Authenticate the Cisco Devices using Active Directory

We want to authenticate and authorize users on Cisco devices using Microsoft Active Directory. In this tutorial, we create two Active Directory groups, Network Admin and Network Tech. Network Admin has full access to the Cisco devices (privilege level 15), while Network Tech has only custom access (such as show commands, including show running-config, and interface configuration).

arbab belongs to the Network Admin group

ali belongs to the Network Tech group

Network Policy and Access Services:

Before starting this tutorial, I assume that you have installed Active Directory and it is up and running. Let’s start the tutorial by adding the NPS role:

Start -> Administrative Tools -> Server Manager

Click on Roles and then select the Add Roles:

Click Next:

Select Network Policy and Access Services and click Next:

Click Next:

Select Network Policy Server and click Next:

Click Install:

Click Close:

Configure the Cisco Router as a RADIUS Client in NPS:

Right-click on RADIUS Clients and select New:

Fill in the information according to your environment:

Router/Switch Friendly Name, IP address and Shared secret:

Create an Active Directory User Group:

Next, we need to create an Active Directory user group, which will be used to access the routers/switches.

Start -> Administrative Tools -> Active Directory Users and Computers

Right-click on Users, and select Group from the New menu:

Name your Group, select the Group scope and type:

Right-click on the newly created Group and select Properties:

Move to the Members tab and click on Add:

Select the desired members that you want to add to this group and click OK:

After adding all the desired members, click OK:

Create a Network Policy:

Right-click on Network Policies and select New:

Give it a meaningful name and select Next:

Click on Add:

Select Windows Groups and click Add:

A popup window will open; click Add Groups in it:

Select the Group that we created above (you may want to use an existing group instead) and click OK:

Click OK again:

After adding the Group, click Next:

Select Access granted and click Next:


Uncheck the default options, check Unencrypted authentication (PAP, SPAP) and select Next:

Select No on the popup window:

Skip the Constraints page by clicking Next (or configure it according to your requirements):

Remove the default attributes by selecting each attribute and clicking Remove:

After that click on Add:


Select Service-Type from Attributes and click OK:


Select Login from Attribute Information:

It will return you to the previous page; from there select Close:

Select Vendor Specific under RADIUS Attributes and click Add:

From the Vendor list, select Cisco, then select Cisco-AV-Pair from Attributes and click Add:

It will open a popup window; select Add in this window:

Enter shell:priv-lvl=15 for the privilege level 15 users’ group (i.e. Network Admin, with full access to the routers/switches) and click OK:

After returning to the RADIUS Attributes window, click Next:

Click Finish:

Move this Network Policy to the top:

Cisco Router Configuration:

Check the IP address and ping the Domain Controller to verify connectivity:

show ip interface brief


Configure AAA security services, the RADIUS server group and the shared key:

conf t
aaa new-model
aaa group server radius ADAAA
server-private key password

Note: ADAAA is just my group name, and the address given with server-private is the IP address of the Domain Controller, so change them according to your environment.

To enable authentication and authorization, use the following commands:

aaa authentication login default group ADAAA
aaa authorization exec default group ADAAA


Now, configure the authentication to the vty line(s):

line vty 0 4
transport input telnet ssh
login authentication default


Telnet/SSH to the Router from the Client Machine:

Now, try to log in to the router from the client machine using an Active Directory username and password:


Enter the username and password:



Create a new Network Policy with Privilege level 3:

Members of this group can only check the configuration using show commands and can only configure the interface(s).

Create a new Active Directory Group (as we did above), assign the users to this group and create the new network policy using the exact same steps that we followed above, with changes at the following steps:


Move this Network Policy to the top:

Test from the Client Machine:

User Ali belongs to the privilege level 3 group, which can only run show commands and cannot even check the running config:


To allow user Ali to view the running config, configure the router using a level 15 account or the console:

privilege exec all level 3 show running-config


Now, check that Ali can view the running config:

show running-config view full


User Ali cannot even run the configure terminal command:


To allow user Ali to run the configure terminal command as well as the interface-related commands:

privilege exec level 3 configure terminal
privilege configure all level 3 interface


Now, run the configure terminal and interface commands again as user Ali:
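
The router-side configuration from this tutorial gathered in one place, as an added example that is not part of the original post, with a local fallback so that an NPS or network outage cannot lock administrators out of the device. The group name ADAAA comes from the post; the angle-bracket placeholders, Loopback0 as the management source interface, the CONSOLE method list and SSH-only vty access are assumptions.

```cisco
! Added example, not from the original post: AAA against the NPS server
! with local fallback, plus the level-3 command set for Network Tech.
! Assumptions: <...> placeholders, Loopback0 as source interface, SSH only.
configure terminal
 ! Emergency account, consulted only when no server in ADAAA answers
 username netadmin privilege 15 secret <strong-local-password>
 aaa new-model
 aaa group server radius ADAAA
  ! PAP is what the IOS login path sends; the RADIUS User-Password is hidden
  ! only with the shared secret, so use a long random secret and keep this
  ! traffic on the management network
  server-private <nps-server-ip> key <shared-secret>
  ! Requests must come from the address registered as the RADIUS client in NPS
  ip radius source-interface Loopback0
 exit
 ! "local" is tried only when the RADIUS group is unreachable,
 ! not when NPS returns Access-Reject for a user outside the policy groups
 aaa authentication login default group ADAAA local
 aaa authorization exec default group ADAAA local
 ! Console stays on local authentication for out-of-band recovery
 aaa authentication login CONSOLE local
 line con 0
  login authentication CONSOLE
 line vty 0 4
  transport input ssh
  login authentication default
 ! Command set for the Network Tech policy (Cisco-AV-Pair shell:priv-lvl=3)
 privilege exec all level 3 show running-config
 privilege exec level 3 configure terminal
 privilege configure all level 3 interface
end
! Checks from a level-15 session before relying on RADIUS for the vty lines:
! confirm the server answers, then log in as a Network Tech user and verify
! the level actually granted and the commands visible at that level
test aaa group ADAAA <ad-username> <ad-password> new-code
show privilege
show running-config view full
```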


Hope this will help you!

Please Remember me in your prayers!

3 responses to “Authenticate the Cisco Devices using Active Directory”

  1. Michel January 15, 2013 at 6:32 am

    Great, please on linux!!

  2. Pingback: Authenticate the Cisco Devices using Active Directory | aghazada
