Authenticate and Authorize access to Cisco Devices via Microsoft NPS !

Most of the organization would love to implement a secure solution that does not cost

Almost every organization uses Microsoft Active directory and today I am going to demonstrate a solution for Cisco Device which will authenticate the users via AD username and password based on their roles {via NPS (Network Policy Server)}


Organization would like to allow access to Network devices using their AD username and password with privilege level assigned to each user so that they get respective access to the device based on their supporting roles.

Let’s Get Started!!!!!!!

Today we will deploy Microsoft NPS on Windows 2008 R2 and we will integrate with Cisco Devices

It will allow us to authenticate and authorize access to Cisco devices Command Line Interface (CLI) with Active Directory credentials.

In addition to that, privilege level will be determined and enforced based on Active Directory group membership.

We will create the below appropriate groups in Active Directory

  • Aftab_RO_Access – for users which will have privilege 1 access to Cisco devices
  • Aftab_RW_ACCESS – for users which will have privilege 7 access to Cisco devices
  • Aftab_FullAccess_Network – for users which will have privilege 15 access to Cisco devices

We will also:

  • Configuring Microsoft NPS Role on Windows Server 2008 R2
  • Configuring Network Policies on NPS/RADIUS
  • Adding Cisco router/Switches to NPS/RADIUS as client
  • Configuring Cisco Devices for Radius Authentication

Below table display the User and its group configured on AD and the policy name created on NPS.



Policy Name










First we will create 3 Users in Active Directory Users & Computers:

This Creates the User Aftab. Repeat the same procedure for other Users i.e. User – Support and User View

Now we will create Groups in Active Directory Users & Computers.

Adding Users to the Respective Groups

The below figure should be self-explanatory 🙂

Similarly add the other users to their respective groups as shown below.



Policy Name










Microsoft NPS Server Role Installation

On Server Manager perform a right-clik on Roles and choose Add Roles from context menu

Under Roles, list locate Network Policy and Access Services, make sure that checkbox on the left side of that role is checked and click Next to proceed to next installation screen.

Once all components for new role are installed in the system you will see Installation Results screen where you can find indication if whole process went well or some errors occurred.

Once done click close.

Now you can go to Start / Administrative Tools and find Network Policy Server icon which has been added to system as the effect of new role installation. Click that to start NPS management console.

Once you will start NPS management console you can see that one of the components of NPS is RADIUS.

This service is what we are looking for. We will need to provide authentication and authorization to Cisco devices based on Active Directory credentials and group membership.

Register NPS on Active Directory

First we will need to register Network Policy Server in Active Directory to allow authentication based on user accounts which we have created in our domain.

To authorize NPS in AD:

Logon to server with NPS using account with domain admin credentials.

Go to Start / Administrative Tools and then click Network Policy Server.

Right-click on NPS (Local) and from context menu click Register server in Active Directory.

Confirm that you want to authorize this computer (server with NPS) to access users’ dial-in properties by clicking OK in Network Policy Server dialog window. Make sure that authorization will happen in correct domain as per indication in message from system.

Add Cisco router as RADIUS client

To add router as RADIUS client:

• Logon to server with NPS using account with admin credentials.

• Go to Start / Administrative Tools and then click Network Policy Server.

• Expand RADIUS Client and Servers.

• Right-click on RADIUS Clients and click new from context menu.

  • In New RADIUS Client window Settings tab enter:

    • Friendly name of the router – It’s a name to recognize the device, usually same as hostname.
    • Address (IP and DNS) – IP address of the router or hostname – if hostname used proper hostname needs to be registered in DNS prior to RADIUS configuration.
    • Shared secret – passphrase which was configured on router which will allow to identify router when requesting AAA from RADIUS. ( as per our Lab its Cisco@123)

  • Once confirmed with OK we will see that router has been added to RADIUS configuration as client.

Adding NPS Policy :

Finally it’s the time to create Network Policies, which will allow users to access certain devices and enforce particular privilege level on Cisco device.

To add Network Policy:

Logon to server with NPS using account with admin credentials.

  • Go to Start / Administrative Tools and then click Network Policy Server.

Expand Policies.

  • Right-click on network Policies and click New from context menu.


Client Friendly Name – specify name of device(s) from which operator will have access (in that example router has hostname Aftab-R1,

You can also use a Wild card for example Aftab-R? Which means all devices which have name starting with Aftab-R question mark in client name means any string of characters)

Following the above procedure please create another policy for



Configuration on Cisco IOS

Now we will configure the Cisco Router or Switch such that when users attempts to access device via telnet or ssh, it should be authenticated and authorized in local database and if username or password doesn’t match then go to RADIUS.

Configuration !!


Configure terminal

aaa new-model

aaa group server radius IAS

server auth-port 1812 acct-port 1813

aaa authentication login userAuthentication local group IAS

aaa authorization exec userAuthorization local group IAS if-authenticated

aaa authorization network userAuthorization local group IAS

aaa accounting exec default start-stop group IAS

aaa accounting system default start-stop group IAS

aaa session-id common

radius-server host auth-port 1645 acct-port 1646 key Cisco@123

radius-server host auth-port 1812 acct-port 1813 key Cisco@123

It’s now time for Testing!!!!!!!!!!!!!!!

As User Aftab is part of group Aftab_FullAccess_Network , he is able to successfully get into priv mode as it is configured for priv level 15.

For Read Only Access !!

As User View is part of group Aftab_RO_Access, he is able to successfully get into user mode as it is configured for priv level 1.

Now I am unable to authenticate the User Support? I am able to log in with my other User’s but User Support has issues.

On troubleshooting I realized that it failed as I forgot to add this user to the group i.e Aftab_RW_ACCESS

I have added the user to the group. Please see below.

I can now successfully authenticate the User.

There are 16 privilege levels. User mode is level one. The highest is 15, sometimes referred to as privileged mode. There’s also a level 0, which has even fewer options that usermode.

To get into level 15, where you can view configurations and modify them, type enable in usermode. Provided that you have the password, your prompt will change from > to #. You can then enter commands such as show running-config, show startup-config, debug, and configure terminal.

The other levels (2-14) are used for custom access. For instance, if I have a junior admin that I want to be able to have access to the command show run, but not config t, I can configure these specific rules to be associated with a particular level. Whatever level you are, you get access to everything in your level, plus all of the commands found with the lower levels.