This article describes how to configure a Windows 2016 RADIUS server (NPS) so that it can be used to log on to a Cisco device.
- Set up the NPS server on Windows 2016
- Configure NPS as a RADIUS server
- Configure the Cisco device to use RADIUS login
- Configure the Cisco device to fall back on local authentication when the RADIUS server is unreachable
Add a new role on Windows 2016: Network Policy and Access Services.
Create the RADIUS clients and set the shared secret to PASSTEST.
Create a new network policy and add two conditions: the user group, and a friendly name like s? (all devices starting with s).
Use PAP, SPAP authentication; in the standard attributes, add Service-Type with the value Login.
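On your Cisco device, create an entry for your RADIUS server.
The server name will be LNXSRV, with the IP 10.0.0.40.
The shared key is PASSTEST; it is set with the key command inside the same radius server block and must match the secret entered in NPS.
radius server LNXSRV
 address ipv4 10.0.0.40 auth-port 1812 acct-port 1813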
Define a server group that will contain your RADIUS server.
We define the group: GRPSRV
The RADIUS server is LNXSRV
aaa group server radius GRPSRV
 server name LNXSRV
To get RADIUS authentication:
aaa new-model
aaa authentication login default group GRPSRV local
aaa authorization console
aaa authorization exec default group GRPSRV local if-authenticated
Warning: local authentication occurs only when the RADIUS server is unreachable. To test the fallback, you can stop the RADIUS service.
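The steps above assembled into one fallback-ready IOS configuration, as an added example that is not the original article's own listing. LNXSRV, GRPSRV and 10.0.0.40 come from the article; the local account name localadmin, the placeholder secrets and the timeout and retransmit values are assumptions.

```cisco
! Added example. Values in <...> are placeholders to replace before use.
aaa new-model
!
! Local account for the fallback case (name is an assumption).
! Without at least one local user, the "local" method has nothing to
! check against when RADIUS is down and nobody can log in.
! algorithm-type scrypt needs a recent IOS release; otherwise use "secret".
username localadmin privilege 15 algorithm-type scrypt secret <LOCAL-FALLBACK-PASSWORD>
!
radius server LNXSRV
 address ipv4 10.0.0.40 auth-port 1812 acct-port 1813
 ! Must be identical to the shared secret entered for this client in NPS.
 ! The article uses PASSTEST as a test value; with PAP the secret is what
 ! protects the user password in transit, so use a long random string.
 key <SHARED-SECRET>
 ! Assumed timers: first try plus two retransmits of 5 s each, so the
 ! device waits about 15 s before treating the server as unreachable.
 timeout 5
 retransmit 2
!
aaa group server radius GRPSRV
 server name LNXSRV
!
! Method list: RADIUS first, local second. The second method is tried
! only when the first returns no answer. A reject from NPS is a final
! answer and does not fall through to the local account.
aaa authentication login default group GRPSRV local
aaa authorization console
aaa authorization exec default group GRPSRV local if-authenticated
!
end
!
! Verification from exec mode, before closing the current session:
!   test aaa group GRPSRV <user> <password> new-code
!   show aaa servers
```

Keep the existing console or SSH session open while testing, and confirm both the RADIUS login and the local fallback from a second session before saving the configuration.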