConfigurationRadius Client Configuration
    6. Click OK to save it.

    7. Expand Policies, right-click Network Policies and select New:
      Add New Network PolicyAdd New Network Policy

    8. Enter a policy name for the rule and click Next:
      Policy NamePolicy Name

    9. To allow a specific domain group, add these two conditions and click Next:
      • User Group – Add your domain group that can have an Admin Role on Cisco DNA Center (For this example Sup_Ad_NPS group is used).
      • ClientIPv4Address – Add your Cisco DNA Center management IP address.
        Policy ConditionsPolicy Conditions

    10. Select Access Granted and click Next:
      Use Access GrantedUse Access Granted

    11. Only select Unencrypted authentication (PAP, SPAP):
      Select Unencrypted authenticationSelect Unencrypted authentication

    12. Select Next since default values are used:
      Configure Constraint WindowConfigure Constraint Window

    13. Remove Standard attributes:
      Define Attributes to useDefine Attributes to use

    14. On RADIUS Attributes select Vendor Specific, then Click Add, select Cisco as a Vendor, and click Add:
      Add Cisco AV-PairAdd Cisco AV-Pair

    15. Click Add, write Role=SUPER-ADMIN-ROLE and click OK twice:
      Cisco AV-Pair Attribute addedCisco AV-Pair Attribute added

    16. Select Close, then select Next
    17. Review your policy settings and Select Finish to save it.

    Policy SummaryPolicy Summary

    Observer Role Policy.

    1. Click in the Windows Start menu and search for NPS. Then select Network Policy Server.
    2. From the navigation panel in the left side, perform a Right-click in the NPS (Local) option and select Register server in Active Directory.
    3. Click on OK twice.
    4. Expand RADIUS Clients and Servers, right-click RADIUS Clients, and select New.
    5. Enter a Friendly name, the Cisco DNA Center management IP address, and a shared secret (This can be used later).
    6. Click OK to save it.
    7. Expand Policies, right-click Network Policies, and select New.
    8. Enter a policy name for the rule and click Next.
    9. To allow a specific domain group, you need to add these two conditions and select Next.
      • User Group – Add your domain group in order to assign an Observer Role on Cisco DNA Center (For this example Observer_NPS group is used).
      • ClientIPv4Address – Add your Cisco DNA Center management IP.
    10. Select Access Granted and then select Next.
    11. Only select Unencrypted authentication (PAP, SPAP).
    12. Select Next since default values are used.
    13. Remove Standard attributes.
    14. On RADIUS Attributes select Vendor Specific, then Click Add, select Cisco as a Vendor, and click Add.
    15. Select Add, write ROLE=OBSERVER-ROLE, and OK twice.
    16. Select Close, then Next.
    17. Review your policy settings and select Finish to save it.

    Enable External Authentication

    1. Open the Cisco DNA Center Graphical User Interface (GUI) in a web browser and Log in using an admin privileged account:

      Cisco DNA Center Login PageCisco DNA Center Login Page

    2. Navigate to Menu > System > Setting > Authentication and Policy Servers and select Add > AAA:
      Add Windows ServerAdd Windows Server

    3. Type your Windows Server IP address and the Shared Secret used in the previous steps and Click Save:
      Windows Server ValuesWindows Server Values

    4. Validate that your Windows Server status is Active:
      Windows Server SummaryWindows Server Summary
    5. Navigate to Menu > System > Users & Roles > External Authentication and select your AAA server:
      Windows Server as AAA ServerWindows Server as AAA Server

    6. Type Cisco-AVPair as the AAA attribute and click Update:
      AV-Pair on External UserAV-Pair on External User

    7. Click in the check-box Enable External User to enable External Authentication:
      Enable Exte


    Verify

    You can open the Cisco DNA Center Graphical User Interface (GUI) in a web browser and Log in with an external user configured in the Windows Server to validate that you can Log in successfully using External Authentication. 

    Cisco DNA Center Login PageCisco DNA Center Login Page

    Revision History

    Revision Publish Date Comments
    2.0
    11-Apr-2024
    Chacne title syntax
    1.0
    10-Apr-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Manuel Humberto Marquez Gutierrez
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products