2211 Views, 0 Helpful, 3 Replies

AAA integration with Microsoft NPS RADIUS Active Directory

Dennis Topo Jr (Level 1)

Hello all.

We are looking to centralize administrative authentication to our switches and routers using AD domain groups, the oldest switches being 3560s. There are many great guides online on how to do this using MS NPS, but they all seem to require NPS to use PAP and SPAP as the authentication methods between the RADIUS clients (switches) and NPS, which are clear-text protocols. Is this the only option to make this work? Of course the main concern would be the high-level AD user account passwords being transmitted across the wire. Am I correct in thinking that AD passwords are indeed involved in the process, and NOT just the checking of the shared secret between the RADIUS clients and NPS, and then the AD group membership? Also, what would be a secure alternative where AD passwords would not be sent in clear text? Any clarification would be great.

Thanks, Dennis

Accepted Solution

nspasov (Cisco Employee)

Hello Dennis-

The password would not be sent in clear text. Instead, it is encrypted by the NAD (in your case, the switch) before it is forwarded to the RADIUS server. The shared secret is used in the encryption process, which is why the secret is not sent across the network. In addition, this is why the shared secret should be a complex one. For more info, check out the links below:

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html

http://technet.microsoft.com/en-us/library/cc771660%28v=ws.10%29.aspx

I hope this helps!

 

Thank you for rating helpful posts!
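What the reply above calls encryption is the User-Password hiding of RFC 2865 section 5.2: the switch XORs the password, in 16-octet blocks, with MD5(shared secret || Request Authenticator), and chains each further block on the previous ciphertext block. The following is an added example, not code from the post, from Cisco or from Microsoft. It implements both sides of that exchange in Python and then runs an offline check of a captured Access-Request against a list of candidate secrets, which is the concrete reason the shared secret has to be long and random: the Request Authenticator travels in the clear in the packet, so the secret is the only unknown. The secret, password, Request Authenticator and wordlist are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, as applied by a NAS (the switch)
and undone by the RADIUS server (NPS), plus an offline guess against a captured
Access-Request. Added example; not code from the original thread. All sample
values below are constructed, not captured from any real device.
"""
import hashlib
import secrets

BLOCK = 16  # MD5 digest length; the password is processed in 16-octet chunks


def new_request_authenticator() -> bytes:
    """NAS side: a fresh, unpredictable 16-octet value per Access-Request.
    It is sent in the clear in the RADIUS packet header."""
    return secrets.token_bytes(BLOCK)


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: c(i) = p(i) XOR MD5(secret + previous block), where the first
    'previous block' is the Request Authenticator. Password is NUL-padded to a
    multiple of 16 octets (RFC 2865 allows 1..128 octets)."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keyblock = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keyblock))
        hidden += cipher
        prev = cipher  # chaining: next key block depends on this ciphertext block
    return bytes(hidden)


def _unhide_raw(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Regenerate the same key blocks and XOR them back; padding left in place."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keyblock = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        plain += bytes(c ^ k for c, k in zip(chunk, keyblock))
        prev = chunk
    return bytes(plain)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side (NPS): recover the password and strip the NUL padding before
    checking it against Active Directory."""
    return _unhide_raw(hidden, secret, request_authenticator).rstrip(b"\x00")


def _plausible_password(candidate: bytes) -> bool:
    """A wrong secret yields pseudo-random octets; the right one yields
    printable ASCII followed only by NUL padding."""
    stripped = candidate.rstrip(b"\x00")
    return bool(stripped) and all(0x20 <= b < 0x7F for b in stripped)


def guess_shared_secret(hidden: bytes, request_authenticator: bytes, candidates) -> list:
    """Offline attack on a captured Access-Request: the hidden password and the
    Request Authenticator are both in the packet, so each candidate secret
    costs one MD5 per 16-octet block. Returns the candidates that decrypt to a
    plausible password."""
    return [s for s in candidates
            if _plausible_password(_unhide_raw(hidden, s, request_authenticator))]


# Constructed sample values (not from any real deployment).
SAMPLE_SECRET = b"cisco123"  # deliberately weak: it appears in the wordlist below
SAMPLE_PASSWORD = b"CorrectHorseBatteryStaple"  # 25 octets -> two 16-octet blocks
SAMPLE_RA = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WEAK_CANDIDATES = [b"cisco", b"radius", b"secret", b"cisco123", b"password123"]

if __name__ == "__main__":
    ra = new_request_authenticator()
    on_the_wire = hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, ra)
    print("hidden User-Password on the wire:", on_the_wire.hex())
    print("server recovers:", reveal_password(on_the_wire, SAMPLE_SECRET, ra))
    print("secrets recovered from wordlist:", guess_shared_secret(on_the_wire, ra, WEAK_CANDIDATES))
```

Running the block shows the round trip working with the correct secret and the weak secret being recovered from the wordlist from nothing but the captured packet; a secret that is long, random and absent from any wordlist makes `guess_shared_secret` return an empty list, which is the property the reply relies on.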


3 Replies


Neno, sorry for the delayed response. I very much appreciate your clarity on this. I will go the NPS route then. Thanks!

No problem! Glad I could help!