RADIUS on Windows Server 2019
If you need to connect your network devices in your IT system, RADIUS (Remote Authentication Dial-In User Service) will help you to get AAA capabilities — Authentication, Authorization, and Accounting. I will show how to use RADIUS services on a Windows Server 2019. I will skip some installation parts, since you can find them on the internet and reference section, below. In this topology, there is a switch needs to be reached by an administrator using username and password. By using any RADIUS server, all authentication can be done easily and more securely. Once an administrator changes admin password, all registered devices can be accessible using a RADIUS server easily.
Step 1. Create a lab
Step 2. Register switch on a Radius Server
Step 3. Create a user and group on Active Directory
Step 4. Switch configuration
interface vlan 1
ip address 192.168.3.30 255.255.255.0
!!Generate RSA for ssh connection
ip domain-lookup monash.local
crypto key generate rsa modulus 1024
ip ssh version 2
!!ONLY ssh connection for the switch
username user password Test123
transport input ssh
!!Indicate RADIUS server and authentication method
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
radius-server host 192.168.3.4 key SECRET-KEY
Step 5. SSH connection from a client to switch
By using Active Directory user, namely john1, a ssh connection is occurred from client pc. All packets can be seen on wireshark capture such as request, accept, port number, encrypted password etc.
Step 6. Proof of the concept - capturing RADIUS packets
In conclusion, it is beneficial and practical to use an Active Directory and Network Policy Server services together. Once you change the password of client on an Active Directory, you do not need to change passwords on network devices again. It is time saving. Of course, you can use Cisco ISE or any other authentication services, however, if you have any Active Directory service and do not have ISE, you can use RADIUS services together for network devices authorization and wireless authentication for clients.