Sunday, August 14, 2011

Install Windows 2008 R2 NPS for RADIUS Authentication for Cisco Router Logins - part3

(Page 3)

This next attribute setting is optional but commonly configured so that users land directly in privileged EXEC mode (privilege level 15) when they log in to the Cisco router, instead of having to type enable and supply a second password.  Note that the router only honors this attribute if EXEC authorization against RADIUS is configured on it (aaa authorization exec ... group radius).  Under RADIUS Attributes select Vendor Specific, then click Add.


With Vendor set to “All”, select Vendor-Specific from the attribute list and click Add.

Click Add.

For the attribute information choose “Select from list” and pick Cisco from the menu.  Then select “Yes. It conforms.” (the Cisco attribute uses the standard RFC 2865 vendor-specific layout) and click Configure Attribute.

For the Vendor-assigned attribute number enter 1 (Cisco's cisco-avpair attribute; NPS fills in Cisco's vendor ID 9 for you because you picked Cisco above), for Attribute format choose String, and for Attribute value type exactly:
shell:priv-lvl=15
Then click OK.

Click OK.

Click Close.

Click Next.

Finally click Finish.

Now we need to define the Cisco router as a RADIUS client on the Windows NPS server.  Back in the Network Policy Server console, in the left pane expand RADIUS Clients and Servers, then right click RADIUS Clients and choose New from the menu.

In the New RADIUS Client dialog type the friendly name that you specified earlier in the network policy for this router.  Enter the IP address of the device.  NPS matches an incoming request to a client entry by the packet's source address and silently discards requests from addresses it does not know, so this must be the address the router actually sends from: the interface facing the NPS server according to the router's routing table, or the interface you named with the “ip radius source-interface” command if you configured that on the Cisco device.  Finally enter the shared secret RADIUS key that you specified on the router; it must match exactly, character for character.  Now click OK.

Now the NPS server needs to be registered in Active Directory, which adds its computer account to the RAS and IAS Servers group so that it is allowed to read users' dial-in properties.  Right click the NPS tree root in the left pane and choose “Register server in Active Directory”.

Click OK.

Click OK again.
Finally, I have noticed that NPS doesn’t seem to work after all this configuration until I’ve restarted the service.  So once again, right click the NPS tree root and select “Stop NPS Service”.  It seems to take a few moments for the service to actually stop, so wait 10-15 seconds, then right click NPS again and choose “Start NPS Service”.  Switch over to your router and make an attempt to log in.
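A quick way to check the network policy, the RADIUS client entry and the priv-lvl attribute together, without a console session on the router, is to send an Access-Request from a script and look at what comes back. The following is an added example and not code from the original post: a minimal RFC 2865 PAP client in Python that builds the request the way a router login does, verifies the Response Authenticator with the shared secret, and pulls shell:priv-lvl out of the Cisco Vendor-Specific attribute (vendor 9, attribute 1) configured above. Server address, shared secret, account and NAS address are placeholders passed on the command line. Two things to keep in mind: the network policy must allow PAP (a router login sends the password in User-Password), and because NPS discards requests from addresses that are not registered RADIUS clients, the machine running the script must itself be added as a RADIUS client, or run from an address you registered.

```python
"""Minimal RADIUS (RFC 2865) test client for an NPS Cisco-login policy.

Added example, not from the original post.  Sends a PAP Access-Request and
reports whether the reply is an Access-Accept carrying the Cisco AV pair
shell:priv-lvl=15.  Server, secret, account and NAS address are placeholders.
"""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 4, 6, 26
CISCO_VENDOR_ID = 9          # vendor ID NPS fills in when "Cisco" is picked from the list
CISCO_AVPAIR = 1             # the vendor-assigned attribute number entered in NPS
SERVICE_LOGIN_USER = 1       # Service-Type value a router login sends


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attr(atype, value):
    """Type-Length-Value; the length byte covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_vsa(avpair):
    """Vendor-Specific attribute holding one Cisco AV pair (RFC 2865 5.26 layout)."""
    return attr(ATTR_VSA, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(avpair) + 2) + avpair)


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for a PAP login like the router's."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_LOGIN_USER)))
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs), authenticator


def response_authenticator(response, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def parse_attributes(packet):
    """Yield (type, value); a VSA's value is expanded to (vendor_id, vendor_type, data).

    Assumes one AV pair per Vendor-Specific attribute, which is how NPS emits them.
    """
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        yield atype, value
        pos += alen


def privilege_level(response):
    """priv-lvl from the Cisco AV pair, or None when the server sent none."""
    for atype, value in parse_attributes(response):
        if atype == ATTR_VSA and value[:2] == (CISCO_VENDOR_ID, CISCO_AVPAIR):
            text = value[2].decode("ascii", "replace")
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


def check_login(server, secret, user, password, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP 1812 and return (accepted, priv_lvl)."""
    request, request_auth = build_access_request(user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        response, _ = sock.recvfrom(4096)
    # A reply whose authenticator does not verify means a wrong shared secret or a forged packet.
    if response[1] != request[1] or response[4:20] != response_authenticator(response, request_auth, secret):
        raise ValueError("Response Authenticator check failed: shared secret mismatch or spoofed reply")
    return response[0] == ACCESS_ACCEPT, privilege_level(response)


if __name__ == "__main__":
    # placeholders: python radtest.py <nps-server> <shared-secret> <user> <password> <router-ip>
    srv, key, usr, pwd, nas = sys.argv[1:6]
    ok, lvl = check_login(srv, key.encode(), usr, pwd, nas)
    print("Access-Accept" if ok else "Access-Reject", "priv-lvl:", lvl)
```

If the script times out, NPS most likely dropped the request because the source address is not a registered RADIUS client; if it raises the authenticator error, the shared secret differs between the two sides; an Access-Accept with priv-lvl None means the policy matched but the Vendor-Specific attribute was not returned, which is where a Connection Request Policy overriding the network policy usually shows up.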
One thing to keep in mind with these Network Policies in NPS is that some of their settings can be overridden by Connection Request Policies.  Daryl Hunter noted this in his blog on the subject, so check the connection request policy first if you have any difficulties.  Hope all goes well!
