In a recent project I have been working on, I had to install and configure the Network Policy and Access Services role (Network Policy Server, NPS) on Windows Server 2012 for Cisco devices (the process is the same for Windows Server 2012 R2). I thought I would share the basic configuration settings required to enable this feature so that a Cisco device can talk to the Network Policy Server for Active Directory authentication over RADIUS.
Firstly, we will need to install the role via “Add Roles and Features”.
For the purpose of this post I am installing it on my single DC within my lab environment.
Tick “Network Policy and Access Services” and press “Add Features”.
Press “Next”, as we only need “Network Policy Server”, and then press “Install”.
Now that we have successfully installed Network Policy Server, we need to create a security group to control who is allowed to authenticate to the network devices. Open “Active Directory Users and Computers”.
Create a new security group in the required location within your AD structure. I am creating a new security group in “OU=Groups,OU=LyncMe,DC=Lyncme,DC=Local”.
Give the group a name; I will be using Network Device Access.
Group Scope = Global
Group Type = Security
You will need to add the users who will be managing the Cisco network devices. For example, I have a group called Network Managers, who are the network guys in my lab environment, and I add that group as a member.
Now that we have a security group to manage network access, launch “Network Policy Server” from the Start window.
Once Network Policy Server has opened, we will configure a Shared Secret template to be used for the handshake between the server and the network device. Go to “Template Management”, right click “Shared Secrets” and click “New”.
You will see the window below.
You will need to enter a template name (I will be using Cisco Device Access), and you have the option to create a manual key or allow Windows to generate a key.
If you let Windows generate a key, it will look like this.
So depending on how much you hate your network team, you can give them this secret or generate one yourself. The warning triangle states the following: “Not all RADIUS clients support long secrets. You might need to edit the generated secret.”
But for the purpose of this blog I will use a manual secret of “HeWilNotPass”.
We now need to create the network policy for NPS, so go to “Policies”, right click “Network Policies” and press “New”.
You will now see the window below, where you need to specify a policy name. I have used Network Device Access.
Press “Windows Groups” and press “Add”.
Press “Add Groups”.
Enter the group name you specified earlier, i.e. Network Device Access.
Press “OK”, “OK” and “Next”.
Tick “Access Granted” and press “Next”.
Tick “Encrypted authentication (CHAP)” and “Unencrypted authentication (PAP, SPAP)” and press “Next”.
Press “No” to the help topic.
At this stage I specified “Idle Timeout” and “Session Timeout”, but you don't have to; it's completely your decision. Then press “Next”.
You will now see the window below and will need to edit the following:
Set Service-Type to “Administrative”, which is listed under “Others”, and then press “Next”.
Hopefully you will have a window that looks like the one below, and you can then press “Finish”.
We are now on to the final part of this post, which is to add a network device to manage.
Go to “RADIUS Clients and Servers”, right click “RADIUS Clients” and press “New”.
You will now have to fill in the following information:
Enter a friendly name for the device.
Enter the IP address or DNS name of the device.
The Shared Secret drop-down should now offer the template we created earlier in this post. In the end you will end up with a window like the one below.
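The same build-out, scripted in PowerShell on the domain controller, as an added example that is not part of the original post. The group name, OU path and the "Network Managers" member group are taken from the post; the switch name "Core-SW01" and address "10.0.0.10" are assumptions for the lab. The network policy itself (steps above) has no dedicated NPS cmdlet and is left to the console, and the NPS module's New-NpsRadiusClient takes the secret directly rather than a Shared Secrets template.

```powershell
# Added example (not the original post's code). Names/addresses below are lab assumptions.

# 1. Install the Network Policy and Access Services role (Network Policy Server).
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 2. Create the AD security group that gates device administration and nest the admins in it.
Import-Module ActiveDirectory
$ou = "OU=Groups,OU=LyncMe,DC=Lyncme,DC=Local"
New-ADGroup -Name "Network Device Access" -SamAccountName "NetworkDeviceAccess" `
    -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Network Device Access" -Members "Network Managers"

# 3. Register NPS in AD so it can read user dial-in properties (not shown in the post's
#    screenshots, but required before NPS can authorise domain accounts).
netsh nps add registeredserver

# 4. Register the Cisco switch as a RADIUS client. The secret is prompted for rather than
#    written into the script so it does not end up in the command history.
Import-Module NPS
$secure = Read-Host -Prompt "Shared secret for the switch" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
New-NpsRadiusClient -Name "Core-SW01" -Address "10.0.0.10" -SharedSecret $plain -VendorName "Cisco"

# 5. Check the result: the client should be listed and enabled.
Get-NpsRadiusClient | Format-Table Name, Address, VendorName, Enabled
```

One caveat worth keeping in mind when the policy allows PAP: in a RADIUS Access-Request the user's password is only obscured with the shared secret, so the strength of that secret and keeping RADIUS traffic on a management network carry the weight of the password's confidentiality.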
This completes the post; the next step is for the network team to change the configuration on the switch to point at the new Network Policy Server.