Friday, 21 April 2017

RADIUS Server Setup For Cisco Switches Authentication



I have spent quite some time finding out how to get web access to my switches working through my RADIUS authentication. The main problem was that my Windows 2012 NPS log showed access granted, but I still failed to access the switch web interface (authentication failed for level 15), whereas SSH worked well.

The issue was my NPS configuration: I had missed an attribute, so the level 15 authorization was never passed to the switch. The following is a summary of the NPS configuration:


  • The Cisco switch sends the credentials using PAP, and you need to include the Service-Type as well:

  • You need to choose PAP for the switch authentication (the password is sent encrypted between the switch and NPS, but shows as clear text on the NPS server):




  • This is the part I missed, which caused the authorization level not to be sent:



  • This is where the authorization level is defined:



The following is the configuration on the switches for SSH access only, with local fallback:

! Enable AAA; login authentication tries RADIUS first, then the local user database
aaa new-model
aaa authentication login default group radius local
! Source address for RADIUS packets; must match the RADIUS client defined on NPS
ip radius source-interface Vlan##
! NPS server address and the shared secret configured for this client on NPS
radius-server host xx.xx.xx.xx key ciscosecret

Below is the additional configuration for web or CNA access:

! Exec (privilege level) authorization from RADIUS, with local fallback
aaa authorization exec default group radius local
! Include Service-Type (attribute 6) in login authentication requests
radius-server attribute 6 on-for-login-auth
! Send and accept Cisco vendor-specific attributes during authentication
radius-server vsa send authentication
! Make the HTTP server use AAA instead of the local enable/line passwords
ip http authentication aaa
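The switch settings above correspond to specific RADIUS encodings: PAP hides the User-Password with the shared secret, and the privilege level travels in attribute 26 as a Cisco VSA. The Python below is an added example, not code from the post, showing the RFC 2865 password hiding (encrypted on the wire, clear text once NPS applies the secret) and how a switch would read the level from an Access-Accept; the secret, Request Authenticator and the `shell:priv-lvl=15` AV pair are constructed sample values, and that AV pair is assumed to be what the missing NPS attribute returned.

```python
import hashlib
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # vendor-type of the Cisco-AVPair attribute
ATTR_VENDOR_SPECIFIC = 26  # attribute 26, carried when "radius-server vsa send authentication" is on
PRIV_PREFIX = b"shell:priv-lvl="  # assumed AV pair the NPS policy returns for level 15

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: the PAP password as it crosses the wire, each 16-byte chunk
    XORed with MD5(shared secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password: the clear text NPS recovers using the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def cisco_avpair(value: bytes) -> bytes:
    """Encode one Cisco-AVPair string as RADIUS attribute 26 (Vendor-Specific)."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa

def priv_level(accept_attrs: bytes):
    """Privilege level a switch would take from the attributes of an Access-Accept,
    or None when the VSA is absent (NPS says 'granted', switch still denies level 15)."""
    i = 0
    while i + 2 <= len(accept_attrs):
        attr_type, length = accept_attrs[i], accept_attrs[i + 1]
        if length < 2:  # malformed attribute, stop rather than loop forever
            break
        value = accept_attrs[i + 2:i + length]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            av = value[6:4 + value[5]]  # skip vendor-id, vendor-type, vendor-length
            if value[4] == CISCO_AVPAIR and av.startswith(PRIV_PREFIX):
                return int(av[len(PRIV_PREFIX):])
        i += length
    return None
```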