
RADIUS on Windows Server 2019

If you need to connect the network devices in your IT system, RADIUS (Remote Authentication Dial-In User Service) gives you AAA capabilities — Authentication, Authorization, and Accounting. I will show how to use RADIUS services on Windows Server 2019. I will skip some of the installation parts, since you can find them on the internet and in the reference section below. In this topology, there is a switch that an administrator needs to reach with a username and password. With a RADIUS server, all authentication can be done centrally and more securely. Once an administrator changes the admin password, all registered devices remain accessible through the RADIUS server.

Step 1. Create a lab

Step 2. Register switch on a Radius Server

Step 3. Create a user and group on Active Directory

Step 4. Switch configuration

!!S1 Configuration
=======================================
hostname S1
!! Management address used to reach the RADIUS server
interface vlan 1
  ip address 192.168.3.30 255.255.255.0
  no shutdown
=======================================
!!Generate RSA for ssh connection (hostname and domain name must be set first)
ip domain-name monash.local
!! 1024 is the value used here; 2048 is the usual minimum today
crypto key generate rsa modulus 1024
ip ssh version 2
=======================================
!!ONLY ssh connection for the switch; the local account is the fallback if RADIUS is unreachable
username user password Test123
line vty 0 4
  transport input ssh
=======================================
!!Indicate RADIUS server and authentication method
!! login: ask RADIUS first, fall back to the local user database
!! exec: take the privilege level from RADIUS once the user is authenticated
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated

radius-server host 192.168.3.4 key SECRET-KEY
service password-encryption

Step 5. SSH connection from a client to switch

Using the Active Directory user john1, an SSH connection is made from the client PC to the switch. All the packets can be seen in a Wireshark capture: the request, the accept, the port number, the encrypted password, and so on.

Step 6. Proof of the concept - capturing RADIUS packets
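Steps 5 and 6 describe what the capture shows: an Access-Request carrying User-Name, User-Password, NAS-IP-Address and NAS-Port, answered by an Access-Accept. The Python script below is an added example, not code from this post, from NPS or from Cisco IOS. It builds the same exchange in memory following RFC 2865: it obscures the password the way the switch does, decodes and checks it the way the server does, and recomputes the Response Authenticator the way the switch must before trusting the reply. It also covers the reject path and the length checks a parser needs, which the post does not show. The shared secret is the SECRET-KEY placeholder from the configuration above, john1 is the user from the post, and the password `Passw0rd!`, the NAS-Port value and the packet identifier are constructed. The point worth seeing for a defender is that what Wireshark labels as an encrypted password is only masked by XOR with MD5(secret + authenticator), so its protection is exactly as strong as the shared secret and the isolation of the RADIUS traffic (a management VLAN, or RadSec/IPsec).

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values: the secret is the placeholder from the switch config,
# john1 is the user from the post, the password is made up for this example.
SHARED_SECRET = b"SECRET-KEY"
USERS = {b"john1": b"Passw0rd!"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 attribute types


def _attrs_bytes(attrs):
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def decode_user_password(obscured, secret, request_authenticator):
    """Inverse of encode_user_password; this is what the server does with the shared secret."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(obscured), 16):
        chunk = obscured[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = _attrs_bytes(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Split a datagram into (code, id, authenticator, [(type, value), ...]),
    rejecting the malformed lengths a server must not trust."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _attrs_bytes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def server_handle(request, secret, users):
    """Server side: decode the password with the shared secret, check it, and answer
    with an Access-Accept or Access-Reject bound to this request's authenticator."""
    code, identifier, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    password = decode_user_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(users.get(fields.get(USER_NAME, b""), b"\x00"), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply_code, identifier,
                        response_authenticator(reply_code, identifier, req_auth, [], secret), [])


def client_verify_response(response, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator before trusting the reply."""
    code, identifier, resp_auth, attrs = parse_packet(response)
    expected = response_authenticator(code, identifier, request_authenticator, attrs, secret)
    return hmac.compare_digest(resp_auth, expected)


def demo(password, user=b"john1", request_authenticator=None):
    """One Access-Request / reply exchange in memory; returns what the capture would show."""
    req_auth = request_authenticator or os.urandom(16)  # the NAS picks 16 random bytes
    request = build_packet(ACCESS_REQUEST, 0x2A, req_auth, [
        (USER_NAME, user),
        (USER_PASSWORD, encode_user_password(password, SHARED_SECRET, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 168, 3, 30])),  # S1's VLAN 1 address from the config
        (NAS_PORT, struct.pack("!I", 1)),            # vty line number, constructed
    ])
    response = server_handle(request, SHARED_SECRET, USERS)
    return {"response_code": parse_packet(response)[0],
            "verified": client_verify_response(response, req_auth, SHARED_SECRET),
            "request_len": len(request)}


if __name__ == "__main__":
    print(demo(b"Passw0rd!"))  # correct password: Access-Accept, reply verified
    print(demo(b"wrong"))      # wrong password: Access-Reject, reply still verified
```

Run it as is to see both outcomes; to follow a real capture, feed the UDP payload of an Access-Request from Wireshark to `parse_packet` and the matching Access-Accept to `client_verify_response` with the switch's shared secret. Note that the reply carries no attributes here; NPS normally adds vendor attributes such as the Cisco privilege level, which the Response Authenticator covers in the same way.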

In conclusion, it is beneficial and practical to use Active Directory and Network Policy Server together. Once you change a user's password in Active Directory, you do not need to change passwords on the network devices again, which saves time. Of course, you can use Cisco ISE or any other authentication service; however, if you have an Active Directory service and do not have ISE, you can use RADIUS services together with it for network device authorization and for wireless client authentication.

References:

https://theitbros.com/radius-server-configuration-on-windows/
