SG-350 and Windows Server 2016 NPS RADIUS Set-Up
Hello!  I was hoping for some help/advice on here so figured I would give this a shot!

I am brand new to RADIUS and Windows Server 2016 NPS.  I have been tasked with setting up RADIUS so devices authenticate against Active Directory instead of having user accounts and passwords stored locally on the devices themselves.  I read as many articles/watched videos and did some tests in Packet Tracer and followed the guidelines in the link below, but was unsuccessful in the real world:

https://theitbros.com/radius-server-configuration-on-windows/

With that being said, I do think I was close, as I was not able to log in to my test device with the "backup account", and the failed logins on the device caused my Windows AD account to get locked due to failed attempts, so I THINK the switch and AD were communicating.

Does anyone have any tips/tricks for getting this set-up?

One thing that definitely has thrown me off is all of the articles and videos I have watched have device configurations beginning with "aaa new-model" which is not a possible command in the Cisco SG-350 series.

If anyone could help me out with a sample config for this type of device and some tips on making policies in NPS I would greatly appreciate it!

In NPS I have my RADIUS client listed with its device name, IP address, and a shared secret, and specified it as a Cisco device in the Advanced tab.

I have one Network Policy with conditions of "Windows Groups" (I created a Security Group which my AD account is a member of) and "Access Client IPv4 Address" (entered the device's IP) with the following settings:

Cisco-AV-Pair | shell:priv-lvl=15
Ignore User Dial-In Properties | True
Access Permission | Grant Access
Authentication Method | Unencrypted authentication (PAP, SPAP)
Service-Type | Login

Any help would be greatly appreciated, thanks very much!
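For readers following this thread, the block below is an added example, not code from the original post, from Cisco or from Microsoft. It shows what the NPS settings listed above (PAP, Service-Type = Login, Cisco-AV-Pair shell:priv-lvl=15) look like inside the RADIUS packets exchanged between a switch and the server, following RFC 2865: how PAP hides the User-Password with the shared secret, how the server's Response Authenticator binds an Access-Accept to the request it answers, and how the Cisco vendor-specific attribute is encoded. The shared secret, NAS address, user name and password are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; the real secret lives only in NPS and on the switch.
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.0.2.10"   # constructed RFC 5737 documentation address standing in for the switch

# RADIUS codes and attribute types from RFC 2865; Cisco's IANA vendor id is 9, Cisco-AV-Pair is sub-type 1
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_LOGIN = 1
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1


def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, req_auth):
    """Inverse of pap_hide; with PAP this keyed MD5 stream is all that protects the password on the wire."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_av_pair(text):
    """Vendor-Specific(26) carrying Vendor-Id 9 and a Cisco-AV-Pair(1) sub-attribute."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AV_PAIR, text.encode()))


def build_access_request(username, password, secret, identifier=1, req_auth=None):
    """What the switch (the NAS) sends to NPS for a PAP login attempt."""
    req_auth = req_auth or os.urandom(16)   # must be fresh and unpredictable per request
    body = b"".join([
        attr(ATTR_USER_NAME, username.encode()),
        attr(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
        attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
    ])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + req_auth + body


def build_access_accept(request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    identifier, req_auth = request[1], request[4:20]
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client side: accept a reply only if its authenticator matches the outstanding request and secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:   # identifier must match the request being answered
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Walk the TLVs after the 20-byte header; Vendor-Specific expands to (26, vendor, sub-type, value)."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:   # malformed attribute; stop rather than loop forever
            break
        value = packet[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            out.append((t, struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]))
        else:
            out.append((t, value))
        pos += length
    return out


def privilege_level(accept):
    """Return the priv-lvl granted via Cisco-AV-Pair shell:priv-lvl=N, or None if the VSA is absent."""
    for a in parse_attrs(accept):
        if len(a) == 4 and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AV_PAIR:
            text = a[3].decode()
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


def demo():
    """Round trip: the switch builds the request, the server answers, the switch verifies the reply."""
    request = build_access_request("jdoe", "P@ssw0rd", SHARED_SECRET)   # constructed credentials
    hidden = [a[1] for a in parse_attrs(request) if a[0] == ATTR_USER_PASSWORD][0]
    recovered = pap_reveal(hidden, SHARED_SECRET, request[4:20])
    wrong_secret = pap_reveal(hidden, b"wrong-secret", request[4:20])   # server with a mismatched secret
    accept = build_access_accept(request, SHARED_SECRET,
                                 [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
                                  cisco_av_pair("shell:priv-lvl=15")])
    return {
        "recovered": recovered.decode(),
        "wrong_secret_matches": wrong_secret == b"P@ssw0rd",
        "accept_valid": verify_response(accept, request, SHARED_SECRET),
        "forged_invalid": not verify_response(accept, request, b"wrong-secret"),
        "priv_lvl": privilege_level(accept),
    }
```

Two points the round trip makes concrete. A server holding a different shared secret recovers garbage instead of the password, so a secret mismatch between NPS and the switch is indistinguishable from a wrong password from the server's point of view and will count against the account like any other failed attempt. And because PAP's protection is only MD5 keyed by that secret, the secret should be long and random and RADIUS traffic kept on a management network the user population cannot reach.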
