topic Re: Microsoft NPS Radius for Switch Authenticate and Authorization in Network Security

Microsoft NPS Radius for Switch Authenticate and Authorization

BrianChernish — Fri, 19 Dec 2025 16:33:18 GMT

Is the following even possible?

I would like to configure Microsoft NPS to act as a Radius Server to authenticate and allow users who are present in one of two active directory OU's (OU #1 & OU I#2) to ssh into the device and then if the user is in OU #1, allow privilege level 15 access. If the user in OU #2, allow read only access (including the ability to use the "show run" command).

It seems like I can control this by adding 2 network access policies (one for Priv 15 and one for Priv 7) but that where I get stuck

I got it to work and allow a member of OU#1 to log in and have privilege level 15 access BUT only after I added a local user with the same login name to the configuration. Ideally I would like to configure a single local account that could be used if Radius was not available.

Any guidance is appreciated!

Re: Microsoft NPS Radius for Switch Authenticate and Authorization

nspasov — Fri, 19 Dec 2025 18:57:29 GMT

Hi Brian. Which Cisco product and version are you working with for this configuraiton?

Thank you for rating helpful posts!

Re: Microsoft NPS Radius for Switch Authenticate and Authorization

BrianChernish — Fri, 19 Dec 2025 19:16:56 GMT

We are accessing Cisco C9200, C9300 and C1000 switches. Our Domain Controller server is Windows Server 2019.

I have this working (mostly) with the exception that read only users cannot do a "Show Run". Here is my (sanitized) config :

B007-SW21#sh run
Building configuration...

Current configuration : 6493 bytes
!
! Last configuration change at 05:51:31 MST Thu Dec 18 2025 by bchernish
! NVRAM config last updated at 05:51:35 MST Thu Dec 18 2025 by bchernish
!
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname B007-SW21
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
logging persistent
enable secret 9 $9$31ZkRjyjqQLZ.b$oye6J/DhjIYNv3JDku/50pahip6PaqTLDclfJ2f4eCU
enable password 7 00071F0717485F0301204E420C
!
username bchernish privilege 15 secret 9 $9$zqN3lE5MwYzYE.$BDxxcR7i.xrUSp35Up5o7zBc1vltEyRKiibLhYAqt06
username cgundy privilege 15 secret 9 $9$D22pwqE2VtCIPE$h1VisznxHqw5tFWMjl4bXqXVq6tPva8kd4jzUtYjYGY
username ninja privilege 15 secret 9 $9$fxjEjwSU6NIyzj$TwVk0wVPL.wu/pv0EuJocRCiKXF.1mUSQyZDlrnf/3A
aaa new-model
!
!
aaa group server radius aas-radius
server name svdc2
!
aaa authentication login default group aas-radius local
aaa authorization config-commands
aaa authorization exec default group aas-radius local
!
!
!
!
!
!
aaa session-id common
clock timezone MST -7 0
switch 1 provision c1000-16fp-2g-l
system mtu routing 1500
!
!
ip domain-name class4mro
vtp domain ascentmro
vtp mode transparent
!
!
!
!
!
mls qos srr-queue output cos-map queue 1 threshold 1 4
mls qos srr-queue output cos-map queue 2 threshold 1 2 6 7
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 3 threshold 2 0
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output dscp-map queue 1 threshold 2 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 2 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24 48 49 50 51 52 53 54
mls qos srr-queue output dscp-map queue 2 threshold 2 55 56 57 58 59 60 61 62
mls qos srr-queue output dscp-map queue 2 threshold 2 63
mls qos srr-queue output dscp-map queue 3 threshold 1 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 10 11 12 13 14 15
mls qos
!
crypto pki trustpoint TP-self-signed-3727410048
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3727410048
revocation-check none
rsakeypair TP-self-signed-3727410048
!
!
crypto pki certificate chain TP-self-signed-3727410048
archive
log config
logging enable
logging size 500
hidekeys
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
auto qos srnd4
!
vlan internal allocation policy ascending
!
vlan 2
name Legacy2_Data
!
vlan 4
name Legacy4_Data
!
vlan 111
name 111_Data
!
vlan 114
name 114_Data
!
vlan 115
name 115_Data
!
vlan 116
name mzjbiz_wireless
!
vlan 123
name ManagementNetwork
!
vlan 124
name rfid
!
vlan 211
name 211_Voice
!
vlan 214
name 214_Voice
!
vlan 215
name 215_Voice
!
vlan 999
name black_hole
!
!
class-map match-all AUTOQOS_VOIP_VIDEO_CLASS
match ip dscp af41
class-map match-all AUTOQOS_VOIP_DATA_CLASS
match ip dscp ef
class-map match-all AUTOQOS_DEFAULT_CLASS
match access-group name AUTOQOS-ACL-DEFAULT
class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
match ip dscp cs3
!
policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
class AUTOQOS_VOIP_DATA_CLASS
set dscp ef
class AUTOQOS_VOIP_VIDEO_CLASS
set dscp af41
class AUTOQOS_VOIP_SIGNAL_CLASS
set dscp cs3
class AUTOQOS_DEFAULT_CLASS
set dscp default
!
!
!
!
!
!
interface GigabitEthernet1/0/1
description Not In Use
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 999
switchport mode access
shutdown
!
interface GigabitEthernet1/0/7
description PHONE-PC PORT
switchport mode access
switchport voice vlan 1
spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/9
description Composites Ricoh IM4000
switchport access vlan 2
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/14
description TECHLIB
switchport access vlan 111
switchport mode access
switchport voice vlan 211
spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
description hangar cam 2
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/16
description TIME CLOCK
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/17
description UPLINK TO B011 (copper)
switchport trunk allowed vlan 1,2,4,111,114-116,123,124,153,211,214,215
switchport mode trunk
!
interface GigabitEthernet1/0/18
description UPLINK TO Core
switchport trunk allowed vlan 1,2,4,111,114-116,123,124,153,211,214,215
switchport mode trunk
ip access-group 107 in
!
interface Vlan1
no ip address
shutdown
!
interface Vlan123
ip address 172.17.123.7 255.255.255.0
!
interface Vlan211
no ip address
!
ip default-gateway 172.17.1.1
no ip http server
ip http banner
no ip http secure-server
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm kex diffie-hellman-group14-sha1
!
access-list 107 deny icmp any any timestamp-request
access-list 107 deny icmp any any timestamp-reply
access-list 107 permit ip any any
!
!
snmp-server community ascent RW
snmp-server community cla554ro RO
snmp-server community cla554rw RW
snmp mib flash cache
!
radius-server attribute 6 on-for-login-auth
!
radius server svdc2
address ipv4 172.17.0.169 auth-port 1812 acct-port 1813
key 7 063207285F671A361005210E0F162F3F75
!
!
line con 0
exec-timeout 60 0
stopbits 1
line vty 0 4
exec-timeout 60 0
transport input ssh
line vty 5 15
exec-timeout 60 0
transport input ssh
!
ntp server 172.17.1.1
end

