topic Re: Change AD servers switch is using to authenticate in Network Security

Change AD servers switch is using to authenticate

bacjac38 — Thu, 23 Jan 2025 16:04:35 GMT

I am not an advanced level SSH tech but can find my way as required but for this I need assistance. I've inherited a switch stack that points to a 2008R2 NPS server to login. Please assist with the commands to change the NPS/RADIUS server it uses to authentication requests. Thank you in advance.

Re: Change AD servers switch is using to authenticate

Rob Ingram — Thu, 23 Jan 2025 16:22:46 GMT

@bacjac38 Without seeing your current configuration we can only guess how your switch is configured.

You can run the commands "show run | sec aaa" and "show run | sec radius" to display your current configuration. You will need to create additional RADIUS servers of the new 2019 NPS server, define a shared secret that matches what is configured on the new NPS and then add this new RADIUS server to the AAA group.

Example if you have configured aaa authentication using a RADIUS group (ignore the ISE names):-

aaa authentication login default group ISE local
!
aaa group server radius ISE
 server name ISE1
 server name ISE2

You would then create a new RADIUS server

radius server ISE3
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key Cisco1234

Then add the new RADIUS server to the existing group and remove the old servers.

aaa group server radius ISE
 server name ISE3
 no server name ISE1
 no server name ISE2

There are other ways of doing this and you may not be using a AAA group, as per the example above. If so provide your configuration - "show run | sec aaa" and "show run | sec radius"

Re: Change AD servers switch is using to authenticate

bacjac38 — Thu, 23 Jan 2025 17:44:19 GMT

Here is the configuration. The NPS server settings from the old have been imported from the 2 new NPS servers - 143 & 145. I see at the bottom of the sec radius output "key 7 04494D225E34197D5A3A3712064A". Is that specific from the server itself?

NGM1P3750LAN#show run | sec aaa
aaa new-model
aaa group server radius ITNetAdmins
server 10.1.6.141
server 10.1.6.141 auth-port 1812 acct-port 1813
server 10.1.6.142
server 10.1.6.142 auth-port 1812 acct-port 1813
aaa authentication login default group ITNetAdmins local
aaa authentication enable default group ITNetAdmins enable
aaa authentication ppp ITNetAdmins local
aaa authorization console
aaa authorization exec default group ITNetAdmins local
aaa authorization commands 15 ITNetAdmins local
aaa authorization network ITNetAdmins local
aaa session-id common
ip http authentication aaa command-authorization 2 ITNetUsers
NGM1P3750LAN#show run | sec radius
aaa group server radius ITNetAdmins
server 10.1.6.141
server 10.1.6.141 auth-port 1812 acct-port 1813
server 10.1.6.142
server 10.1.6.142 auth-port 1812 acct-port 1813
ip radius source-interface Vlan4
radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 04494D225E34197D5A3A3712064A
radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 105C4F3D540247385F27182E3069
radius-server host 10.1.4.220

Re: Change AD servers switch is using to authenticate

Rob Ingram — Thu, 23 Jan 2025 17:57:43 GMT

@bacjac38 The shared secret key you configure on the cisco switch must be the exact same shared secret key you configure on the NPS server in order for authentication to work. The key doesn't need to be the same as the other keys of the other RADIUS servers, it just needs to be the same key as you configure on the NPS server to match the switch.

The RADIUS group called "ITNetAdmins" is used for authentication, so define the shared secret and then add the new RADIUS server to that group.

radius-server host 10.1.4.220 auth-port 1812 acct-port 1813 key <shared secret>
!
aaa group server radius ITNetAdmins
 server 10.1.4.220

Re: Change AD servers switch is using to authenticate

bacjac38 — Thu, 23 Jan 2025 18:57:23 GMT

Thank you. I would still need to add 2 new servers as stated above entered separately:

radius server ISE3 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813 key xxxx radius server ISE4 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813 key xxxx

Then add the group to the 2 new servers:

aaa group server ITNetAdmins server name ISE3 server name ISE4 no server name ISE1 no server name ISE2

Re: Change AD servers switch is using to authenticate

Rob Ingram — Thu, 23 Jan 2025 18:59:14 GMT

@bacjac38 yes, define the RADIUS server(s) and then add to the AAA group "ITNetAdmins" AND configure the new NPS server with the IP address and shared secret key (as configured on the switch).

Re: Change AD servers switch is using to authenticate

MHM Cisco World — Thu, 23 Jan 2025 19:08:42 GMT

You add server under server-group and as standalone'

Under server-group you dont use key ?

And you use server-group for authc login

So I dont think SW ever send any requests to server-group' it use local database.

MHM

Re: Change AD servers switch is using to authenticate

bacjac38 — Thu, 23 Jan 2025 19:47:29 GMT

OK thank you. Then I create a new key on the NPS server and add it to the new servers in the config. I'm assuming the key shown in the config is encrypted, correct?

Re: Change AD servers switch is using to authenticate

Rob Ingram — Thu, 23 Jan 2025 19:52:36 GMT

@bacjac38 your key above is a type 7 key and hidden, FYI this is easily decryptable - there are websites on the internet to do that. I would suggest you don't use the same keys above.

