Installing and Configuring Network Access Policy for Cisco Devices

Hello Readers

In a recent project I have been working on I had to install and configure NAP on Windows Server 2012 for Cisco devices (the process is the same for Windows Server 2012 R2). I thought I would share the basic configuration settings required to enable this feature so that Cisco devices can talk to the Network Policy Server for Active Directory authentication.

Firstly, we will need to install NAP via “Add Roles and Features”.

[screenshot]

Press “Next”.

For the purpose of this post I am installing NAP on the single DC in my lab environment.

[screenshot]

Press “Next”.

Tick “Network Policy and Access Services” and press “Add Features”.

Press “Next”.

[screenshot]

Press “Next”.

[screenshot]

Press “Next”.

[screenshot]

Press “Next”, as we only need “Network Policy Server”, and then press “Install”.

Now that we have successfully installed Network Policy Server, we need to create a security group to manage authentication access to the network devices. Open “Active Directory Users and Computers”.

[screenshot]

Create a new security group in the required location within your AD structure. I am creating a new security group in “OU=Groups,OU=LyncMe,DC=Lyncme,DC=Local”.

[screenshot]

Give the group a name; I will be using Network Device Access.

Group Scope = Global

Group Type = Security

You will need to add the users who will be managing the Cisco network devices. For example, I have a group called Network Managers, who are the network guys in my lab environment.

[screenshot]

Now that we have a security group to manage network access, you will need to launch “Network Policy Server” from the Start window.

[screenshot]

Once Network Policy Server has opened we will configure a Shared Secret template to be used in the handshake between the server and the network device. Go to “Template Management”, right-click “Shared Secrets” and click “New”.

[screenshot]

You will see the below window.

[screenshot]

You will need to enter a template name; I will be using Cisco Device Access. You then have the option to enter a manual key or let Windows generate one.

If you let Windows generate a key it will look like this:

[screenshot]

So depending on how much you hate your network team you can give them this secret or generate one yourself. The warning triangle states the following: “Not all RADIUS clients support long secrets. You might need to edit the generated secret.”

For the purpose of this blog I will use a manual secret of “HeWilNotPass”.

We now need to create the network policy for NPS, so under “Policies”, right-click “Network Policies” and press “New”.

[screenshot]

You will now see the below window, where you need to specify a policy name. I have used Network Device Access.

[screenshot]

Press “Next”.

[screenshot]

Press “Add”.

[screenshot]

Press “Windows Groups” and press “Add”.

Press “Add Groups”.

Enter the group name you specified earlier, i.e. Network Device Access.

[screenshot]

Press “OK”, “OK” and “Next”.

Tick “Access Granted” and press “Next”.

[screenshot]

Tick “Encrypted authentication (CHAP)” and “Unencrypted authentication (PAP, SPAP)” and press “Next”.

Press “No” to the Help topic.

At this stage I specified “Idle Timeout” and “Session Timeout”, but you don't have to; it is completely your decision. Then press “Next”.

You will now see the below window and will need to edit the following:

[screenshot]

Set Service Type to “Administrative”, which is listed under “Others”, and then press “Next”.

Hopefully you will have a window that looks like the below and you can then press “Finish”.

[screenshot]

We are now on to the final part of this post, which is to add a network device to manage.

So under “RADIUS Clients and Servers”, right-click “RADIUS Clients” and press “New”.

[screenshot]

You will now have to fill in the following information:

[screenshot]

Enter a friendly name for the device.

Enter the IP or DNS name of the device.

The Shared Secret drop-down should now contain the template we created earlier in this post. In the end you will have a window like the below.

[screenshot]

This completes this post, as the next step is for the network team to change the configuration on the switch to point at the new Network Policy Server.
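The same build-out scripted, as an added example that is not part of the original post: it installs the NPS role, creates the group, registers the switch as a RADIUS client with a randomly generated secret instead of a guessable manual one, and then checks the NPS audit events a defender would watch once the network team points the switch at the server. The network policy itself (Windows Groups condition, CHAP/PAP, Service-Type Administrative) is still created in the console as shown above. The OU path is the post's; the switch name and address and the nested Network Managers group are assumed.

```powershell
# Added example, not the post's own steps. Run from an elevated PowerShell
# prompt on the NPS server (a DC here, so the AD module is already present).
Import-Module ActiveDirectory
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# 1. AD group that gates who may log on to the switches (the post's "Network Device Access")
$groupOU = 'OU=Groups,OU=LyncMe,DC=Lyncme,DC=Local'
New-ADGroup -Name 'Network Device Access' -GroupScope Global -GroupCategory Security -Path $groupOU
# Nest the existing admin group; 'Network Managers' is assumed to exist already
Add-ADGroupMember -Identity 'Network Device Access' -Members 'Network Managers'

# 2. Shared secret: 16 random bytes as 32 hex characters. Hex avoids characters some
#    RADIUS clients reject, and 32 chars is shorter than the NPS auto-generated secret
#    the warning triangle is about. PAP logons from the switch are only as protected
#    as this value, so hand it to the network team out of band.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 16
$rng.GetBytes($bytes)
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 3. Register the switch as a RADIUS client (assumed name/address).
#    New-NpsRadiusClient takes a literal secret rather than a Shared Secret template.
New-NpsRadiusClient -Name 'LAB-SW01' -Address '10.0.0.10' -SharedSecret $secret

# 4. Without this audit subcategory enabled, grants and denials never reach the Security log
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 5. Checks: the client is registered, and recent NPS decisions are visible
#    (event 6272 = access granted, 6273 = access denied)
Get-NpsRadiusClient | Where-Object Name -eq 'LAB-SW01'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

A 6273 for a user who is a member of the group usually means the policy's authentication methods or Service-Type condition do not match what the switch sends, so check those before touching the secret.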


Regards

Andrew Price
