Change AD servers switch is using to authenticate

bacjac38
Level 1

I am not an advanced level SSH tech but can find my way as required but for this I need assistance. I've inherited a switch stack that points to a 2008R2 NPS server to login. Please assist with the commands to change the NPS/RADIUS server it uses to authentication requests. Thank you in advance.

27 Replies

@bacjac38 Without seeing your current configuration we can only guess how your switch is configured.

You can run the commands "show run | sec aaa" and "show run | sec radius" to display your current configuration. You will need to create additional RADIUS servers of the new 2019 NPS server, define a shared secret that matches what is configured on the new NPS and then add this new RADIUS server to the AAA group.

Example, if you have configured AAA authentication using a RADIUS group (ignore the ISE names):

aaa authentication login default group ISE local
!
aaa group server radius ISE
 server name ISE1
 server name ISE2

You would then create a new RADIUS server

radius server ISE3
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key Cisco1234

Then add the new RADIUS server to the existing group and remove the old servers.

aaa group server radius ISE
 server name ISE3
 no server name ISE1
 no server name ISE2

There are other ways of doing this, and you may not be using an AAA group as in the example above. If so, provide your configuration: "show run | sec aaa" and "show run | sec radius".

bacjac38
Level 1

Here is the configuration. The NPS server settings from the old have been imported from the 2 new NPS servers - 143 & 145. I see at the bottom of the sec radius output "key 7 04494D225E34197D5A3A3712064A". Is that specific from the server itself?

NGM1P3750LAN#show run | sec aaa
aaa new-model
aaa group server radius ITNetAdmins
 server 10.1.6.141
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142
 server 10.1.6.142 auth-port 1812 acct-port 1813
aaa authentication login default group ITNetAdmins local
aaa authentication enable default group ITNetAdmins enable
aaa authentication ppp ITNetAdmins local
aaa authorization console
aaa authorization exec default group ITNetAdmins local
aaa authorization commands 15 ITNetAdmins local
aaa authorization network ITNetAdmins local
aaa session-id common
ip http authentication aaa command-authorization 2 ITNetUsers
NGM1P3750LAN#show run | sec radius
aaa group server radius ITNetAdmins
 server 10.1.6.141
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142
 server 10.1.6.142 auth-port 1812 acct-port 1813
ip radius source-interface Vlan4
radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 04494D225E34197D5A3A3712064A
radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 105C4F3D540247385F27182E3069
radius-server host 10.1.4.220

@bacjac38 The shared secret key you configure on the Cisco switch must be the exact same shared secret key you configure on the NPS server in order for authentication to work. The key doesn't need to be the same as the keys of the other RADIUS servers; it just needs to match the key you configure on the NPS server for the switch.

The RADIUS group called "ITNetAdmins" is used for authentication, so define the shared secret and then add the new RADIUS server to that group.

radius-server host 10.1.4.220 auth-port 1812 acct-port 1813 key <shared secret>
!
aaa group server radius ITNetAdmins
 server 10.1.4.220
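The two replies above boil down to a checklist: every server the switch will use needs a shared secret (per-server or the global "radius-server key"), it must be a member of the group named in "aaa authentication login default group ...", and type 7 secrets are only obfuscated, not encrypted. The following script is an added example written for this thread, not code from Cisco or from any poster. It parses both the legacy "radius-server host" form and the newer "radius server NAME" block form from "show run | sec radius" text and reports those three problems. The sample configuration is constructed to mirror the one posted above, with the type 7 strings and the ISE3 block replaced by placeholders.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the "show run | sec radius" output posted in this
# thread. The type 7 strings are placeholders, not real encoded secrets, and the
# "radius server ISE3" block is the new-style definition the first reply describes.
SAMPLE_CONFIG = """\
aaa group server radius ITNetAdmins
 server 10.1.6.141
 server 10.1.6.141 auth-port 1812 acct-port 1813
 server 10.1.6.142
 server 10.1.6.142 auth-port 1812 acct-port 1813
ip radius source-interface Vlan4
radius-server host 10.1.6.141 auth-port 1812 acct-port 1813 key 7 00PLACEHOLDER00
radius-server host 10.1.6.142 auth-port 1812 acct-port 1813 key 7 00PLACEHOLDER01
radius-server host 10.1.4.220
radius server ISE3
 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813
 key 6 PLACEHOLDER
"""


def key_type(toks: List[str]) -> Optional[str]:
    """Return the key encoding ('0', '6', '7' or 'plain'), or None if no key is present."""
    if "key" not in toks:
        return None
    rest = toks[toks.index("key") + 1:]
    if not rest:
        return None
    if rest[0] in ("0", "6", "7") and len(rest) > 1:
        return rest[0]
    return "plain"


def parse_radius_config(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, dict], Optional[str]]:
    """Parse group membership and server definitions.

    Returns (groups, servers, global_key):
      groups:     {group_name: {member identifier, ...}} (an IP for 'server X', a name for 'server name X')
      servers:    {identifier: {"address": ip_or_None, "key": key_type_or_None}}
      global_key: key type of a global 'radius-server key' line, if any
    """
    groups: Dict[str, Set[str]] = {}
    servers: Dict[str, dict] = {}
    global_key = None
    block = None  # ("group", name) or ("server", name) while inside an indented sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if not line.startswith(" "):
            block = None
            if toks[:4] == ["aaa", "group", "server", "radius"] and len(toks) >= 5:
                groups.setdefault(toks[4], set())
                block = ("group", toks[4])
            elif toks[:2] == ["radius", "server"] and len(toks) >= 3:
                servers.setdefault(toks[2], {"address": None, "key": None})
                block = ("server", toks[2])
            elif toks[:2] == ["radius-server", "host"] and len(toks) >= 3:
                servers[toks[2]] = {"address": toks[2], "key": key_type(toks)}
            elif toks[:2] == ["radius-server", "key"]:
                global_key = key_type(toks)
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "group" and toks[0] == "server" and len(toks) >= 2:
            member = toks[2] if toks[1] == "name" and len(toks) >= 3 else toks[1]
            groups[name].add(member)
        elif kind == "server":
            if toks[0] == "address" and len(toks) >= 3:
                servers[name]["address"] = toks[2]
            elif toks[0] == "key":
                servers[name]["key"] = key_type(toks)
    return groups, servers, global_key


def audit(groups: Dict[str, Set[str]], servers: Dict[str, dict], global_key: Optional[str]) -> List[str]:
    """Flag the misconfigurations an admin wants to catch before cutting over to new NPS servers."""
    findings = []
    members = set().union(*groups.values()) if groups else set()
    for ident, info in servers.items():
        if info["key"] is None and global_key is None:
            findings.append(f"{ident}: no shared secret (per-server or global 'radius-server key')")
        elif info["key"] == "7":
            findings.append(f"{ident}: secret stored as type 7 (reversible obfuscation); rotate it")
        if ident not in members:
            findings.append(f"{ident}: not a member of any AAA server group, so the login method list never uses it")
    for gname, mems in groups.items():
        for m in mems:
            if m not in servers:
                findings.append(f"group {gname}: member {m} has no matching server definition")
    return findings


if __name__ == "__main__":
    g, s, gk = parse_radius_config(SAMPLE_CONFIG)
    for finding in audit(g, s, gk):
        print(finding)
```

Run it against the real output of "show run | sec radius" (and "show run | sec aaa", since the group may appear there) before and after the change: the "not a member of any AAA server group" finding is exactly the state of 10.1.4.220 in the configuration above, and the type 7 finding is the reason the later reply recommends fresh secrets.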

You add the server under the server-group and as standalone.

Under the server-group you don't use a key?

And you use the server-group for authc login.

So I don't think the SW ever sends any requests to the server-group; it uses the local database.

MHM

bacjac38
Level 1

Thank you. I would still need to add 2 new servers as stated above entered separately:

radius server ISE3
 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813
 key xxxx

radius server ISE4
 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813
 key xxxx

Then add the group to the 2 new servers:

aaa group server radius ITNetAdmins
 server name ISE3
 server name ISE4
 no server name ISE1
 no server name ISE2

@bacjac38 yes, define the RADIUS server(s) and then add to the AAA group "ITNetAdmins" AND configure the new NPS server with the IP address and shared secret key (as configured on the switch).

OK thank you. Then I create a new key on the NPS server and add it to the new servers in the config. I'm assuming the key shown in the config is encrypted, correct?

@bacjac38 your key above is a type 7 key and hidden, FYI this is easily decryptable - there are websites on the internet to do that. I would suggest you don't use the same keys above.

Enter the key in plaintext on the switch and ensure it's the exact same key on the NPS server.

Made these changes - and cannot log in. 10.1.6.143 is showing the login attempts but I get locked out

radius server ISE3
 address ipv4 10.1.6.143 auth-port 1812 acct-port 1813
 key <new shared secret on NPS>

radius server ISE4
 address ipv4 10.1.6.145 auth-port 1812 acct-port 1813
 key <new shared secret on NPS>

aaa group server radius ITNetAdmins
 server name ISE3
 server name ISE4
 no server name ISE1
 no server name ISE2

write memory
copy running-config startup-config

exit

@bacjac38 what do the NPS logs say?

Provide the output of "show AAA server"

NPS login attempt below. Can't log into switch to get the "show AAA server"

<Event>
<Timestamp data_type="4">01/24/2025 10:43:00.777</Timestamp>
<Computer-Name data_type="1">NPS_Server</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 10.1.6.143 01/24/2025 15:36:34 1</Class>
<Authentication-Type data_type="0">1</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\bacjac38</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">DOMAIN\bacjac38</SAM-Account-Name>
<Client-IP-Address data_type="3">10.1.4.220</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">NGM1P3750D</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">36</Reason-Code>
</Event>

Looking for a console cable to telnet into the stack now
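The raw NPS event above is a single line of the XML log-file format, which is why the next reply finds it hard to read. The script below is an added example written for this thread, not code from Microsoft, Cisco or any poster. It pulls the fields that matter for a login failure out of such an event and annotates them: Packet-Type 3 is Access-Reject (RFC 2865 packet codes), Authentication-Type 1 is PAP, and Reason-Code 36 is "account locked out" in the NPS reason-code reference, which lines up with what the poster reports. The reason-code table is deliberately partial; anything unlisted is left for the reference. The sample event is constructed from the one posted above with the user and domain replaced by placeholders, and the expected-clients map (switch source IP to NPS friendly name) is an assumption the caller supplies from its own NPS RADIUS Clients list.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample, modelled on the NPS event posted in this thread (user and
# domain replaced with placeholders, the other fields as posted).
SAMPLE_EVENT = (
    '<Event>'
    '<Timestamp data_type="4">01/24/2025 10:43:00.777</Timestamp>'
    '<Computer-Name data_type="1">NPS_Server</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<SAM-Account-Name data_type="1">EXAMPLE\\someuser</SAM-Account-Name>'
    '<Client-IP-Address data_type="3">10.1.4.220</Client-IP-Address>'
    '<Client-Friendly-Name data_type="1">NGM1P3750D</Client-Friendly-Name>'
    '<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">36</Reason-Code>'
    '</Event>'
)

# RADIUS packet codes from RFC 2865 / RFC 2866.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# NPS Authentication-Type values from the NPS log-file format reference.
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP"}
# Partial map of NPS Reason-Code values; unlisted codes are deferred to the reference.
REASON_CODES = {0: "success", 16: "authentication failed (credential mismatch)",
                34: "account disabled", 35: "account expired", 36: "account locked out"}


def parse_nps_event(xml_text: str) -> Dict[str, Optional[object]]:
    """Flatten one <Event> element into the fields relevant to a login failure."""
    root = ET.fromstring(xml_text)
    fields = {child.tag: (child.text or "") for child in root}

    def as_int(tag: str) -> Optional[int]:
        return int(fields[tag]) if tag in fields and fields[tag].isdigit() else None

    return {
        "timestamp": fields.get("Timestamp"),
        "nps_server": fields.get("Computer-Name"),
        "user": fields.get("SAM-Account-Name"),
        "client_ip": fields.get("Client-IP-Address"),
        "client_name": fields.get("Client-Friendly-Name"),
        "policy": fields.get("Proxy-Policy-Name"),
        "auth_type": as_int("Authentication-Type"),
        "packet_type": as_int("Packet-Type"),
        "reason_code": as_int("Reason-Code"),
    }


def triage(event: Dict[str, Optional[object]], expected_clients: Dict[str, str]) -> List[str]:
    """Annotate the event. expected_clients maps each switch's RADIUS source IP to its NPS friendly name."""
    notes = []
    pt = event["packet_type"]
    notes.append(f"packet type {pt}: {PACKET_TYPES.get(pt, 'unknown')}")
    at = event["auth_type"]
    notes.append(f"authentication type {at}: {AUTH_TYPES.get(at, 'other')}")
    if pt == 3:
        rc = event["reason_code"]
        notes.append(f"reject reason {rc}: {REASON_CODES.get(rc, 'consult the NPS reason-code reference')}")
    ip, name = event["client_ip"], event["client_name"]
    if ip not in expected_clients:
        notes.append(f"client {ip} is not an expected switch address; check 'ip radius source-interface'")
    elif expected_clients[ip] != name:
        notes.append(f"client {ip} is registered in NPS as '{name}', expected '{expected_clients[ip]}'")
    else:
        notes.append(f"client {ip} ({name}) matches the registered RADIUS client; the request reached NPS and was processed")
    return notes


if __name__ == "__main__":
    ev = parse_nps_event(SAMPLE_EVENT)
    for line in triage(ev, {"10.1.4.220": "NGM1P3750D"}):
        print(line)
```

The NPS log file holds one <Event> per line, so feeding a whole file is a loop over its lines calling parse_nps_event on each. A logged Access-Reject with a matching client entry tells you the shared secret and RADIUS client registration are not the problem for that request; a shared-secret mismatch or an unregistered client IP is reported in the NPS server's event log rather than as an Access-Reject here.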

@bacjac38 have you modified the new NPS server to add the switch IP and shared secret? Does the connection match the correct policy? Any errors?

Everything matches - IP, policy, shared secret in the event log... I made the changes as shown when stating I got locked out. The event shown is from the new NPS server

@bacjac38 that event output is not clear, please provide a screenshot of the event (success or failure) and a screenshot of your NPS policies.
