Radius Microsoft Nps Logging

If RADIUS accounting fails due to a full hard disk drive or other causes, NPS stops processing connection requests, preventing users from accessing network resources. NPS provides the ability to log to a Microsoft® SQL Server™ database in addition to, or instead of, logging to a local file. While debugging EAP-TLS authentication between Windows 7 desktop and the Windows Server 2016 NPS, I noticed that the Event Log for.

Introduction

This document describes the procedure of Remote Authentication Dial-In User Service (RADIUS) configuration on Cisco Wide Area Application Services (WAAS) and Windows 2008 R2 Network Policy Server (NPS).

The default WAAS configuration uses local authentication. Cisco WAAS also supports RADIUS and Terminal Access Controller Access-Control System (TACACS+) for Authentication, Authorization, and Accounting (AAA). This document covers the configuration for one device only; however, the same configuration can be applied under a device group. All of the configuration must be applied via the WAAS CM GUI.

General WAAS AAA configuration is provided in the Cisco Wide Area Application Services Configuration Guide under chapter Configuring Administrative Login Authentication, Authorization, and Accounting.

Contributed by Hamilan Gnanabaskaran, Cisco TAC Engineer.

Edited by Sanaz Tayyar, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • WAAS 5.x or 6.x
  • Windows NPS server
  • AAA - RADIUS

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco WAAS - Virtual Central Manager (vCM)
  • WAAS 6.2.3.b
  • Windows 2008 NPS

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a default configuration. If your network is live, ensure that you understand the potential impact of any command.

Related Products

This document can also be applied with these hardware and software versions:

  • vWAAS, ISR-WAAS and all the WAAS appliances
  • WAAS 5.x or WAAS 6.x
  • WAAS as Central Manager, Application Accelerator

Note: APPNAV-XE doesn't support this configuration. Router AAA pushes the configuration to APPNAV-XE.

Configuration Steps

These configurations need to be applied:

1. WAAS Central manager
1.1 AAA RADIUS configuration
1.2 AAA Authentication configuration
2. Windows 2008 R2 - NPS server configuration
2.1 RADIUS Clients Configuration
2.2 Network Policy Configuration
3. WAAS CM configuration for RADIUS User Accounts

1. WAAS Central Manager

1.1 In WAAS Central Manager, create the RADIUS server under Configure>Security>AAA>RADIUS.

1.2 Configure the authentication method to reflect RADIUS under Configure>Security>AAA>Authentication Methods.

The primary authentication method is set to RADIUS and the secondary authentication method is set to local, so in the event of a RADIUS failure the customer can still log in via a local account.

2. Windows 2008 R2 - NPS Server Configuration

2.1 In the Windows 2008 R2 - NPS server, create the WAAS device IP as a RADIUS client.

2.2 In the Windows 2008 R2 - NPS server, create a network policy to match the WAAS devices and allow authentication.

In the LAB these parameters must be selected under NPS >Policies>Network Policy.

Condition can be matched with Radius Client Friendly Name. Other methods can be used such as IP address.

Authentication Methods as Unencrypted Authentication (PAP, SPAP).

Service-Type as Administrative.

Vendor Specific Attribute as Cisco-AV-Pair (Shell:priv-lvl=15).

Allow Full Network Access.
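
To confirm from a packet capture that NPS returns the attributes this policy sets, the Access-Accept can be decoded as shown here. This is an added example, not part of the Cisco document: the packet is constructed sample data, the function names are hypothetical, and the numeric codes (Service-Type 6 with value 6 for Administrative, Vendor-Specific type 26, Cisco vendor ID 9, cisco-avpair sub-type 1) are taken from RFC 2865 and the Cisco VSA layout.

```python
import struct

ACCESS_ACCEPT, SERVICE_TYPE, VENDOR_SPECIFIC = 2, 6, 26   # RFC 2865 codes
ADMINISTRATIVE = 6                                        # Service-Type value
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                      # Cisco VSA, sub-type 1

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_sample_accept(avpair=b"shell:priv-lvl=15"):
    """Constructed Access-Accept (zeroed authenticator) with the policy's attributes."""
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(avpair) + 2) + avpair
    attrs = attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE)) + attr(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_accept(packet):
    """Return (service_type, [Cisco AV pairs]) from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    service_type, avpairs, pos = None, [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            # Vendor-Id (4 bytes), then vendor type, vendor length, data.
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if (vendor, v_type) == (CISCO_VENDOR_ID, CISCO_AVPAIR) and 2 <= v_len <= len(value) - 4:
                avpairs.append(value[6:4 + v_len].decode("ascii", "replace"))
        pos += a_len
    return service_type, avpairs

def priv_level(avpairs):
    """Shell privilege level from the AV pairs, or None if absent."""
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key.strip().lower() == "shell:priv-lvl" and val.isdigit():
            return int(val)
    return None
```

Calling `parse_accept()` on the UDP payload of a captured reply and passing the AV pairs to `priv_level()` shows whether the policy matched: a reply without Service-Type Administrative or without the `shell:priv-lvl` pair means a different network policy answered the request.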

3. WAAS CM configuration for RADIUS User Accounts

Configuring a user in RADIUS with privilege level 15 or 1 does not provide access to the WAAS CM GUI. The CMS database maintains a list of users, roles, and domains separate from the external AAA server.

After the external AAA server is configured correctly to authenticate a user, the CM GUI must be configured to give that user the necessary roles and domains to work within the CM GUI.

If the RADIUS user is not in the CM under users, this message is displayed when that user logs in to the GUI: "Your account does not have privileges to access any of the Central Manager Pages. Please Check with you Administrator about Provisioned roles and domains."

Configure the local user name under WAAS CM without a password.

The username must be bound to the right roles under Role Management for each user.

If the user needs to have read-only access or limited access, this can be configured under roles.

Verification

This configuration is pushed to the WAAS devices.

radius-server key ****
radius-server host 10.66.86.125 auth-port 1645
!
authentication login local enable secondary
authentication login radius enable primary
authentication configuration local enable secondary
authentication configuration radius enable primary
authentication fail-over server-unreachable

The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.

  • authentication- Configure Authentication

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

  • Check the Windows domain logs
  • Run #debug aaa authorization from the WAAS CM CLI

Related Information

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy.

As a RADIUS server, NPS performs centralized authentication and authorization for wireless devices, and it authorizes switch, remote access dial-up, and virtual private network (VPN) connections. Using NPS, you can centrally configure and manage network access authentication, provide authorization for connection requests, and accounting for information logs.

As a RADIUS proxy, NPS allows you to configure connection request policies that tell the NPS which connection requests to forward to other RADIUS servers. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.

Applications Manager monitors the availability and performance of Radius servers, and proactively alerts administrators of authentication, authorization, or accounting bottlenecks encountered by the NPS Server.

Monitoring NPS performance

Are you experiencing sluggish application performance in your Microsoft NPS environment? Monitor the availability and performance of your Microsoft NPS configured as a RADIUS server. You can plan capacity, ensure your host CPU has adequate resources, and monitor your storage memory with CPU and Memory Usage stats. Without impacting application performance, you can add more resources based on server needs.

Gain insights into your NPS policy engine

How quickly your NPS matches connection requests with network policies is a good measure of the efficiency of its policy engine. With Applications Manager, you can measure just that! You will see the length of time taken by NPS to process requests, the rate of pending requests on NPS, and the number of requests that matched configured policies. With this approach, Applications Manager exposes processing bottlenecks on the NPS and how they impact policy matching.

Microsoft NPS accounting

The NPS also provides a central accounting recording service for all accounting requests sent by the clients. The accounting request and response measures serve as effective indicators of the workload on the NPS server. Accounting data can also assist with network access troubleshooting. With Applications Manager, you can easily track accounting requests and responses between NPS and clients; uncover the load on a server to pinpoint irregularities in load balancing; proactively detect potential slowdowns, accurately isolate what is causing it, and promptly fix the problem. Additionally, you can capture the rate at which packets are dropped, as well as how many erroneous packets are received by the server; which in turn will shed light on any issues with the client, or in the network connection between the server and the client.

Microsoft NPS authentication

When NPS is used as a RADIUS server, it provides a central authentication and authorization service for all access requests that are sent by RADIUS clients, and it authenticates user credentials for connection attempts. As a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow.

Using Applications Manager, you can be instantly notified if your NPS denies or rejects access requests very often. You can also rapidly capture any unusual delays in request authentication by NPS, track the Access-Request messages sent by every access server for authentication, and report the rate at which these access requests are challenged or rejected by NPS.

Detect real-time performance issues and fix them faster

Applications Manager helps you distinguish consistent performance patterns from anomalies, which is critical to ensuring that your data platform delivers optimal performance for the end users of your applications. Additionally, you will be alerted if there are potential slowdowns in NPS authentication, and you'll be able to spot any abnormal number of rejections of access requests, as well as authentication bottlenecks. By receiving instant notifications of performance issues and bottlenecks, you can take quick remedial action before your end users experience issues.

With Applications Manager, you gain system-wide visibility into resource utilization, application performance, and operational health of your NPS and application performance.