Re: Microsoft NPS Radius for Switch Authenticate and Authorization

BrianChernish — Fri, 19 Dec 2025 19:18:28 GMT

Sorry, IOS version is: c1000-universalk9-mz.152-7.E6

Re: Microsoft NPS Radius for Switch Authenticate and Authorization

nspasov — Mon, 22 Dec 2025 00:54:43 GMT

Based on the information you shared, my understanding is that you are assigning privilege-level 7 for the read-only users, correct? If yes, there are additional configurations required:

By default any privilege levels outside of 0,1 & 15 are "blank / empty." As a result, you will need to manually assign commands to privilege level 7
"show run" is a bit tricker as you can make the command available to different privilege levels but it will only output configs for which the current privilege is empowered for. Thus, by default, if show run is the only command assigned to privilege level 7, the output of it will be blank.

TACACS+ makes all of this a lot easier since you can simply give the "read-only" user privilege level 15 while prohibiting all commands except "show run" However, since you are using RADIUS, you will need the following:

privilege exec level 7 show running-config view full
privilege exec level 7 show running-config view
privilege exec level 7 show running-config
privilege exec level 7 show
file privilege 7

The read-only user with privilege-level 7 will need to execute the following command to get the full output of the running-config: show running-config view full

Thank you for rating helpful posts!

Re: Microsoft NPS Radius for Switch Authenticate and Authorization

Cristian Matei — Sun, 28 Dec 2025 15:40:38 GMT

Hi,

First, I would recommend the following changes on your RADIUS and AAA configs (statically define the source interface for RADIUS generated packets to avoid this changing due to potential routing changes; per your current scope you don't need authorization for config-commands enabled, you might need in future, so you can leave this command on or remove it, doesn't matter at this point; I'm assuming you want the same behaviour to apply for console access as it does for VTY / SSH access, for which reason you need "aaa authorization console" enabled; since you don't have TACACS to account for which user performed which commands, "aaa accounting command local" is a way to log these activities in the local buffer, visible via "show logging"; the previous mentioned option for command accounting can work in parallel or be replaced by the archive logging feature, in which case you can see which user performed which CLI commands via "show archive log config all"):

aaa group server radius aas-radius ip radius source-interface Vlanx ! no aaa authorization config-commands aaa authorization console aaa accounting commands local ! archive log config logging enable logging size 1000

Next, when RADIUS server is configured correctly, to assign privilege-level as well, you don't need the same username to also exist in the switch configuration, follow this guide to ensure you have NPS well configured:

https://www.mcgearytech.com/how-to-integrating-cisco-devices-cli-access-with-microsoft-npsradius/

Third, for your remote users getting privilege level 15, there's nothing else to be done, for users getting privilege level 7 with the rights you've mentioned, the following configuration is required (these users will be able to view complete running-configuration only by using command "show running-config view full":

privilege exec level 7 show running-config view full file privilege 7

Thanks,

Cristian.