topic access denied when ssh in window server 2008 after set it as radius server in Network Access Control https://community.cisco.com/t5/network-access-control/access-denied-when-ssh-in-window-server-2008-after-set-it-as/m-p/2659965#M74219 <P>yesterday i succeed to use aaa to login and can see aaa in sh aaa session</P><P>&nbsp;</P><P><A href="https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/" target="_blank">https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/</A></P><P>&nbsp;</P><P>today i simulate again, it access denied, do not know where is wrong</P><P>&nbsp;</P><P>a. can it use active directory user account to login cisco switch and router if i add domain user group in network policy?</P><P>&nbsp; &nbsp; if so, why need to set user radiusclient in router with the same password as the same as in radiusclient in window server 2008?</P><P>&nbsp;</P><P>win 192.168.2.12 --- &nbsp;switch 192.168.2.5 --- 192.168.2.1 R1</P><P>R1<BR />conf t<BR />hostname router1<BR />int FastEthernet0/0<BR />ip address 192.168.2.1 255.255.255.0<BR />no shut<BR />end<BR />conf t<BR />ip route 192.168.2.0 255.255.255.0 192.168.2.5<BR />end</P><P>enable<BR />configure terminal<BR />enable secret cisco<BR />end<BR />conf t<BR />aaa new-model<BR />username radiusclient privilege 15 password 0 cisco<BR />crypto key generate rsa<BR />ip ssh time-out 60<BR />ip ssh version 2<BR />line vty 0 4<BR />transport input ssh<BR />exit<BR />line vty 5 15<BR />transport input ssh<BR />exit<BR />ip domain-name radius1.local<BR />radius-server host 192.168.2.12<BR />radius-server key cisco<BR />aaa group server radius NPSSERVER<BR />server 192.168.2.12<BR />exit<BR />aaa authentication login default group NPSSERVER local<BR />aaa authorization exec default group NPSSERVER local<BR />exit</P><P>R2<BR />conf t<BR />vlan 10<BR />int vlan 10<BR />ip address 192.168.2.5 255.255.255.0<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/0<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/1<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/2<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end</P><P>R3</P><P>conf t<BR />hostname router3<BR />int FastEthernet0/0<BR />ip address 192.168.2.7 255.255.255.0<BR />no shut<BR />end</P><P>conf t<BR />ip route 192.168.2.0 255.255.255.0 192.168.2.5<BR />end</P> Tue, 26 Mar 2019 00:32:46 GMT martlee2 2019-03-26T00:32:46Z access denied when ssh in window server 2008 after set it as radius server https://community.cisco.com/t5/network-access-control/access-denied-when-ssh-in-window-server-2008-after-set-it-as/m-p/2659965#M74219 <P>yesterday i succeed to use aaa to login and can see aaa in sh aaa session</P><P>&nbsp;</P><P><A href="https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/" target="_blank">https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/</A></P><P>&nbsp;</P><P>today i simulate again, it access denied, do not know where is wrong</P><P>&nbsp;</P><P>a. can it use active directory user account to login cisco switch and router if i add domain user group in network policy?</P><P>&nbsp; &nbsp; if so, why need to set user radiusclient in router with the same password as the same as in radiusclient in window server 2008?</P><P>&nbsp;</P><P>win 192.168.2.12 --- &nbsp;switch 192.168.2.5 --- 192.168.2.1 R1</P><P>R1<BR />conf t<BR />hostname router1<BR />int FastEthernet0/0<BR />ip address 192.168.2.1 255.255.255.0<BR />no shut<BR />end<BR />conf t<BR />ip route 192.168.2.0 255.255.255.0 192.168.2.5<BR />end</P><P>enable<BR />configure terminal<BR />enable secret cisco<BR />end<BR />conf t<BR />aaa new-model<BR />username radiusclient privilege 15 password 0 cisco<BR />crypto key generate rsa<BR />ip ssh time-out 60<BR />ip ssh version 2<BR />line vty 0 4<BR />transport input ssh<BR />exit<BR />line vty 5 15<BR />transport input ssh<BR />exit<BR />ip domain-name radius1.local<BR />radius-server host 192.168.2.12<BR />radius-server key cisco<BR />aaa group server radius NPSSERVER<BR />server 192.168.2.12<BR />exit<BR />aaa authentication login default group NPSSERVER local<BR />aaa authorization exec default group NPSSERVER local<BR />exit</P><P>R2<BR />conf t<BR />vlan 10<BR />int vlan 10<BR />ip address 192.168.2.5 255.255.255.0<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/0<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/1<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end<BR />conf t<BR />hostname router2<BR />int FastEthernet1/2<BR />switchport<BR />switchport access vlan 10<BR />switchport mode access<BR />shutdown<BR />no shut<BR />end</P><P>R3</P><P>conf t<BR />hostname router3<BR />int FastEthernet0/0<BR />ip address 192.168.2.7 255.255.255.0<BR />no shut<BR />end</P><P>conf t<BR />ip route 192.168.2.0 255.255.255.0 192.168.2.5<BR />end</P> Tue, 26 Mar 2019 00:32:46 GMT https://community.cisco.com/t5/network-access-control/access-denied-when-ssh-in-window-server-2008-after-set-it-as/m-p/2659965#M74219 martlee2 2019-03-26T00:32:46Z