Enter the key in plaintext on the switch and ensure it's the exact same key on the NPS server.

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 16:35:59 GMT

Made these changes - and cannot log in. 10.1.6.143 is showing the login attempts but I get locked out

radius server ISE3 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813 key <new shared secret on NPS> radius server ISE4 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813 key <new shared secret on NPS> aaa group server ITNetAdmins server name ISE3 server name ISE4 no server name ISE1 no server name ISE2 write memory copy running-config startup-config exit

Re: Change AD servers switch is using to authenticate

Rob Ingram — Fri, 24 Jan 2025 17:35:42 GMT

@bacjac38 what do the NPS logs say?

Provide the output of "show AAA server"

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 17:51:38 GMT

NPS login attempt below. Can't log into switch to get the "show AAA server"

<Event><Timestamp data_type="4">01/24/2025 10:43:00.777</Timestamp><Computer-Name data_type="1">NPS_Server</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.1.6.143 01/24/2025 15:36:34 1</Class><Authentication-Type data_type="0">1</Authentication-Type><Fully-Qualifed-User-Name data_type="1">DOMAIN\bacjac38</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">DOMAIN\bacjac38</SAM-Account-Name><Client-IP-Address data_type="3">10.1.4.220</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">NGM1P3750D</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">36</Reason-Code></Event>

Looking for a console cable to telnet into the stack now

Re: Change AD servers switch is using to authenticate

Rob Ingram — Fri, 24 Jan 2025 17:54:23 GMT

@bacjac38 have you modified the new NPS server to add the switch IP and shared secret? Does the connection match the correct policy? Any errors?

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 18:00:09 GMT

Everything matches - IP, policy, shared secret in the event log... I made the changes as shown when stating I got locked out. The event shown is from the new NPS server

Re: Change AD servers switch is using to authenticate

Rob Ingram — Fri, 24 Jan 2025 18:56:55 GMT

@bacjac38 that event output is not clear, please provide a screenshot of the event (success or failure) and a screenshot of your NPS policies.

Re: Change AD servers switch is using to authenticate

MHM Cisco World — Fri, 24 Jan 2025 19:01:39 GMT

You use local in end of your authc login'

This make SW try use local username/password

To force SW to use local remove SW from NPS (as NAD)

Then try access use local

MHM

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 20:29:23 GMT

Interesting. To gather screen shot and events, I tried to log back in again and noticed that the new NPS server logs (.143) was not registering the attempt, but I did get locked out. I then checked the original server NPS logs (.141) and there it was.

Then I decrypted the original key (at your suggestion THANKS) which saved the day. I entered it back to the shared secret on the original NPS server and successfully logged in.

Here's the latest config which looks like I've made several errors:

NGM1P3750LAN#show run | sec aaa aaa new-model aaa group server radius ITNetAdmins server 10.1.6.141 server 10.1.6.141 auth-port 1812 acct-port 1813 server 10.1.6.142 server 10.1.6.142 auth-port 1812 acct-port 1813 server name ISE3 server name ISE4 aaa authentication login default group ITNetAdmins local aaa authentication enable default group ITNetAdmins enable aaa authentication ppp ITNetAdmins local aaa authorization console aaa authorization exec default group ITNetAdmins local aaa authorization commands 15 ITNetAdmins local aaa authorization network ITNetAdmins local aaa session-id common ip http authentication aaa command-authorization 2 ITNetUsers NGM1P3750LAN#show run | sec radius aaa group server radius ITNetAdmins server 10.1.6.141 server 10.1.6.141 auth-port 1812 acct-port 1813 server 10.1.6.142 server 10.1.6.142 auth-port 1812 acct-port 1813 server name ISE3 server name ISE4 ip radius source-interface Vlan4 radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 04494D225E3419 7D5A3A3712064A radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 105C4F3D540247 385F27182E3069 radius-server host 10.1.4.220 radius server ISE3 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813 key 7 10195C493644311909307E05141B7730300502044D530409 radius server ISE4 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813 key 7 055C535F121F6D1B1C31433C3B3F402F39322D217B704157

Re: Change AD servers switch is using to authenticate

Rob Ingram — Fri, 24 Jan 2025 20:40:07 GMT

@bacjac38 as you've still got the original RADIUS servers defined in the AAA group, the connection request would be sent to the first RADIUS server, which is why you aren't seeing the connection request on the new NPS server (.143). Authentications would only be sent to the .143 and .145 servers if the .141 and .142 are unavailable.

Perhaps use the "test aaa group radius server....." command to test authentications to the new RADIUS server work before you remove the old NPS servers from the AAA group.

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 21:58:10 GMT

@MHM Cisco World - are you referring to:

aaa authorization commands 15 ITNetAdmins local

My apologies - don't know what this means:

This make SW try use local username/password
To force SW to use local remove SW from NPS (as NAD)

Re: Change AD servers switch is using to authenticate

bacjac38 — Fri, 24 Jan 2025 22:24:16 GMT

The config now is a mess and have to figure out how to clean it up before I add testing statements. The new NPS does have logs when I attempted to connect earlier today. After several hours when coming back it, it reverted back. (?) Log from the new server is attached.