How to setup and test AAA with NPS Server (Part 2)


Wireshark

Author: Celal Dogan
Reviewer: Deepak Prasad

After installing NPS and configuring the NAS (router) in Part 1, we will set up NPS for authentication, authorization, and accounting services.

 

Register NPS

Step-1:  Launch Server Manager and navigate to Tools → Network Policy Server

Step-2:  Right click on your server (my server name is "NPS(Local)"), then click on "Register server in Active Directory" to have permission to access user account credentials and dial-in properties in Active Directory.

How to setup and test AAA with NPS Server (Part 2)

 

Create a RADIUS client

Before configuring NPS policies, look at the topology below. NPS will not processes the requests coming from any client (NAS). We need to define a new RADIUS client (NAS) on NPS.

How to setup and test AAA with NPS Server (Part 2)

 

Step-1: Expand "Radius client and Servers" and right click on "RADIUS Clients", then click on "New".

How to setup and test AAA with NPS Server (Part 2)

 

Step-2: Thick "Enable this RADIUS client" and fill "Friendly name and Address (IP or DNS)" fields. You can create the shared secret (key) either Manually or by automatic generation. Ensure that the shared secret key must match at the both side NPS and NAS. I select "Manual" and enter my key on the NAS (router). Click "OK" to finish this step.

How to setup and test AAA with NPS Server (Part 2)

 

Define a connection request policy

Step-1:  We will define a "Connection Request Policy" which allows you to designate whether connection requests are processed locally or forwarded to remote RADIUS servers. Sometimes we may want to forward the request to another RADIUS server. For example, we can forward the request coming from wireless network to a different RADIUS server while processing wired network requests locally. Sharing load or separating roles between multiple RADIUS server prevents enterprise wide system failures.

Navigate to "Policies" and expand it. Right click on "Connection Request Policy" to create a new policy, then click on "New".

How to setup and test AAA with NPS Server (Part 2)

 

Step-2:  Give a name to your policy (for instance, crp_for_cisco_routers) and select "Unspecified" from drop down list, then click "Next".

How to setup and test AAA with NPS Server (Part 2)

 

Step-3:  We need to specify what criteria is needed to be met. Click on the "Add" button to create a condition (filter).

How to setup and test AAA with NPS Server (Part 2)

 

Step-4:  A window offering multiple options appears. You can add any condition you want, as long as it matches. Remember I made the router send "Service-Type: Login", I will use this attribute as a condition. Scroll down and find "Service Type" in the list. Double click on it or just click "Add". Go to "Other" list and enable "Login" option, and then click "OK". You can use multiple condition.

How to setup and test AAA with NPS Server (Part 2)

 

Step-5: "Service-Type" attribute comes from the NAS. I pasted an "Accept-Request" details from Wireshark on the following screenshot so that it should be easier to understand.  In short, "Service-Type" will match the attribute in the "Accept-Request" packet. To proceed, click "Next".

How to setup and test AAA with NPS Server (Part 2)

 

Step-6: In this window, we can select whether the local server process the request or we will forward it to another server. If we want to deliver the request to another RADIUS server, we can define a new server by clicking on the "New" button.  Since I want the connection requests to be processed locally, I click on the "Next" button. The same thing is valid for "Accounting" as well.

How to setup and test AAA with NPS Server (Part 2)

 

Step-7:  Since, we will define the authentication method in the network policy, leave everything to the default and click "Next".

How to setup and test AAA with NPS Server (Part 2)

 

Step-8:  We will send vendor specific attributes (privilege levels for Cisco’s router) in network policy, just click "Next" to proceed.

How to setup and test AAA with NPS Server (Part 2)

 

Step-9: Click "Finish" to complete connection request policy. 

How to setup and test AAA with NPS Server (Part 2)

 

Define a network policy

Defining a network policy is almost the same as defining a connection request policy. The policy will authenticate and authorize the users.

Step-1: Navigate to "Policies" and expand it. Right click on "Network Policies" to create a new policy, then click on "New".

How to setup and test AAA with NPS Server (Part 2)

 

Step-2: Give a name to your policy (for instance, np_for_cisco_routers) and select "Unspecified" from drop down list, then click "Next".

How to setup and test AAA with NPS Server (Part 2)

 

Step-3: Click on the "Add" button to create a condition (filter).

