HP Networking

Switch Authentication with Microsoft Windows Server 2008 R2 NPS Radius

Overview

This document provides an overview of how to configure the Windows Server 2008 R2 NPS Radius server for Radius login authentication with HP Networking ProCurve switches.

Additional sections describe the configuration of manager and operator logins, command authorization and command accounting.

Document Version / 1.0
Author / Peter Debruyne / / +32 474 95 25 46

Page 1 of 24


Contents

Overview

Installing NPS

Configuring NPS

NPS Domain access

Configure NPS Accounting (Logging)

Define Radius client

Define Network Policies

Configure the ProCurve device

Define radius server

Configure aaa authentication

Configure aaa accounting

Restricted Managers – Command Authorization

Network Policy for Restricted Managers

Update existing policies for Manager and Operator

Configure aaa command authorization for Restricted Manager

Installing NPS

On the Windows 2008 R2 Server, launch the Server Manager.

Under Roles, select Add role


Check the Network Policy and Access Services

Only the Network Policy Server is required for the Radius server to be installed.

The other components are the Microsoft dial-in/VPN server and the Microsoft NAP/NAC client health solution, which are not required for this guide.

Configuring NPS

NPS Domain access

After installation, verify that the NPS server has the permission to access user and group account information on the domain.

When installed on a Domain Controller, the NPS role has this access by default.

When installed on a Domain member server, grant access with this procedure:

Use the administrative tools to launch the Network Policy Server console:


When available, click the “Start NPS service” option to start the service.

Register the NPS server, so it will be allowed to read user and group information from the domain:


Configure NPS Accounting (Logging)

Open the Accounting folder and select Configure Accounting:


Based on your requirements, configure the local log file or SQL server accounting. This example shows the local log file only:


Leave all logging active and note the folder for the logfiles.

Consider the failure option: if NPS cannot log the request, it will not allow any login (authentication or 802.1x). Set this option based on the business requirement.


Under the Accounting folder, select the log file properties:

Configure the log file format. If you have existing IAS log file viewers (e.g. ), it may be required to configure the legacy log file format.

Configure the log file rotation (e.g. daily):


When the switch is configured for aaa accounting commands radius, it sends every command executed on the switch as vendor-specific RADIUS accounting to the NPS server.

These commands are ASCII encoded in the NPS log file and therefore barely readable, so it is recommended to acquire a commercial log parser, e.g. IAS Log Viewer. This is the result when configured with IAS Log Viewer (trial), when the user “pm” connects to Switch1 and executes some commands:


Define Radius client

The NPS RADIUS server requires the network device to be registered as a RADIUS client.

In the NPS console, select RADIUS clients and create new client:


Enter a friendly name (typically includes the hostname) and the source IP address of the switch.

For layer 3 switches with multiple IP addresses, create a RADIUS client for each possible source IP, or configure the device to use a loopback IP address for RADIUS.

With the Enterprise Edition, a single RADIUS client record can cover multiple devices by typing a subnet in the IP field, e.g. 10.100.10.0/24 instead of 10.100.10.1. This requires all devices to use the same RADIUS shared secret.

Configure the shared secret, in this example “procurve”.


Define Network Policies

This section describes the creation of several Network Policies for various levels of access.

Manager and Operator are the full access and restricted access methods. Restricted Manager shows the command authorization. For the Restricted Manager to function, additional switch configuration is required, which is explained in the “Configure the ProCurve device” section.

User and Group Requirements

This procedure assumes that some Windows users and groups have been created.

The following groups should have been created before starting this procedure:

  • P_Managers, e.g. full network admin
    in this example, a user named “pm” has been created and is a member of this group
  • P_Operators, e.g. first line, view only
    in this example, a user named “po” has been created and is a member of this group
  • P_Managers_Restricted, e.g. second line, assign ports to VLANs
    in this example, a user named “pml2” has been created and is a member of this group

Manager

Create a new network policy:


Type a name for the policy, e.g.

Name: HP ProCurve Management – Manager

Type: unspecified


Conditions

Add the conditions to filter the manager user logins. Only members of the Windows group P_Managers will be allowed to log in at the management level:


This only applies to management logins (not 802.1x wired or wireless), so the additional condition is NAS Port type = Virtual:


The result of this condition screen is:


In the next screen, leave the Access Permission at

Access Granted

In the next screen, Configure Authentication Methods, configure the auth types.

For the management login on most ProCurve switches, the legacy authentication types should be configured:


The 5400 series (as of K_13_51) supports PEAP-MSCHAPv2 as the authentication protocol between switch and RADIUS server for telnet and SSH login requests.

The only requirement on the NPS server is to have a certificate (self-signed, created by an in-house CA, or an external public certificate) and to configure EAP PEAP MSCHAPv2 as the auth method on the existing Network Policy:


In case both old and new auth types must be supported, e.g. due to various switch types / models, several Network Policies can be created, and the conditions section updated separately for the PEAP policy and the PAP policy.

Several Network Policies:


Each auth type is covered as a condition in each policy:



Configure Constraints

no changes / restrictions

Configure Settings

Remove the Framed-Protocol attribute.

Change the Service-Type to Administrative.

This indicates that this login profile will be granted manager (read/write) access.

Operator

This step mostly repeats the Manager section, so only the differences are described.

Create a new policy:

Name: HP ProCurve Management – Operator

Type: unspecified

Conditions

Windows Group: P_Operators

NAS-Port-Type: Virtual

Access Permission

Access Granted

Authentication Methods

Configure identically to the Manager profile; in this example:

CHAP

Constraints

no changes

Configure Settings

Remove Framed-Protocol

Change Service-Type to NAS-Prompt

This indicates that this login will be granted Operator (read-only) access.

Finish wizard

Other Logins to Virtual Port – Deny

To prevent other policies from accidentally allowing access to your switch management interfaces, add an additional policy with

Condition: NAS-Port-Type Virtual

Access Level: Deny access

Put this policy directly under the Manager and Operator policies, which should be placed at the top of the policy hierarchy (before 802.1x or MAC login policies).

The only exception would be a VPN server / concentrator policy, which also requires the virtual port; that policy can get an additional condition on the NAS IP address and be placed in front of the deny-all virtual policy.

Network Policy Order

Verify the order of the policy and adjust to the requirements:


The order is important, since NPS processes the login request top-down. So if there is a login request for a user who connects through a virtual port and who is a member of the group P_Managers (the policy conditions), the manager profile is sent to the switch and the user logs in with Service-Type “Administrative”, which is a manager.

The same logic applies to the Operator policy.

The order is important to resolve conflicts. If a user would be member of both the P_Managers and P_Operators groups, then the order will decide which profile will be sent to the switch.

In this example, a user who is member of both groups will become a Manager on the switch, since the Manager policy is processed first.

In case the security policy dictates that a user should get the least configured privilege, the order should be reversed.
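The top-down, first-match behaviour described above, as an added example that is not part of the original document: a small Python model of the three Virtual-port policies (Manager, Operator, deny-all) and of the reversed, least-privilege order. The policy names, group names and the `Policy`/`evaluate` helpers are constructed for this example; NPS itself is not involved.

```python
from typing import List, Optional, Set, Tuple

class Policy:
    """One NPS Network Policy reduced to the conditions used in this guide."""
    def __init__(self, name: str, nas_port_type: str, windows_group: Optional[str],
                 grant: bool, service_type: Optional[str] = None) -> None:
        self.name = name
        self.nas_port_type = nas_port_type  # condition: NAS-Port-Type (e.g. "Virtual")
        self.windows_group = windows_group  # condition: Windows Group (None = no group condition)
        self.grant = grant                  # Access Permission: granted (True) or denied (False)
        self.service_type = service_type    # Service-Type returned to the switch when granted

# Policies in the order recommended by the document (constructed example data).
POLICIES = [
    Policy("HP ProCurve Management - Manager", "Virtual", "P_Managers", True, "Administrative"),
    Policy("HP ProCurve Management - Operator", "Virtual", "P_Operators", True, "NAS-Prompt"),
    Policy("Other Logins to Virtual Port - Deny", "Virtual", None, False),
]

def evaluate(policies: List[Policy], user_groups: Set[str],
             nas_port_type: str) -> Tuple[Optional[str], bool, Optional[str]]:
    """Walk the list top-down; return (policy name, granted?, Service-Type) of the first
    policy whose conditions all match. No match at all means the request is rejected."""
    for p in policies:
        if p.nas_port_type != nas_port_type:
            continue
        if p.windows_group is not None and p.windows_group not in user_groups:
            continue
        return (p.name, p.grant, p.service_type if p.grant else None)
    return (None, False, None)

def least_privilege_order(policies: List[Policy]) -> List[Policy]:
    """Reverse the granting policies (Operator before Manager) so a user who is a member
    of both groups lands on Operator, while keeping the deny-all policy last."""
    grants = [p for p in policies if p.grant]
    denies = [p for p in policies if not p.grant]
    return list(reversed(grants)) + denies
```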

Configure the ProCurve device

This section describes the configuration of the network device.

Define radius server

In configuration mode on the switch, configure the RADIUS server (NPS IP) and the secret:

radius-server host 10.100.10.10 key "procurve"

Configure aaa authentication

Configure a test login profile for e.g. SSH. This will not impact the telnet login methods:

aaa authentication ssh login radius

aaa authentication ssh enable radius

login describes the initial login to the switch (as operator, so read-only).

enable describes the move from operator mode (read-only) to manager (read-write) with the enable command.

When the 5400 series is used with recent firmware, and the NPS server is configured with PEAP MSCHAPv2 authentication as described in the NPS section, use these commands:

aaa authentication telnet login peap-mschapv2

aaa authentication telnet enable peap-mschapv2

With only these commands, a manager would always log in as operator first, and then have to type “enable” to get the manager prompt.

The switch can be configured to immediately honour the login level with this command:

aaa authentication login privilege-mode

Test the login with an SSH client, once with a P_Managers user and once with a P_Operators user.

Manager user:



Login with operator user:



Configure aaa accounting

To support command logging to the NPS server, activate aaa accounting:

aaa accounting commands interim-update radius

To get switch reload information, 802.1x or MAC auth session info and interim updates every 10 minutes, configure these commands as well:

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

aaa accounting system start-stop radius

aaa accounting update periodic 600

Restricted Managers – Command Authorization

This section describes how to configure command authorization. It must be configured on both the RADIUS server and the switch; if Manager and Operator policies already exist, they must be updated as well or they will stop working.

Network Policy for Restricted Managers

In NPS, create a new policy. See the previous Manager policy for detailed steps.

This step mostly repeats the Manager section, so only the differences are described.

Create a new policy:

Name: HP ProCurve Management – Managers Restricted

Type: unspecified

Conditions

Windows Group: P_Managers_Restricted

NAS-Port-Type: Virtual

Optionally filter on the authentication type if PEAP or PAP must be chosen.

Access Permission

Access Granted

Authentication Methods

Configure identically to the Manager profile (PAP or PEAP).

Constraints

no changes

Configure Settings

Remove Framed-Protocol

Change Service-Type to Administrative

This indicates that this login will be granted Manager (read-write) access.

Select the Vendor-Specific list and add the vendor-specific attribute:


Add a VSA (Vendor Specific Attribute):

Number: 2

Type: String

Value: the list of commands, semicolon-separated. Regular expressions are supported and can be used to anchor the beginning of line (^), end of line ($), etc.

This is useful, since the ProCurve CLI allows continuing to type from global config. E.g. a user can do:

    conf
    int a1
    disable

or on one line:

    conf
    int a1 disable

In the example below, the vlan and int commands are restricted with the $ sign, so the user must first enter the vlan or interface context, where they can then type the context commands:

Value: ^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;^untag.;^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload


Add another VSA to indicate whether this list should be allowed or denied:

Number: 3

Type: Decimal (not String!)

Value: 0 (allow only the list of attribute 2) or 1 (deny the list of attribute 2)


Finish wizard

Update existing policies for Manager and Operator

When the switch is configured to check for these attributes, all management logins have to be configured with these attributes, even when no restrictions should apply to the login.

Otherwise, this error will show for the existing managers:


Open the existing Manager and Operator network policies in NPS.

Under Vendor Specific, add the two VSAs:

Vendor Code: 11

Conforms: yes

Attribute number: 2

Type: string

Value: . (. represents any character)

Vendor Code: 11

Conforms: yes

Attribute number: 3

Type: decimal

Value: 0 (allow the above list)

This will allow these profiles to type all commands which are normally allowed for manager or operator access.
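The attribute 2 command list and the attribute 3 allow/deny flag, as an added example that is not part of the original document: a Python checker that splits the list into regular expressions, reports patterns that do not compile, and shows why the `$` anchor on `^vlan [1-9][0-9]*$` and `^int.*[1-9][0-9]*$` allows entering the context but blocks a context command chained on the same line, while the `.` list of the unrestricted policies matches everything. It assumes (as stated in the code) that each pattern is searched against the typed command line with Python `re` semantics; the switch's own regex engine may differ, so treat this as a pre-deployment sanity check of a list, not as the switch's implementation.

```python
import re
from typing import List

# Attribute 2 value of the Restricted Manager policy, copied from this document.
RESTRICTED_COMMAND_LIST = ("^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;"
                           "^untag.;^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload")
# Attribute 2 value used for the unrestricted Manager and Operator policies ("." = any character).
UNRESTRICTED_COMMAND_LIST = "."

ALLOW_LIST = 0  # attribute 3 = 0: only the listed commands are allowed
DENY_LIST = 1   # attribute 3 = 1: the listed commands are denied, everything else is allowed

def parse_command_list(value: str) -> List[str]:
    """Split the semicolon-separated attribute 2 value into individual regular expressions."""
    return [p for p in value.split(";") if p]

def lint_command_list(value: str) -> List[str]:
    """Return a description of every pattern that is not a valid regular expression."""
    problems = []
    for pattern in parse_command_list(value):
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"{pattern}: {exc}")
    return problems

def command_matches(command: str, patterns: List[str]) -> bool:
    """Assumption: each pattern is searched (not full-matched) against the whole typed line,
    so unanchored patterns such as 'speed-duplex.' match anywhere in the line."""
    return any(re.search(p, command) for p in patterns)

def command_allowed(command: str, list_value: str, list_mode: int) -> bool:
    """Decide whether a command line passes the attribute 2 list under the attribute 3 mode."""
    matched = command_matches(command, parse_command_list(list_value))
    return matched if list_mode == ALLOW_LIST else not matched
```

Note that under strict regex semantics `^conf.` requires a character after `conf`, so check the abbreviations your users actually type (not only the full command names) against the list before deploying it.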

Configure aaa command authorization for Restricted Manager

On the Switch, configure the command authorization:

aaa authorization commands radius

Login with a user which is member of the P_Managers_Restricted group:


Verify that the attribute command list is applied to this session.

Also note that, thanks to the $ sign in the attribute command list, typing continuation commands from global config is no longer possible:


End of document
