I'm assuming you have the NPS role installed on a Windows server, and a switch configured to the point where it can communicate with (can ping) the NPS server.
Create RADIUS Client
Create a new RADIUS client as follows:
- Friendly Name - Anything you want
- IP Address - The address of a specific switch, or the subnet that contains all your switches in CIDR format.
- Shared Secret - A 32 char (or less) secret. You'll need it later.
Create the Connection Request Policy
Create a new Connection Request Policy with the following settings:
- Name - Switch Connection Policy
- Type of server
- Conditions - Add the following
  - Client Friendly Name = Friendly Name from above
Create Network Policy
Create a new network policy with:
- Name - Anything you'd like
  - Switch Admin Policy
- Type of server
- Windows Group - Used to filter to only admin users
  - Add it and select an appropriate security group to have access to the switches.
- Client Friendly Name - Limit this policy to your switches. Use the friendly name from the RADIUS client.
- Access granted
- EAP Types
  - Add PEAP
- Less Secure authentication methods
  - Unselect all
- Under RADIUS Attributes > Standard
  - Set Service-Type to Administrative (under "Others" drop-down)
Here are the relevant commands for the switch.
;Disable the telnet server since we don't want domain creds flying around in plain text
no telnet-server
;Setup the RADIUS server info
radius-server host <NPS Server IP>
radius-server key "<Your Secret Key from the RADIUS Client in NPS>"
;Set switch to go immediately to enable mode once authenticated
aaa authentication login privilege-mode
;Configure specific interfaces to use the RADIUS server
aaa authentication web login peap-mschapv2
aaa authentication web enable peap-mschapv2
aaa authentication ssh login peap-mschapv2
aaa authentication ssh enable peap-mschapv2
;I omitted console since I want a backdoor in case of network issues, and have adequate physical access controls
;aaa authentication console login peap-mschapv2 local
;aaa authentication console enable peap-mschapv2 local
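As an added example (not part of the original post), the "Create RADIUS Client" step and the matching switch-side lines scripted in PowerShell using the NPS module's New-NpsRadiusClient and Get-NpsRadiusClient cmdlets; the friendly name, switch subnet and NPS address below are placeholder assumptions, and the connection request and network policies are still built in the console as described above.

```powershell
# Added example: provision the NPS RADIUS client for a switch with a randomly
# generated shared secret, verify NPS registered it, then print the switch commands
# that must match. Run on the NPS server (NPS PowerShell module, Server 2012+).
param(
    [string]$FriendlyName  = 'Core-Switch-01',  # assumed friendly name
    [string]$SwitchAddress = '10.0.0.0/24',     # assumed: single switch IP or CIDR subnet of switches
    [string]$NpsServerIp   = '10.0.1.10'        # assumed NPS server address
)

# The post caps the secret at 32 characters; draw 32 alphanumerics from a CSPRNG,
# using rejection sampling so no character of the alphabet is favoured.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789')
    # Largest multiple of the alphabet size below 256 (248 for 62 symbols)
    $limit    = [math]::Floor(256 / $alphabet.Length) * $alphabet.Length
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return -join $chars
}

$secret = New-RadiusSharedSecret

# Create the RADIUS client with the same three fields the console step asks for.
New-NpsRadiusClient -Name $FriendlyName -Address $SwitchAddress -SharedSecret $secret | Out-Null

# Confirm NPS actually holds the client before the switch is pointed at it.
$client = Get-NpsRadiusClient -Name $FriendlyName
if (-not $client) { throw "NPS did not register RADIUS client '$FriendlyName'" }

# Switch-side lines that correspond to the client just created. The secret is shown
# once here; record it in your password manager, as the post says you'll need it later.
@"
radius-server host $NpsServerIp
radius-server key "$secret"
"@
```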