Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2209
Views
0
Helpful
3
Replies

AAA integration with Microsoft NPS RADIUS Active Directory

Go to solution
Dennis Topo Jr
Level 1
Level 1

‎12-30-2014 11:17 AM - edited ‎03-10-2019 10:18 PM

Hello all.... 

 

   We are looking to centralize administrative authentication to our switches and routers using AD domain groups. The oldest switches being 3560s. There are many great guides online on how to do this using MS NPS, but they all seems to require NPS to use of PAP and SPAP for authentication methods between the RADIUS clients (switches) and NPS- clear text protocols. Is this the only option to make this work? Of course the main concern would be the high level AD user account passwords being transmitted across the wire. Am I correct in thinking that AD passwords are indeed involved in the process, and NOT just the checking of the Shared Secret between the RADIUS clients and NPS.......and then the AD group membership?  Also, what would be a secure alternative where AD passwords would not be sent in clear text. Any clarification would be great...... 

 

Thanks....Dennis

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-30-2014 05:15 PM

Hello Dennis-

The password would not be sent in clear text. Instead, it is encrypted by the NAD (In your case the switch) before it is forwarded to the Radius server. The "shared secret" is used in the encryption process which is why the secret is not send across the network. In addition, this is why the shared secret should be a complex one. For more info, check out the links below:

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html

http://technet.microsoft.com/en-us/library/cc771660%28v=ws.10%29.aspx

I hope this helps!

 

Thank you for rating helpful posts!

View solution in original post

0 Helpful
3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-30-2014 05:15 PM

Hello Dennis-

The password would not be sent in clear text. Instead, it is encrypted by the NAD (In your case the switch) before it is forwarded to the Radius server. The "shared secret" is used in the encryption process which is why the secret is not send across the network. In addition, this is why the shared secret should be a complex one. For more info, check out the links below:

http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/12433-32.html

http://technet.microsoft.com/en-us/library/cc771660%28v=ws.10%29.aspx

I hope this helps!

 

Thank you for rating helpful posts!

0 Helpful

Go to solution
Dennis Topo Jr
Level 1
Level 1
In response to nspasov

‎01-22-2015 01:28 PM

Neno-- sorry for the delayed response- I very much appreciate your clarity on this. I will go the NPS route then.......      Thanks.....!

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Dennis Topo Jr

‎01-22-2015 01:44 PM

No problem! Glad I could help!

0 Helpful
Customers Also Viewed These Support Documents