Configure Cisco routers to use Active Directory authentication — the Windows side

by | April 1, 2009

Takeaway: Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? In this two-part series, David Davis walks you through the process. This time, he explains how to install, configure, and troubleshoot Windows’ Internet Authentication Service (IAS).

If your organization uses Windows, you probably use your Active Directory (AD) username and password to log onto your PC every day. So why do you need separate credentials on your routers?

Even if you just need to remember an extra password, it can be annoying — but it doesn’t have to be. In fact, you can leverage the Windows AD username/password database to log in to your Cisco routers and switches.

In this two-part series, I’ll explain how to configure AD authentication on your routers and switches. This week, we’ll start off by discussing how to install, configure, and troubleshoot Windows’ Internet Authentication Service (IAS); next week, we’ll wrap it up by explaining how to configure your routers and switches to use the authentication.

Before we begin, let’s go over this article’s assumptions. For this configuration, we’ll use IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy, which comes built into Windows 2000 Server and Windows Server 2003.

In addition, we’re assuming that you’ve already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.

Install IAS

Start off by installing IAS if you haven’t already done so. For Windows Server 2003, follow these steps:

  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add Or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.

To keep track of who can log in to your Cisco network devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of the ciscoadmin group.

Configure IAS

Now that we’ve installed IAS, we need to configure it. Begin by going to Start | Control Panel and double-clicking the Administrative Tools applet. Double-click the Internet Authentication Service applet, as shown in Figure A.

Figure A
To begin configuring IAS, go to Start | Control Panel | Administrative Tools | Internet Authentication Service.

This will open the Internet Authentication Service window, as shown in Figure B.

Figure B
You must open the Internet Authentication Service window to configure IAS.

Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your router or switch). I suggest using the router’s hostname.
  3. Enter the LAN IP address of the client.

Figure C
Enter a friendly name for the new client, and enter the IP address.

  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used cisco as my test password.
  6. Click Finish.

Figure D shows the Internet Authentication Service window with the newly added client.

Figure D
The Internet Authentication Service window displays the newly added client.

Next, we need to create a remote access policy. Follow these steps:

  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it ciscoauth, and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in Figure E.

Figure E
Select Windows-Groups, and click the Add button.

Enter ciscoadmin (or whatever group you want to use). In this example, we’re using a local Windows server group. You can also use a Windows AD group — which, of course, is preferable. Figure F shows the Groups dialog box with the ciscoadmin group listed.

Figure F
The Groups dialog box will list the group you add.

Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in Figure G.

Figure G
Select Windows-Groups, and click the Add button.

  7. Click Next, select Grant Remote Access Permission, and click Next.
  8. Click Edit Profile, and select the Authentication tab.
  9. Deselect all check boxes; only select the Unencrypted Authentication (PAP/SPAP) check box, as shown in Figure H, and click OK.

Figure H
Select the Unencrypted Authentication (PAP/SPAP) check box only.

  10. Next, select the Advanced tab.
  11. Select Service-Type, and click Edit.
  12. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in Figure I, and click OK.

Figure I
Under Attribute Value, change it from Framed to Login.

Back on the Advanced tab, select Framed-Protocol, and click Remove. Figure J displays the resulting dialog box.

Figure J
All that’s left to do is click OK.

All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in Figure K.

Figure K
For corresponding Help topics, click Yes.

We’re almost there. Click Next, click Finish, and that’s it!
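
With PAP selected in the policy, the router sends the AD password in the RADIUS User-Password attribute, hidden only by an MD5 keystream derived from the shared key entered for the RADIUS client (RFC 2865, section 5.2). The sketch below is an added example, not code from the original article; the function names and sample values are assumptions, and it shows why that key should be long and random rather than a short test word.

```python
import hashlib
import secrets

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the router (RADIUS client) does before sending User-Password."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # keystream block = MD5(shared secret + previous ciphertext block)
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does with the same shared secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def new_shared_secret(nbytes: int = 24) -> str:
    """Random key to enter on both the RADIUS server and the router."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    ra = secrets.token_bytes(16)             # fresh per Access-Request
    key = new_shared_secret().encode()
    wire = hide_password(b"Example-Pass1", key, ra)   # constructed password
    print("on the wire:", wire.hex())
    print("server sees:", recover_password(wire, key, ra))
```

The user's password is exactly as well protected in transit as the shared key is hard to guess, so the key is the value to harden.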

Troubleshoot IAS

When it comes to troubleshooting IAS, its logs can be very cryptic. For example, Figure L shows a log created while testing this article.

Figure L
IAS logs can be a little hard to interpret.

To help out with reading these logs, I use’s IAS Log Viewer. Figure M shows a screenshot of this tool.

Figure M
IAS Log Viewer helps simplify logs.
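
As an added example (not from the original article and not part of any log-viewer tool), the script below parses IAS-format log records and counts rejected logins per user and RADIUS client. It assumes the default IAS log format of six header fields followed by attribute-ID/value pairs; the attribute-ID subset is an assumption to check against Microsoft's documentation, and the sample records are constructed.

```python
import csv
from collections import Counter

# The six fixed header fields that open every IAS-format record.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
# Small subset of IAS attribute IDs (assumed; check against Microsoft's list).
ATTRS = {"4108": "Client-IP-Address", "4127": "Authentication-Type",
         "4128": "Client-Friendly-Name", "4136": "Packet-Type",
         "4142": "Reason-Code"}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}

# Constructed sample records: hosts, users and addresses are invented.
SAMPLE_LOG = """\
192.0.2.10,jsmith,04/01/2009,09:15:02,IAS,IASSRV1,4108,192.0.2.10,4128,router1,4127,1,4136,1,4142,0
192.0.2.10,jsmith,04/01/2009,09:15:02,IAS,IASSRV1,4108,192.0.2.10,4128,router1,4127,1,4136,2,4142,0
192.0.2.10,guest,04/01/2009,09:20:41,IAS,IASSRV1,4108,192.0.2.10,4128,router1,4127,1,4136,1,4142,0
192.0.2.10,guest,04/01/2009,09:20:41,IAS,IASSRV1,4108,192.0.2.10,4128,router1,4127,1,4136,3,4142,16
"""

def parse_ias_line(line):
    """Split one record into header fields plus named attribute values."""
    fields = next(csv.reader([line]))
    extra = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(extra) % 2:
        raise ValueError("not an IAS-format record: " + line[:40])
    record = dict(zip(HEADER, fields))
    for attr_id, value in zip(extra[0::2], extra[1::2]):
        record[ATTRS.get(attr_id, attr_id)] = value  # unknown IDs keep their number
    record["packet"] = PACKET_TYPES.get(record.get("Packet-Type"), "other")
    return record

def rejected_logins(log_text):
    """Count Access-Reject records per (user, RADIUS client friendly name)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_ias_line(line)
            if rec["packet"] == "Access-Reject":
                client = rec.get("Client-Friendly-Name", rec["nas_ip"])
                counts[(rec["user"], client)] += 1
    return counts

if __name__ == "__main__":
    for (user, client), n in rejected_logins(SAMPLE_LOG).items():
        print(f"{n} rejected login(s) for {user} via {client}")
```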

Stay tuned: Next time, we’ll wrap up this tutorial by explaining how to configure your routers and switches to use AD authentication.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.