Domain Authentication against AD for Cisco and Juniper network devices
On the AD side:
- Install NPS on your AD DC.
- Create a key (http://dice.neko-san.net/2012/08/linking-junos-authentication-to-active-directory-using-radius/ has screenshots, if you need that sort of thing.)
- Add clients (your switches/firewalls) as RADIUS clients, each with that key.
See also http://blog.arwin.me/os/cisco/how-to-setup-cisco-ios-to-authenticate-via-active-directory/
On a Cisco ASA:
aaa-server RADIUS protocol radius
aaa-server RADIUS host [IP address of your RADIUS box / AD machine running NPS] key [key]
radius-common-pw [key]
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication https console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
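To make the role of the RADIUS key concrete, here is an added Python example (not from this page, and not NPS, Cisco or Juniper code) that builds an Access-Request the way a switch or ASA does, hides the password with the shared secret as RFC 2865 specifies, answers it the way a RADIUS server does, and verifies the Response Authenticator on the device side. It uses RFC 2865 User-Password hiding (PAP) rather than MS-CHAPv2, a constructed secret, a fixed Request Authenticator so results are reproducible, and a one-entry user table standing in for AD; the user names, addresses and secret are all made up.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def encode_attr(attr_type, value):
    """One attribute as type / length / value; length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(data):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): each 16-byte chunk XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a server holding the same secret recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Device side: Access-Request with a random Request Authenticator unless one is given for tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, identifier, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def handle_access_request(request, secret, users):
    """Stand-in for NPS: recover the password and compare it against a constructed user table."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    username = attrs.get(ATTR_USER_NAME)
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(users[username], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, b"", request_auth, secret)

def verify_response(response, request, secret):
    """Device side: return the reply code only if it answers our identifier and its
    Response Authenticator checks out, i.e. the sender knows the shared secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = build_response(code, identifier, response[20:], request[4:20], secret)[4:20]
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code

# Constructed values: a shared secret, a fixed Request Authenticator and a one-user "directory".
SECRET = b"example-shared-secret"
FIXED_AUTH = bytes(range(16))
USERS = {b"alice": b"Correct-Horse-Battery"}

def demo():
    """Matching secret on both ends -> verified Access-Accept (2). Mistyped secret on the
    device -> the server recovers garbage and rejects, and its reply fails verification (None)."""
    req = build_access_request(7, b"alice", b"Correct-Horse-Battery", SECRET, "10.0.0.1", FIXED_AUTH)
    good = verify_response(handle_access_request(req, SECRET, USERS), req, SECRET)
    bad_req = build_access_request(8, b"alice", b"Correct-Horse-Battery", b"typo", "10.0.0.1", FIXED_AUTH)
    bad = verify_response(handle_access_request(bad_req, SECRET, USERS), bad_req, b"typo")
    return good, bad

if __name__ == "__main__":
    print(demo())
```

Two things this shows that the config lines alone do not: a mistyped key does not produce an error, it produces a reject for every login because NPS cannot recover the password, and replies are only trustworthy because the Response Authenticator is computed over the secret, so a device should discard any reply that fails that check. Keep in mind that RADIUS LOCAL on the ASA falls back to local accounts only when the server group is unreachable, not when NPS rejects the user.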
On a Cisco switch:
This example shows local authentication, which lets you Telnet into the router with username “cisco” and password “cisco.”
aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet
In order to test authentication with SSH, you have to add the following to the previous statements in order to enable SSH:
ip domain-name host.domain.tld
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router to SSH connections only, and enable SSH version 2:
crypto key generate rsa
ip ssh time-out 30
ip ssh version 2
line vty 0 4
 transport input ssh
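The Telnet-versus-SSH point above is easy to check mechanically. The following added Python example (not Cisco's code and not part of the original page) parses IOS-style running-config text and flags vty lines that still permit Telnet, a missing ip ssh version 2, and a missing aaa new-model. The two config samples are constructed inline from the snippets above, and the set of checks is this example's own choice, not an exhaustive hardening standard.

```python
# Constructed running-config fragments: the Telnet example from above and an SSH-only one.
TELNET_CONFIG = """\
aaa new-model
username cisco password 0 cisco
line vty 0 4
 transport input telnet
"""

SSH_ONLY_CONFIG = """\
aaa new-model
ip domain-name host.domain.tld
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 transport input ssh
"""

def parse_ios_config(text):
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())  # indented line belongs to the previous command
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_vty_access(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios_config(text)
    top_level = {cmd for cmd, _ in blocks}
    findings = []
    if "aaa new-model" not in top_level:
        findings.append("aaa new-model missing: AAA is off, so RADIUS login cannot apply")
    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 missing: SSHv1 may still be negotiated")
    vty_blocks = [(cmd, subs) for cmd, subs in blocks if cmd.startswith("line vty")]
    if not vty_blocks:
        findings.append("no 'line vty' section found")
    for cmd, subs in vty_blocks:
        # 'transport input telnet ssh' -> ['telnet', 'ssh']; 'all' also admits Telnet
        transports = [s.split()[2:] for s in subs if s.startswith("transport input")]
        if not transports:
            findings.append(f"{cmd}: no 'transport input' statement, remote protocols not restricted")
        for protocols in transports:
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{cmd}: transport input {' '.join(protocols)} permits cleartext Telnet")
    return findings

if __name__ == "__main__":
    for name, cfg in (("telnet example", TELNET_CONFIG), ("ssh-only example", SSH_ONLY_CONFIG)):
        print(name, audit_vty_access(cfg) or ["ok"])
```

Run it against the output of show running-config saved to a file and the first sample above reports both the Telnet transport and the missing SSH version 2, while the SSH-only sample reports nothing.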
On a Juniper switch or firewall running JunOS (the square brackets in authentication-order below are literal Junos list syntax; the other [brackets] are placeholders, as above):
set system authentication-order [radius password]
set system radius-server [IP Address of DC running NPS] secret [key]
set system radius-server [IP Address of DC running NPS] source-address [IP Address of interface that will communicate to DC]
set system radius-options password-protocol mschap-v2
set system login user [username] full-name "[Full User Name]" uid 9999 class super-user
# NOTE: this erases your local password, so that ONLY the domain password is allowed. This is more secure but more of a PITA if your NPS box craps out.
delete system login user [username] authentication encrypted-password