How to setup and test AAA with NPS Server (Part 2)

 

Step-4: In this window, we will set the condition needed to be matched.  When the "Access-Request" packet is received, the server will check if the user is a member of "Network Admin" group or not. If the user’s credential is valid, the server will authenticate and authorize the user with a privilege level. Select "User Groups" and click "Add". From that window, click "Add Groups.." then select "Network Admin" group and click "OK", then "OK" again.

How to setup and test AAA with NPS Server (Part 2)

 

How to setup and test AAA with NPS Server (Part 2)

 

Step-5: Select "Access granted" which means the user has passed the authentication successfully. Click "Next"

How to setup and test AAA with NPS Server (Part 2)

 

Step-6: This is the one of the most important steps. Cisco routers uses Password Authentication Protocol (PAP). Thus, I will select PAP and click on "Next". You can select multiple authentication method from the list to support.

How to setup and test AAA with NPS Server (Part 2)

 

Step-7: In this window, you can pick days and times, allowing access only on these days and these times. For example, you can let your users to connect to your network resources only at the weekend. For simplicity, I will not set any constrains. Click on "Next" to proceed.

How to setup and test AAA with NPS Server (Part 2)

 

Step-8: We will set authorization attributes from this window. At the left pane, under "RADIUS Attributes" click "Standard". You will see a couple of standard RADIUS attributes in the list. We do not need them which come default. Remove them from the list. At the left pane, under "RADIUS Attributes" click "Vendor Specific", and then "Add". Select Cisco from "Vendor" list and click "Add" to set the authorization information (shell:priv-lvl=15 attribute). Do not worry, if you use a vendor other than Cisco. You can add a "custom" vendor from the list.

Follow the steps below to send Cisco "Privilege Level" through an attribute.

How to setup and test AAA with NPS Server (Part 2)

 

How to setup and test AAA with NPS Server (Part 2)

 

How to setup and test AAA with NPS Server (Part 2)

 

How to setup and test AAA with NPS Server (Part 2)

Configuration on NPS server has finished.

 

Step-9: Click on "Finish" to complete the policy.

How to setup and test AAA with NPS Server (Part 2)

 

Step-10: Follow the same steps and create a new network policy for "Network Operator" group. The only difference is that you should authorize that group with lower privileges like "shell:priv-lvl=7". I noticed that I had named my network policy "np_for_cisco_routers". I will change it to "np_for_Network_Admin" for relevant naming. Following shows the final policies.

How to setup and test AAA with NPS Server (Part 2)

 

Testing authentication, authorization and accounting

I will login to the router with jane credentials while capturing packets with Wireshark.

Step-1: The RADIUS client creates an "Access-Request" packet with number of attributes, asking the server to authenticate jane.

How to setup and test AAA with NPS Server (Part 2)

 

Step-2: The RADIUS server authenticates and authorizes jane with "priv-lvl=15" by "Access-Accept" packet.

How to setup and test AAA with NPS Server (Part 2)

 

Step-3: The RADIUS client informs the server that the client started to use the service with "Accounting-Request" packet.

How to setup and test AAA with NPS Server (Part 2)

 

Step-4: The RADIUS server acknowledges the client with "Accounting Response" packet.

How to setup and test AAA with NPS Server (Part 2)

 

Step-5: The RADIUS client informs the server that the client disconnected and remained connected for 27 seconds with "Accounting-Request" packet.

How to setup and test AAA with NPS Server (Part 2)

 

Step-6: The RADIUS server acknowledges the client with "Accounting Response" packet.

How to setup and test AAA with NPS Server (Part 2)

 

Login to the NAS (router) to check the authorization level

I will login to the router with "jane" and "john" who are member of different groups.

Step-1: Make an SSH connection to the NAS with jane’s credential and run "show privilege". My output is below.

login as: jane
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
RB_GW# show privilege
Current privilege level is 15
RB_GW#

 

Step-2: Make an SSH connection to the NAS with john’s credential and run "show privilege". My output is below.

login as: john
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
RB_GW# show  privilege
Current privilege level is 7
RB_GW#

 

Final thoughts

NPS is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. It is very easy to configure it for authentication, authorization and accounting.

 

Celal Dogan

Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

1 thought on “How to setup and test AAA with NPS Server (Part 2)”

Leave a Comment