Cisco login MS radius authentication with local fallback

Publié le Auteur manuLaisser un commentaire

This article describes the configuration of a windows 2016 radius server (NPS) to Log on a cisco device

  • Setup NPS server on windows 2016
  • Configure NPS as a radius server
  • Cisco device configuration to use radius login
  • Cisco device configuration to fall back on local authentication when the radius server is unreachable

Add a new role on windows 2016: Network policies and access services
Create clients, indicate shared secret PASSTEST.
Create a new network strategy, add conditions user group and friendly name like s? (all devices starting with s).
Use PAP SPAP authentication, in standard parameters add Service-type Login


On your cisco device create an entry for your radius server.
Server name will be LNXSRV with the IP 10.0.0.40.
The shared key is PASSTEST

radius server LNXSRV
address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
key PASSTEST

Define a group server that will contain your radius server.
We define the group: GRPSRV
The radius server is LNXSRV

aaa group server radius GRPSRV
server name LNXSRV

To get radius authentication:

aaa authentication login default group GRPSRV local
aaa authorization console
aaa authorization exec default group GRPSRV local if-authenticated

Warning: local authentication will occur only when the radius server is unreachable. To make some tests can stop radius services.

Laisser un commentaire