June 28, 2016
I'm assuming you have the NPS role installed on a Windows server, and a switch configured to the point where it can communicate with (can ping) the NPS server. Note that RADIUS itself runs over UDP 1812/1813 (or the legacy 1645/1646), so any firewall between the switch and the server must pass those ports too, not just ICMP.
Create a new RADIUS client as follows:
Friendly Name - Anything you want
IP Address - The address of a specific switch, or, in CIDR format, the subnet that contains all your switches. Bear in mind that a subnet entry is a single client with a single shared secret, so every device in that range shares it; one client per switch limits the damage if a secret leaks.
Create a new Connection Request Policy with the following settings:
Name - Switch Connection Policy
Type of server
Conditions - Add the following
Client Friendly Name = Friendly Name from above
Create a new network policy with:
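The RADIUS client step above can be scripted rather than clicked through. The following is an added example, not code from the original post: it generates a random shared secret on the NPS server, registers one switch as a client with the NPS PowerShell module, and checks that the client is enabled and that NPS is actually listening on the RADIUS ports. The module has no cmdlets for connection request or network policies, so those still get created in the console as described above. The switch name and address are assumptions.

```powershell
# Added example (not from the original post). Run on the NPS server as an
# administrator. Switch name and address below are assumptions.
Import-Module NPS

# Generate the shared secret locally instead of typing one by hand.
# A 64-character alphabet divides 256 evenly, so mapping bytes with modulo
# introduces no bias; 32 characters is within the length limits of NPS and
# the switch CLI, and contains nothing that needs escaping in quotes.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$switchName    = 'core-sw-01'   # assumption: the Friendly Name used in the policy condition
$switchAddress = '10.10.0.2'    # assumption: one switch, not a whole subnet
$secret        = New-RadiusSharedSecret

# One client per switch, so a leaked secret exposes only that switch's traffic.
New-NpsRadiusClient -Name $switchName -Address $switchAddress -SharedSecret $secret -Enabled $true

# Confirm the client is registered and enabled.
Get-NpsRadiusClient -Name $switchName | Format-List Name, Address, Enabled

# Confirm the NPS service (service name IAS) is running and bound to the RADIUS ports;
# a switch that can ping the server but gets no reply usually fails here or at a firewall.
(Get-Service -Name IAS).Status
Get-NetUDPEndpoint -LocalPort 1812, 1813 | Select-Object LocalAddress, LocalPort

# Emit the matching switch-side line once; the secret is not written anywhere else.
"radius-server key `"$secret`""
```

Paste the emitted `radius-server key` line into the switch configuration and then discard it; the only copies should be in NPS and in the switch's running config.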
Here are the relevant commands for the switch (the syntax is HP ProCurve's). Note that the web and ssh lines below have no `local` fallback, so if the NPS server is unreachable the console is the only way in; that is deliberate here, as the comments explain.
;Disable the telnet server since we don't want domain creds flying around in plain text
no telnet-server
;Setup the RADIUS server info
radius-server host
radius-server key " "
;Set switch to go immediately to enable mode once authenticated
aaa authentication login privilege-mode
;Configure specific interfaces to use the RADIUS server
aaa authentication web login peap-mschapv2
aaa authentication web enable peap-mschapv2
aaa authentication ssh login peap-mschapv2
aaa authentication ssh enable peap-mschapv2
;I omitted console since I want a backdoor in case of network issues, and have adequate physical access controls
;aaa authentication console login peap-mschapv2 local
;aaa authentication console enable peap-mschapv2 local
Written by Eric Haskins, maker of things.