Cisco C870



This is a quick how-to guide on how to have Microsoft Active Directory user accounts in a security group authenticate to Cisco gear. Afterwards you’ll be able to login with AD credentials on the Cisco router/switch for easier login control and management.

This guide assumes:

Find answers to any known issues with Cisco IOS c870-advipservicesk9-mz.124-15.T1.bin from the expert community at Experts Exchange. Cisco RV160W VPN Router with 4 Wireless Ports plus Wireless-AC VPN Firewall, Limited Lifetime Protection (RV160W-A-K9-NA) 4.2 out of 5 stars 87. What is the difference between these 2 versions of Cisco IOS? C870-advipservicesk9-mz.124-24.T1.bin c870-advsecurityk9-mz.124-24.T1.bin I know the advanced security IOS supports VPNs.

  • You have a full AD environment in place
  • You have a basic understanding of Cisco CLI commands
  • You have an AD security group in place for Cisco access
Configuration

First, install the RADIUS (network policy server) role onto your AD box.

We only need the network policy server role service.

Wait…..

Cisco C870

After the role finishes installing, we want to right-click on the NPS role and register it in AD.

Cisco c870 anyconnect

Next, lets add our first switch as a radius client, right-click -> new on ‘radius clients’.

Give it an easily identifiable name (we won’t ever actually need the name), ip address of the cisco device (you can also do entire subnets here), and a secret password

Once that’s done, right-click on ‘network policies’ and select ‘new’

Again, give your policy an easy to figure out name, leave server as ‘unspecified’ and click next.

Under conditions click ‘add’ then select the first option ‘windows groups’ and click ‘add’ again.

Add your already created Windows AD security group and ok out of the prompts.

Leave access permission at defaults and continue.

Set the authentication methods to what is shown below

If you see a warning prompt, click ‘no’ to continue.

Now we get into the tricky bits for Cisco equipment… Remove the ‘framed-protocol’ attribute.

On the left select ‘vendor specific’ and then click ‘add’

In the vendor dropdown select ‘Cisco’ and then click ‘Cisco-AV-Pair and then ‘add’.

click ‘add’ and enter the below value exactly as seen: shell:priv-lvl=15

Next until you see the completion screen, verify the settings at the bottom match what is seen here.

Don’t forget to scroll through them all!

Cisco c870 cisco

Cisco C870

Lastly, go back into ‘properties’ on your new policy and check the ‘ignore user account dial-in properties’ box, and click ‘ok’

And that’s it for the Windows side! You now have an AD tied RADIUS server ready to serve Cisco devices. Best practices recommends repeating this process on a second server for redundancy.

On the Cisco device, in config mode, make sure we have a proper aaa model….

Then create the new radius server group, you can add as many ‘server-private’ aka windows radius servers here as you like. Remember the key is the ‘secret’ that we set earlier in the Windows section. source-interface is recommended but not required.

Now we tell the Cisco device to try to authenticate via radius first, then if that fails fall back to local user accounts.

Finally, and optionally, you can set the device to not require the trailing @yourdomain.com at the end of your username when logging in via RADIUS. First set your AD domain name (ex. contoso.com), and then set the IP address of at least one domain controller (you can add more). Next tell radius to directly request our AD domain DCs, which will mean we can login with just AD usernames going forward, not fully qualified names.

Cisco 870 Router Price

And now your all set! Remember to save the config and test logging in as an active directory user on a new ssh session BEFORE closing your current session. If you fail to authenticate for any reason, you can continue to run commands/change the config on the currently open ssh session.