Using NPS to manage Cisco devices

In a a previous article, I illustated how to configure Radius server on Cisco switch/router. In this tutorial, I explain how to install and configure a free radius server (Microsoft NPS) to control Cisco device access.

Network Policy and Access Services is a component of Windows Server and it is the implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, NPS performs centralized authentication and authorization for wireless devices, and it authorizes switch, remote access dial-up, and virtual private network (VPN) connections. Using NPS, you can centrally configure and manage network access authentication, provide authorization for connection requests, and accounting for information logs.

Install Microsoft NPS

Step 1 – Click on “Server Manager” on your Windows Server
Step 2 – Click on “Add Roles and Features”
Step 3 – Read the wizard and click on “Next”
Step 4 – Select “Role-based”
Step 5 – Select your server and click on “Next”
Step 6 – Select “Network Policy and Access Services”
Step 7 – A popup appears
Step 8 – Click on “Next”
Step 9 – Press Next and start the NPS installation

NPS Configuration

Step 10 – Run NPS

First of all, register NPS server to have permission to access user account credentials and dial-in properties in AD. Right-click NPS at the top of the tree and choose “Register server in Active Directory”.

Step 11 – Register the server

Now you can start your first configuration :)

Templates management

This is not mandatory, but my suggestion is to create a Shared Secrets Template to save the Radius key. The template is used in Radius client properties.

Step 1 – Add a new template
Step 2 – Define the radius key template

Radius Client

Define which devices can query the Radius server.

Step 1 – Add the radius client

Compile the name (2), the device IP address (3) and as radius key (4) select the template that you have previously defined. In “Advanced” select Cisco.

Step 2 – Define the radius client
Step 3 – Optionally, select Cisco as Vendor name

Connection Request Policies

They are sets of conditions and settings that allow network administrators to designate which RADIUS servers perform authentication and authorization of connection requests that the NPS server receives from RADIUS clients. In this example, the radius requests are managed by the local server.

Step 1 – Add a new connection request policy
Step 2 – Define a connection request policy name
Step 3 – Define which conditions must be matched; in this example all devices have to start with “Ciscozine-” name
Step 4 – Use local server to manage radius request
Step 5 – Click on next button; authentication settings will be chosen in the network policy menu
Step 6 – Click on next button; attribute/vendor specific settings will be chosen in the network policy menu
Step 7 – Click on finish button

Network Policies

Define whether a connection request is authorized to connect to the network.

Step 1 – Create a new Network Policy
Step 2 – Define a Network Policy name
Step 3 – Define the conditions

In this example two conditions are checked:

  • The switch/router name must start with the name “Ciscozine-Italy”.
    Note: The friendly name is defined in radius client section; it is not the device hostname!
  • The username used to log in the switch /router must belong to an AD group.

Remember: The condition accepts regular expression.

Step 4 – Define the access permission
Step 5 – Define the authentication protocols permitted; for ssh access you need to enable PAP authentication
Step 6 – Define constraints; in this example only idle timeout is used;
Step 7 – Select Service-Type: Administrative

Note: (Step 7) It defines which rights the user will have: when a user match this rule, the NPS will send back to the radius client (for instance a switch) the radius attribute “Service-type”. This attribute defines which rights the user will have in the session.

For instance, in telnet/ssh sessions:

Service-type -> Administrative: it gives privilege 15 rights

Service-type -> Login: it gives privilege 1 rights

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. The IETF attributes are standard and the attribute data is predefined. All clients and servers that exchange AAA information using IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.

RADIUS vendor-specific attributes (VSAs) are derived from a vendor-specific IETF attribute (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes; a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26. The newly created attribute is accepted if the user accepts attribute 26.

Note: The radius attributes required to give different rights, depends by Cisco device; below some example to give administrative properties:

Cisco ASA/Sourcefire (ASDM / SSH)

Radius Standard: Service-type -> Administrative

Cisco WLC (web / SSH)

Radius Standard: Service-type -> Administrative

Cisco FMC (web / SSH)

Radius Standard: Class -> Administrator

Cisco FDM (web)

Vendor Specific: Cisco-AV-Pair -> fdm.userrole.authority.admin

Cisco FDM (SSH)

Radius Standard: Service-type -> Administrative

Cisco FTD (SSH)

Radius Standard: Class -> Administrator

Step 9 – Policy settings policy

Remember: when you change some settings, you must restart the NPS service.


Troubleshooting with NPS is quite difficult due to the lack of informations (comparing with Cisco ISE); in any case, if you want to analyze NPS log, open “event viewer” and select “Network policy and access services”. Below an example:


  1. Thanks you so much for this information. Could give an example of the client side config (cisco IOS-XE switch)? My switch sees the server but fails to get authenticated. Thanks.

  2. Thanks a lot! Im using for CISCO SG-350 authentication. Next step try works in Cisco ASA equipaments.

  3. Hi,

    Thanks for this, it says in the screenshot that PAP/SAP authentication is a plaintext authentication method and is one of the insecure authentication methods, do the credentials get transferred over the network in plaintext with this authentication method in that case?


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.