1 of 37

CISCO AAA – WINDOWS SERVER

Luis Sabala

2 of 37

TOOLKIT

  • Oracle VM VirtualBox
    • Windows Server 2022 VM
  • GNS3 environment
  • Ansible Automation

3 of 37

WINDOWS SERVER SETUP

  1. Install Oracle VM VirtualBox
    • https://www.virtualbox.org/wiki/Downloads
  2. Obtain the Windows Server 2022 edition .iso image
  3. Deploy an instance of Windows Server with VirtualBox
  4. Parameters
    • Base Memory: 2 GB
    • Processors: 1 CPU
    • Disk Size: 20 GB
    • Network Adapter: Bridged

4 of 37

Reference Images (1)

5 of 37

Reference Images (2)

6 of 37

Reference Images (3)

7 of 37

Reference Images (4)

8 of 37

WINDOWS SERVER SETUP

  1. Verify that Windows Server can ping the GNS3 node prior to proceeding further
  2. Server Manager > Dashboard
    • Add roles and features
    • Installation Type: Role-based or feature-based installation
    • Server Selection: Default should list the local Windows Server
    • Server Roles: Select ‘Network Policy and Access Services Tools’ checkbox
    • Select ‘Restart the destination server automatically if required’ checkbox
    • Select ‘Install’
    • Once complete select Tools > Network Policy Server

9 of 37

Adding RADIUS Client

Configured Parameters

  1. Settings
    • Name: Westlake-R1
    • Address: 192.168.4.20
    • Shared Secret: Sharedkey123
  2. Advanced
    • Vendor: Cisco

10 of 37

Adding Local Users & Groups

  1. Open Computer Management
  2. Define 2 groups
  3. Define 2 users
  4. To add users to groups
    • Select Group > Properties > Add

11 of 37

Adding Network Policies (Priv-15)

  1. Open Server Manager Dashboard > Network Policy Server
  2. Add new policy
  3. Condition: Select Windows Groups
  4. Add created group & select ‘next’
  5. Select ‘Access granted’ Permission
  6. Auth Type: Select only ‘Unencrypted authentication (PAP, SPAP)’
  7. Select ‘Next’ until you reach RADIUS Attributes section

12 of 37

Reference: Adding Network Policies (2)

13 of 37

Adding Network Policies (3)

  1. Standard Attributes
    • Remove Default Framed Protocol
    • Edit Service-Type to the value ‘Login’
  2. Vendor Specific Attributes
    • Click ‘Add’ & select ‘Vendor-Specific’
    • Under Attribute Information click ‘Add’ & select ‘Cisco’ from list
    • Select ‘Configure Attribute’ & specify the parameters shown in the reference image
    • Click ‘OK’ then ‘Close’

14 of 37

Adding Network Policies (4)

  1. With the vendor-specific attribute listed, click ‘Next’ followed by ‘Finished’
  2. For policy modifications: Double click policy

15 of 37

Adding Network Policies (Priv-1)

16 of 37

Adding Network Policies (2)

17 of 37

Adding Network Policies (3)

18 of 37

Adding Network Policies (4)

19 of 37

Adding Network Policies (5)

20 of 37

GNS3 TOPOLOGY

21 of 37

AAA TASK REQUIREMENTS

  1. User A
    • User: Thomas
    • Pass: s3cretPasswd
    • Privilege Level: 15
  2. User B
    • User: Johnny
    • Pass: r3gularPasswd
    • Privilege Level: 1
  3. Enable Password: Westlake-R1
  4. AAA Failover
    • User: Localuser
    • Pass: localpassword

22 of 37

AAA CONFIGURATION

  1. Test connectivity to the Windows Server prior to router configuration
  2. Ansible Tasks for Playbook
    1. Configure local failover user
    2. Define AAA
    3. Define AAA Server Parameters
    4. Define AAA Group Parameters
    5. Define AAA Methods
    6. Apply AAA Methods
    7. Test!
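The seven playbook tasks above produce one Cisco IOS AAA configuration, and the failover test in Task 7 only works if that configuration has a few specific properties (a local user, a server group referenced by the method lists, and `local` as the last method). The following is an added example, not the deck's playbook or the author's code: a constructed running-config excerpt grouped by the task that creates it, plus a small audit of the failover-relevant properties. The NPS server address 192.168.4.10 and the names WINDOWS-NPS and NPS-GROUP are assumptions; the slides only give the router address 192.168.4.20, the shared secret, and the credentials.

```python
# Added example, not part of the slides: the IOS AAA configuration that Tasks 1-6
# of the playbook produce (constructed here as a running-config excerpt) and an
# audit that checks the properties the Task 7 failover test relies on.  The NPS
# server address 192.168.4.10 and the names WINDOWS-NPS / NPS-GROUP are
# assumptions; the slides only give the router address 192.168.4.20.
import re

SAMPLE_CONFIG = """\
! Task 1: local user for failover
username Localuser privilege 1 secret localpassword
! Task 2: define AAA
aaa new-model
! Task 3: AAA server parameters (server address assumed for this example)
radius server WINDOWS-NPS
 address ipv4 192.168.4.10 auth-port 1812 acct-port 1813
 key Sharedkey123
! Task 4: AAA group parameters
aaa group server radius NPS-GROUP
 server name WINDOWS-NPS
! Task 5: AAA methods, RADIUS first, local database only when NPS does not answer
aaa authentication login default group NPS-GROUP local
aaa authorization exec default group NPS-GROUP local
enable secret Westlake-R1
! Task 6: apply AAA methods to the VTY lines
line vty 0 4
 login authentication default
 authorization exec default
"""


def _sections(lines):
    """Group 'radius server' and 'aaa group server radius' blocks with their
    indented sub-lines.  Returns ({server: [sub-lines]}, {group: [sub-lines]})."""
    servers, groups, current = {}, {}, None
    for line in lines:
        m = re.match(r"radius server (\S+)$", line)
        if m:
            current = servers.setdefault(m.group(1), [])
            continue
        m = re.match(r"aaa group server radius (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif not line.startswith(" "):
            current = None
    return servers, groups


def audit_aaa(config: str) -> list:
    """Return findings (strings); an empty list means the config passes every check."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists are ignored")
    servers, groups = _sections(lines)
    for name, body in servers.items():
        if not any(b.startswith("address ipv4 ") for b in body):
            findings.append(f"radius server {name}: no address")
        if not any(b.startswith("key ") for b in body):
            findings.append(f"radius server {name}: no shared key")
    for name, body in groups.items():
        for ref in (b.split()[2] for b in body if b.startswith("server name ")):
            if ref not in servers:
                findings.append(f"group {name}: undefined server {ref}")
    # Login authentication and exec authorization must try the server group first
    # and end with 'local', otherwise an unreachable NPS locks everyone out.
    for kind in ("authentication login", "authorization exec"):
        prefix = f"aaa {kind} default "
        methods = next((l[len(prefix):].split() for l in lines if l.startswith(prefix)), None)
        if methods is None:
            findings.append(f"aaa {kind} default: no method list")
            continue
        referenced = [methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"]
        if not referenced:
            findings.append(f"aaa {kind} default: no server group, nothing reaches NPS")
        for g in referenced:
            if g not in groups and g not in ("radius", "tacacs+"):
                findings.append(f"aaa {kind} default: undefined group {g}")
        if "local" not in methods:
            findings.append(f"aaa {kind} default: no 'local' fallback, lockout if NPS is unreachable")
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username: the 'local' method has nothing to fall back to")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no enable secret: privilege-1 users cannot reach privileged EXEC")
    return findings


if __name__ == "__main__":
    print(audit_aaa(SAMPLE_CONFIG) or "AAA config passes all checks")
```

Running the audit against the output of `show running-config | section aaa|radius|username|enable|line vty` after the playbook has applied the tasks is a cheap way to confirm the failover path before deliberately taking NPS offline in Task 7.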

23 of 37

TASK 1: LOCAL USER

24 of 37

TASK 2: DEFINE AAA

25 of 37

TASK 3: DEFINE AAA SERVER

26 of 37

TASK 4: DEFINE AAA GROUP PARAMETERS

27 of 37

TASK 5: DEFINE AAA METHODS

28 of 37

TASK 6: APPLY AAA METHODS

29 of 37

TASK 7: TEST!

  • User: Thomas
  • Privilege: 15
  • Login Password: s3cretPasswd
  • No Enable Password necessary

30 of 37

TASK 7: TEST!

  • User: Johnny
  • Privilege: 1
  • Login Password: r3gularPasswd
  • Enable Password: Westlake-R1

31 of 37

TASK 7: TEST!

  • User: LocalUser
  • Privilege: 1
  • Fall-back to local authentication
  • Enable Password: Westlake-R1

32 of 37

WIRESHARK PACKET CAPTURE (ACCESS-REQUEST)

  • RADIUS Access-Request packet
    • RADIUS Default Features
      • The User-Password attribute is sent obscured with an MD5-based cipher keyed by the shared secret (not in clear text)
      • RADIUS is carried over UDP
      • Default UDP ports: 1812/1813 (authentication/accounting) and the legacy 1645/1646

33 of 37

WIRESHARK PACKET CAPTURE (ACCESS-ACCEPT)

  • RADIUS Access-Accept packet
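The two capture slides above and the vendor-specific attribute configured in the Priv-15 network policy fit together in one exchange: the router sends an Access-Request carrying User-Name and an obscured User-Password (PAP, which is why the policy had to allow unencrypted authentication), and NPS answers with an Access-Accept carrying Service-Type Login and a Cisco vendor-specific attribute. The block below is an added example, not code from the slides or the author: it builds and decodes both packets with the deck's values (Westlake-R1 at 192.168.4.20, shared secret Sharedkey123, user Thomas). The packet identifier, the Request Authenticator and the exact attribute set (including `shell:priv-lvl=15` as the Cisco AV-pair behind the "Priv-15" policy) are assumptions for the example. It goes slightly beyond the slides by also checking the Response Authenticator, which is what stops a spoofed Access-Accept from being trusted.

```python
# Added example, not part of the slides: build and decode the RADIUS exchange
# between Westlake-R1 (192.168.4.20, shared secret Sharedkey123) and NPS for the
# user Thomas.  Packet identifier, Request Authenticator and the exact attribute
# set NPS sends are constructed for this example (assumptions, not captured data).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1   # Service-Type value for 'Login'
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco (the 'Cisco' vendor in NPS)
CISCO_AVPAIR = 1         # Cisco-AVPair sub-attribute, carries e.g. "shell:priv-lvl=15"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + previous
    ciphertext block); block 0 uses the Request Authenticator.  MD5 acts as a
    keystream generator keyed by the shared secret, not as a one-way hash."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the shared secret and the capture
    (Wireshark with the secret configured, for instance) sees the PAP password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id, then a vendor sub-attribute TLV."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(data: bytes) -> list:
    """Return (type, value) pairs; Cisco VSAs come back as ('Cisco-AVPair', text)."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            name = "Cisco-AVPair" if sub_type == CISCO_AVPAIR else sub_type
            out.append((name, value[6:4 + sub_len].decode()))
        else:
            out.append((atype, value))
        i += alen
    return out


def build_exchange(secret=b"Sharedkey123", user=b"Thomas", password=b"s3cretPasswd",
                   ident=42, request_auth=None):
    """Access-Request from the router and the Access-Accept NPS returns for it."""
    request_auth = request_auth or os.urandom(16)          # NAS picks a random Request Authenticator
    req_attrs = (attr(USER_NAME, user)
                 + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
                 + attr(NAS_IP_ADDRESS, bytes([192, 168, 4, 20])))
    request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(req_attrs)) + request_auth + req_attrs
    # Accept: Service-Type=Login plus the Cisco VSA from the Priv-15 network policy
    acc_attrs = attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + cisco_avpair("shell:priv-lvl=15")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(acc_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    resp_auth = hashlib.md5(header + request_auth + acc_attrs + secret).digest()
    return request, header + resp_auth + acc_attrs


def verify_accept(accept: bytes, request: bytes, secret: bytes) -> bool:
    """What the router must check before trusting a reply: matching identifier and
    a Response Authenticator computed over this request's Request Authenticator."""
    if accept[1] != request[1]:
        return False
    expected = hashlib.md5(accept[:4] + request[4:20] + accept[20:] + secret).digest()
    return hmac.compare_digest(expected, accept[4:20])


def granted_privilege(accept: bytes):
    """Privilege level carried in the Cisco AV-pair, or None if the reply has none."""
    for name, value in parse_attrs(accept[20:]):
        if name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None
```

The round trip shows the two defensive points behind the capture slides: the password obscuring is only as strong as the shared secret and the network the request crosses, and the Access-Accept is only meaningful once its Response Authenticator checks out against the secret and the original Request Authenticator.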

34 of 37

WIRESHARK PACKET CAPTURE (FAILOVER)

  • Duplicate RADIUS Access-Request packets (router retransmissions)
  • No reply from the RADIUS server
  • Failover to local Cisco authentication

35 of 37

WINDOWS EVENT VIEWER

  • Successful Login Attempt

36 of 37

WINDOWS EVENT VIEWER

  • Unsuccessful Login Attempt

37 of 37

THANK YOU

  • Luis Sabala