
Topic: Configure Cisco routers to use Active Directory authentication

  1. #1
    Real name: 1234
    Retired administrator; joined Jul 2009; location: 5678; posts: 5,634; thanked 2513 times; gave thanks 272 times

    Configure Cisco routers to use Active Directory authentication

    Code:
    http://articles.techrepublic.com.com/5100-10878_11-6182945.html
    Configure Cisco routers to use Active Directory authentication -- the router side



    In organizations that use Windows, employees use their Active Directory (AD) username and password to access their PCs every day. So why do you need separate credentials on your routers? You don't -- you can use the Windows AD database to log in to your Cisco routers and switches.
    In this two-part series, I'm explaining how to configure AD authentication on your routers and switches. Last time, I told you how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS). This week, let's wrap things up by explaining how to configure your routers and switches to use the authentication.
    Before we begin, let's go over this article's assumptions. We're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.
    For this article, I used a Cisco 871W router that's running Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)XC2, RELEASE SOFTWARE (fc1). Specifically, it has this IOS file: c870-advipservicesk9-mz.124-4.XC2.
    This router has a VLAN1 that four LAN Ethernet ports share by default. This is where I configured my IP address, as shown below:
    interface Vlan1
     ip address 192.168.1.100 255.255.255.0
    !
    interface FastEthernet0
     no shutdown

    Configure the router or switch

    While I'm using a Cisco 871W router, you can also use a Cisco switch, and the configuration should be similar. You can even configure this type of RADIUS authentication on a Cisco PIX firewall or Adaptive Security Appliance (ASA).
    To configure a router or switch to talk to the Windows IAS RADIUS server to authenticate logins for management, start by making sure you have a secret password enabled, as shown below:
    enable secret Secret!Pass1
    Next, configure the router for RADIUS authentication. Listing A offers an example.
    In this example, the IP address is the IP address of our Windows IAS RADIUS server, and the key is the key we entered when we configured the RADIUS client on the IAS server. In addition, we've configured the source interface to make sure the IP address of the RADIUS server matches the IP address of the RADIUS client we configured in IAS.
    We also configured an authentication list called TRAuthList. While you can use the default authentication list, I don't recommend it. The default list automatically applies to all login devices, including the console. So failure of the RADIUS authentication could also lock you out of the console.
    I also suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication method radius and then local, the router will fail back to the local authentication server if the RADIUS server ever goes down. Here's how to configure a local user:
    R1-871W(config)# username netadmin password secretpass1
    Next, we need to configure all of our lines with the authentication list we created. For this example, we have the normal five lines (0 to 4), but your device may contain more. Here's an example:
    R1-871W(config)# line vty 0 4
    R1-871W(config-line)# login authentication TRAuthList
    At this point, Windows AD authentication would work if we used Telnet to connect to the router or switch. However, for security's sake, I recommend using SSH instead of Telnet, so now we need to configure SSH.
    Start by making sure we have a hostname on the router. Here's an example:
    Router(config)# hostname R1-871W
    Then, make sure there's an IP domain name configured. Here's an example:
    R1-871W(config)# ip domain-name TechRepublic.com
    Next, generate the crypto keys, as shown below, and answer all questions with their defaults:
    R1-871W(config)# crypto key generate rsa
    Finally, restrict VTY lines to use only SSH -- not Telnet. Here's an example:
    R1-871W(config)# line vty 0 4
    R1-871W(config-line)# transport input ssh

    Test the configuration

    I recommend leaving the console or other existing connection to the router up until you can verify that the new configuration works. In addition, don't save the configuration until you make sure it works. If it doesn't work, you can always remove it or reboot the device to go back to the previous configuration.
    To test the new configuration, I connected to the router using SecureCRT, but you can also use PuTTY, which is free. Figure A displays the Session Options - New dialog box, which shows my connection settings. Note the SSH1 protocol -- not SSH2.
    Figure A: Notice that we are using SSH1, not SSH2.

    Figure B displays the Enter Username dialog box, which I use to log in with my Windows username.

    Figure B: Log in with your Windows username.

    With that, I have successfully connected, as shown in Figure C. I used the show users command to show that it's really me.

    Figure C: Using the show users command displays a successful connection.

    Troubleshoot the configuration

    When it comes to troubleshooting the Cisco IOS side of this complex configuration, using the debug and test commands is your best bet. Here's an example:
    Router# debug aaa authentication
    AAA Authentication debugging is on

    Router# debug radius authentication
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol (authentication) debugging is on
    Radius packet protocol (accounting) debugging is off
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Router#

    Router# test aaa group radius ddavis MyPass1 port 1645 new-code
    In addition to using the IAS log files, which I discussed in the previous article, this lets you see what's going on in the background on both sides of this configuration (i.e., the router or switch and the RADIUS server). If you run across an error message that you don't recognize, search the Web -- someone else has likely run across it already and figured out the resolution.

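Listing A is not reproduced in the post above, so here is an added example (not the article's own listing) of the AAA and RADIUS configuration the text describes, with the console deliberately kept on local authentication and the named list applied only to the VTY lines. The IAS server address 192.168.1.10 and the list name CONSOLE are assumptions; the shared key cisco, port 1645, TRAuthList, the netadmin account, and the hostname and domain name all come from the two posts.

```cisco
! Added example, not the article's Listing A. Order matters: create the local
! fallback account before enabling AAA so a remote session cannot lock you out.
username netadmin secret secretpass1
enable secret Secret!Pass1
!
aaa new-model
! IAS server (192.168.1.10 is an assumed address) and the shared key that was
! entered when the RADIUS client was defined in IAS. Port 1645 matches the
! port used in the "test aaa" command above.
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key cisco
! Source RADIUS packets from Vlan1 so they arrive from the IP address that was
! registered as the RADIUS client in IAS.
ip radius source-interface Vlan1
!
! Named login list: RADIUS first, local users only when no server answers.
! A rejected password is not a server failure, so a bad AD login does not
! fall through to the local account.
aaa authentication login TRAuthList group radius local
! Console stays local (assumed list name CONSOLE) so a RADIUS outage cannot
! lock you out of the serial port.
aaa authentication login CONSOLE local
!
! SSH prerequisites: the RSA key is named after hostname.domain-name.
hostname R1-871W
ip domain-name TechRepublic.com
! Interactive command; the modulus keyword avoids the size prompt.
crypto key generate rsa modulus 2048
! Prefer SSH version 2 over the SSH1 shown in the screenshots.
ip ssh version 2
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication TRAuthList
 transport input ssh
```

Keep the console session open while applying this and confirm with "test aaa group radius" and a fresh SSH login before saving, as the post advises.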

  2. #2
    Real name: 1234
    Retired administrator; joined Jul 2009; location: 5678; posts: 5,634; thanked 2513 times; gave thanks 272 times

    Code:
    http://articles.techrepublic.com.com/5100-10878_11-6180954.html?tag=rbxccnbtr1

    Configure Cisco routers to use Active Directory authentication -- the Windows side



    Takeaway: Did you know that you can leverage the Windows Active Directory username/password database to log in to your Cisco routers and switches? In this two-part series, David Davis walks you through the process. This time, he explains how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS).
    If your organization uses Windows, you probably use your Active Directory (AD) username and password to log onto your PC every day. So why do you need separate credentials on your routers?
    Even if you just need to remember an extra password, it can be annoying -- but it doesn't have to be. In fact, you can leverage the Windows AD username/password database to log in to your Cisco routers and switches.
    In this two-part series, I'll explain how to configure AD authentication on your routers and switches. This week, we'll start off by discussing how to install, configure, and troubleshoot Windows' Internet Authentication Service (IAS); next week, we'll wrap it up by explaining how to configure your routers and switches to use the authentication.
    Before we begin, let's go over this article's assumptions. For this configuration, we'll use IAS, the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy, which comes built into Windows 2000 Server and Windows Server 2003.
    In addition, we're assuming that you've already connected your router or switch to the LAN, enabled its LAN interface, and have an IP address on that LAN interface. If access to the router or switch is through a routed network, it also needs a default gateway configured.
    Install IAS

    Start off by installing IAS if you haven't already done so. For Windows Server 2003, follow these steps:

    1. Log in as an administrator.
    2. Go to Start | Control Panel, and double-click the Add Or Remove Programs applet.
    3. Click Add/Remove Windows Components.
    4. In the Windows Components Wizard, click Networking Services, and click Details.
    5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
    6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
    7. After IAS is installed, click Finish, and then Close.

    To keep track of who can log in to your Cisco network devices, I suggest creating an AD group called ciscoadmin. Then, make your existing Windows account a member of the ciscoadmin group.
    Configure IAS

    Now that we've installed IAS, we need to configure it. Begin by going to Start | Control Panel and double-clicking the Administrative Tools applet. Double-click the Internet Authentication Service applet, as shown in Figure A.
    Figure A: To begin configuring IAS, go to Start | Control Panel | Administrative Tools | Internet Authentication Service.

    This will open the Internet Authentication Service window, as shown in Figure B.

    Figure B: You must open the Internet Authentication Service window to configure IAS.

    Now we need to add a RADIUS client. Follow these steps:

    1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
    2. In the New RADIUS Client dialog box, as shown in Figure C, enter a display name for the client (i.e., your router or switch). I suggest using the router's hostname.
    3. Enter the LAN IP address of the client.

    Figure C: Enter a friendly name for the new client, and enter the IP address.

    4. Click Next, and select Cisco for the Client-Vendor.
    5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used cisco as my test password.
    6. Click Finish.

    Figure D shows the Internet Authentication Service window with the newly added client.
    Figure D: The Internet Authentication Service window displays the newly added client.

    Next, we need to create a remote access policy. Follow these steps:

    1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
    2. In the right pane, right-click the default policy, and select Delete.
    3. Right-click inside the right pane, and select New Remote Access Policy.
    4. In the Remote Access Policy Wizard, click Next.
    5. Click Set Up A Custom Policy, name it ciscoauth, and click Next.
    6. Click Add, select Windows-Groups, and click Add, as shown in Figure E.

    Figure E: Select Windows-Groups, and click the Add button.

    Enter ciscoadmin (or whatever group you want to use). In this example, we're using a local Windows server group. You can also use a Windows AD group -- which, of course, is preferable. Figure F shows the Groups dialog box with the ciscoadmin group listed.

    Figure F: The Groups dialog box will list the group you add.

    Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in Figure G.

    Figure G: Select Windows-Groups, and click the Add button.

    7. Click Next, select Grant Remote Access Permission, and click Next.
    8. Click Edit Profile, and select the Authentication tab.
    9. Deselect all check boxes; only select the Unencrypted Authentication (PAP/SPAP) check box, as shown in Figure H, and click OK.

    Figure H: Select the Unencrypted Authentication (PAP/SPAP) check box only.

    10. Next, select the Advanced tab.
    11. Select Service-Type, and click Edit.
    12. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in Figure I, and click OK.

    Figure I: Under Attribute Value, change it from Framed to Login.

    Back on the Advanced tab, select Framed-Protocol, and click Remove. Figure J displays the resulting dialog box.

    Figure J: All that's left to do is click OK.

    The system will likely ask if you want to view Help topics, as shown in Figure K.

    Figure K: For corresponding Help topics, click Yes.

    We're almost there. Click Next, click Finish, and that's it!
    Troubleshoot IAS

    When it comes to troubleshooting IAS, its logs can be very cryptic. For example, Figure L shows a log created while testing this article.

    Figure L: IAS logs can be a little hard to interpret.

    To help out with reading these logs, I use DeepSoftware.com's IAS Log Viewer. Figure M shows a screenshot of this tool.

    Figure M: IAS Log Viewer helps simplify logs.

    Stay tuned: Next time, we'll wrap up this tutorial by explaining how to configure your routers and switches to use AD authentication.
    Miss a column?

    Check out the Cisco Routers and Switches Archive, and catch up on David Davis' most recent columns.
