Cisco IOS fu 7 Cisco RADIUS Windows Server 2. NPS
Daryl Hunter

One of my latest projects has been to change all the login and enable passwords for our various Cisco routers and switches. We've had some turnover, and frankly, they haven't been changed in many many years. So, I had one of three options: simply change the login passwords and enable passwords. AAA RADIUS authentication based on Windows 2. NPS. I chose the third option. Why? I like a challenge. No, not really. I chose that because it will make it easier to adjust/change access to the devices whenever we have staffing changes, or whatever. Using Windows 2. 00. NPS will utilize an Active Directory group just like all of the other RADIUS stuff we do. It's something we're familiar with. Let's get going.

First of all, giant shout to hezetation for this. Hez and I are friends and we worked together at a previous employer AND he's a very sharp Cisco and Apple guy (what? Cisco and Apple at the same time?). As I got going, and then eventually stuck (more on that later), Hez was a great resource. Two thumbs up. Thanks dude!

Cisco Config

So let's get going on the config changes needed for the Cisco gear. The below is the example from my home router, a Cisco 8. W that gives me internet access and also VPN access back to the home office in Oklahoma.

First of all, we need a local username so we can still get to the devices in case RADIUS goes down:

    username <username> privilege 1. B0. 72. C5. A2. 60. B2. 47. 54. 11. C3. A1. 81. 92. 21. 83. A6. A6. 71. F1. A1. B

Next we need to add the actual AAA RADIUS stuff.

Next we'll adjust the RADIUS access itself:

    ip radius source-interface bvi. B0. 72. C5. A2. 60. B2. 47. 54. 11. C3. A1. 81. 92. 21. 83. A6. A6. 71. F1. A1. B

Finally we'll change the config for the con and vty ports:

    line con 0
     authorization exec <group name>
     login authentication <group name>
    line vty 0 4
     authorization exec <group name>
     login authentication <group name>

That's it. Seriously. You're done on the Cisco side.

Windows Server 2. NPS Config

This was the trickier part. In our environment, we're already using Windows Server 2. NPS for our Cisco VPN and Ruckus Wireless setup. All I'm doing here is adding additional functionality. No problem. Let's get going.

Let's start by creating some clients; these will be our various Cisco devices (routers, switches and such). Head over to NPS (Network Policy Server applet), expand RADIUS Clients and Servers, right-click on RADIUS Clients and choose New. Yup, just like that.

Now, let's enter useful information. Notice that I'm starting my Friendly name with Cisco (more on that later). The shared secret is the same shared secret that I entered above in the Cisco config section under radius server key. They need to match. Click on the Advanced tab. Let's choose the Vendor Name of Cisco. This DOES work with RADIUS Standard, but for fun let's choose Cisco. We're done. Click OK.

Now, head back to the NPS. Right-click on Network Policies, and choose New. Alrighty, here's some screen shot galore. Follow along.

Give your new policy a name, something useful to you so you know which one it is, especially if you have several different policies. Unspecified is fine for the type of NAS. Click Next.

Okay, let's add some conditions. Click Add. We'll restrict login to people based on AD membership, so choose Windows Groups, and click Add. Click Add Groups. We want RADIUS Admins. Click OK. Click OK again. Good.

Now, we also want to apply this to the various RADIUS Clients that are important to us (you know, the ones that start with Cisco). Click Add. What we want is Client Friendly Name. Click Add.
And we want any RADIUS client that starts with Cisco, so enter Cisco and click OK. Looks good so far. Click Next.

Access Granted. Yes please. Click Next. Make sure PAP is checked. Click Next. No need to read the help if you don't want. No constraints to deal with. Click Next.

Here comes the fun. Remove both the PPP and Framed attributes. Then click Add. Choose Service Type. Click Add. Choose Others and Login. Click OK, then Close. That's all for Standard.

Now, click on Vendor Specific. Great. Click Add. Choose Vendor Specific and click Add. Choose Cisco as your vendor. Yes, this conforms to RADIUS RFC. Click Configure Attribute. This string is what gives successful authentication enable or privilege 1. Cisco gear. Make the appropriate changes. Click OK. Click OK again. Looks good. Click OK again. Click Close.

I used the defaults for all the rest of the NAP and RRA stuff above. Click Next. All that looks good. Notice my name here is Cisco. Devices. Admins. 2 (this is the 2nd time I did this and I cannot find my first screen shot). Pay no attention to that. Oopsie! Click Finish.

Let's Test

Great! Now, let's test this sucker. We're going to telnet to my 8. W router 1. 0. 3. IP address. Let's go do it. Drop to terminal.

What? "This line may not run PPP." What does that mean? Let's go check out the logs on NPS first. Here's the log entry. As I look at it more closely, I'm granted full access. NPS did its job. What in the world? Why can I not get access to my router? Time for some Google fu.

PAUSE FOR 2 DAYS OF HEAD BANGING

So, as you google for the phrase "This line may not run PPP" Cisco RADIUS, you'll find a ton of people with the same problem. And, all of them have this issue on Server 2. NPS. Why is that? Well, this is where hezetation becomes a hero. He lets me screen share his setup and poke through each and every window and session and attribute.
Our Network Policies are identical minus the name. So, we then talk about global policies and Hez has an ah ha moment.

The Fix

So, I have a single Connection Request global policy; let's go to NPS and look at that. The Windows. Authentication policy overrides the others with certain settings. Settings. Check that out. PPP. Right there under RADIUS Attributes Standard. I don't need that. I have specific Network Policies to handle VPN/RADIUS and such. Let's remove both of those (the PPP and Framed settings) and click OK to apply the changes.

Test Again

Right, now let's test again. SUCCESS! YAY! Okay, so that's that. I had the policy and Cisco configs right. What I missed was the fact that under Server 2. NPS, the Connection Request Policy settings could override globally individual Network Policies. Good info to know.

Next step: figuring this out for our various Dell PowerConnect switches random 3. THAT be fun.

Update 9 1. I have added our various Cisco 1. APs into our AAA RADIUS admin setup and these instructions worked the same way as they did for routers, switches, etc. This works just fine. Hope this helps someone.
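
Added example, not part of the original post: a small Python check that parses the RADIUS Access-Accept a router receives and flags the Service-Type=Framed and Framed-Protocol=PPP attributes that a Connection Request Policy can inject, which is the condition behind "This line may not run PPP". The packets are constructed samples with a zeroed authenticator, and the cisco-avpair value shell:priv-lvl=15 is an assumed, conventional value rather than the string from the post's screen shot.

```python
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26  # RFC 2865 types
CISCO_VID, CISCO_AVPAIR = struct.pack("!I", 9), 1  # vendor 9, subtype 1

def attr(atype, value):  # one attribute: type, length, value
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs):
    """Constructed Access-Accept; the authenticator is zeroed, not computed."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return packet[0], attrs

def exec_login_problems(packet):
    """List the attributes that stop an exec (console/vty) login."""
    code, attrs = parse_attributes(packet)
    problems = [] if code == ACCESS_ACCEPT else ["not an Access-Accept"]
    for atype, value in attrs:
        if atype == SERVICE_TYPE and int.from_bytes(value, "big") == 2:
            problems.append("Service-Type=Framed")
        elif atype == FRAMED_PROTOCOL and int.from_bytes(value, "big") == 1:
            problems.append("Framed-Protocol=PPP")
    return problems

def cisco_avpairs(packet):
    """Extract cisco-avpair strings from Vendor-Specific attributes."""
    return [v[6:4 + v[5]].decode("ascii", "replace")
            for t, v in parse_attributes(packet)[1]
            if t == VENDOR_SPECIFIC and len(v) > 6 and v[:4] == CISCO_VID and v[4] == CISCO_AVPAIR]

# Constructed samples; the AV pair value is an assumption, not taken from the post.
AVPAIR = attr(VENDOR_SPECIFIC, CISCO_VID + attr(CISCO_AVPAIR, b"shell:priv-lvl=15"))
OVERRIDDEN = build_accept([attr(SERVICE_TYPE, struct.pack("!I", 2)),
                           attr(FRAMED_PROTOCOL, struct.pack("!I", 1)), AVPAIR])
FIXED = build_accept([attr(SERVICE_TYPE, struct.pack("!I", 1)), AVPAIR])
```

OVERRIDDEN models the reply while the Connection Request Policy still carries the PPP and Framed settings; FIXED models the reply after they are removed and only Service-Type=Login and the vendor-specific string are returned.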