Microsoft NPS for Cisco Device Authentication

matt.hyland (Level 1)

Hi, I have a situation where I need to use a central Microsoft NPS server to secure Cisco devices across multiple sites. Each site has its own IT team who can access their equipment but shouldn't be able to access another site's equipment.

I have created the policies on NPS with the appropriate AD groups, and then tried to use the condition 'Access Client IPv4 Address' and limit this to the site's IP range, e.g. 192.168.5.*.

However, with this condition in place the authentication fails; when I remove this condition authentication works, but without the limitations I need. I have looked through these forums and many others but can't find a solution that seems to work.

Has anyone needed to do anything similar, or had a similar issue to this? If so, how did you resolve it?

Thanks!

Accepted Solution

Hi,
Are you trying to restrict based on the source IP address of the client PC? I don't think that will work; the NPS server will only see the source IP address of the switch in the RADIUS request.

You could create multiple authentication rules, e.g. "AD group Site 1 IT Admin" + "NAS IPv4 Address = 192.168.5.*" conditions; this would permit only those users in that group to log into the IP addresses you define for Site 1. You could then create additional rules matching another AD group against the other sites' subnets.

You could also restrict access to logging into the devices belonging to the site, by applying an ACL to the VTY line of the devices, permitting only the local subnets and denying all else.

HTH
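
To make the two layers in the accepted answer concrete, here is an added example (not from the original thread or from either poster) of the device-side configuration for a Site 1 Cisco IOS switch: RADIUS authentication against the central NPS server, with the RADIUS source interface pinned so the NAS-IP-Address that NPS matches on is predictable, plus a VTY access-class admitting only the site's own management subnet. The NPS address, shared secret, VLAN and subnet values are assumed placeholders.

```cisco
! Added example, not from the original thread. Placeholder values:
! 10.0.0.10 = central NPS server, 192.168.5.0/24 = Site 1 management subnet.
hostname SITE1-SW1
aaa new-model
! Source RADIUS traffic from a fixed interface so NPS sees a stable
! NAS-IP-Address in every Access-Request. That attribute is what the NPS
! "NAS IPv4 Address" condition matches; NPS never sees the admin PC's address.
interface Vlan5
 ip address 192.168.5.2 255.255.255.0
ip radius source-interface Vlan5
radius server NPS
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius NPS-GROUP
 server name NPS
! Fall back to local accounts only if NPS is unreachable, not if it rejects.
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local if-authenticated
! Second layer: only the site's own subnet may reach the VTY lines at all,
! so a login from another site's network is refused before RADIUS is asked.
ip access-list standard VTY-SITE1
 permit 192.168.5.0 0.0.0.255
 deny any log
line vty 0 15
 access-class VTY-SITE1 in
 transport input ssh
 login authentication default
```

On the NPS side, the matching network policy for Site 1 combines the "User Groups" condition (the Site 1 admin group) with "NAS IPv4 Address"; NPS evaluates that condition as a regular-expression pattern, so an unanchored 192.168.5.* would also match a 192.168.50.x switch, and anchoring it as ^192\.168\.5\. keeps the policy to the intended /24.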
