HP Networking Switch Authentication with Microsoft Windows Server 2008 R2 NPS Radius

Overview

This document provides an overview of how to configure the Windows Server 2008 R2 NPS Radius server for Radius login authentication with HP Networking ProCurve switches. Additional sections describe the configuration of manager and operator logins, command authorization and command accounting.

Document Version 1.0
Author: Peter Debruyne, peter.debruyne@belpro.be, +32 474 95 25 46

Page 1 of 24 HP Networking Switch Authentication with Microsoft Windows Server 2008 R2 NPS Radius v1.0

Contents

  Overview  1
  Installing NPS  2
  Configuring NPS  3
    NPS Domain access  3
    Configure NPS Accounting (Logging)  4
    Define Radius client  7
    Define Network Policies  8
  Configure the ProCurve device  17
    Define radius server  17
    Configure aaa authentication  17
    Configure aaa accounting  19
  Restricted Managers – Command Authorization  20
    Network Policy for Restricted Managers  20
    Update existing policies for Manager and Operator  23
    Configure aaa command authorization for Restricted Manager  23

Installing NPS

On the Windows 2008 R2 Server, launch the Server Manager. Under Roles, select Add role.

Check the Network Policy and Access Services. Only the Network Policy Server is required for the Radius server to be installed. The other components are the Microsoft dial/vpn server and the Microsoft NAP/NAC client health solution, which are not required for this guide.

Configuring NPS

NPS Domain access

After installation, verify that the NPS server has permission to access user and group account information on the domain. When installed on a Domain Controller, the NPS role has this access by default. When installed on a Domain member server, grant access with this procedure:

Use the administrative tools to launch the Network Policy Server console. When available, click the “start NPS service” option to start the service.
Register the NPS server, so it will be allowed to read user and group information from the domain.

Configure NPS Accounting (Logging)

Open the Accounting folder and select Configure Accounting. Based on your requirements, configure the local log file or SQL server accounting. This example shows the local log file only.

Leave all logging active and note the folder for the log files. Consider the fail option, which means that in case the NPS cannot log the request, it will not allow logins (authentication or 802.1x). Set this option based on the business requirement.

Under the Accounting folder, select the log file properties. Configure the log file format: if you have existing IAS log file viewers (e.g. http://www.deepsoftware.ru/iasviewer/ ) it may be required to configure the legacy log file format. Configure the log file rotation (e.g. Daily).

When the switch is configured for aaa accounting commands radius, it will send all the commands executed on the switch as vendor-specific radius accounting to the NPS server. These commands are ASCII encoded in the NPS log file and barely readable, so it is recommended to acquire a commercial log parser, such as IAS Log Viewer. This is the result when configured with IAS Log Viewer (trial), when the user “pm” connects to Switch1 and executes some commands:

Define Radius client

The NPS Radius server requires the network device to be registered as a radius client. In the NPS console, select RADIUS Clients and create a new client. Enter a friendly name (typically including the hostname) and the source IP address of the switch.
For layer 3 switches with multiple IP addresses, create a radius client for each possible source IP, or configure the device to use a loopback IP address for RADIUS. With the Enterprise Edition, a single Radius client record can be used for multiple devices by typing a subnet in the IP field, e.g. 10.100.10.0/24 instead of 10.100.10.1. This does require all devices to have the same radius shared secret.

Configure the shared secret, in this example “procurve”.

Define Network Policies

This section describes the creation of several Network Policies for various levels of access. Manager and Operator are the full access and restricted access methods. Restricted Manager shows the command authorization. For the Restricted Manager to function, additional switch configuration is required, which is explained in the “Configure the ProCurve device” section.

User and Group Requirements

This procedure assumes that some Windows users and groups have been created. The following groups should have been created before starting this procedure:

  P_Managers (e.g. full network admin): in this example, a user named “pm” has been created and is a member of this group.

  P_Operators (e.g. first line, view only): in this example, a user named “po” has been created and is a member of this group.

  P_Managers_Restricted (e.g. second line, assign ports to vlans): in this example, a user named “pml2” has been created and is a member of this group.

Manager

Create a new network policy. Type a name for the policy:

  Name   HP ProCurve Management – Manager
  Type   unspecified

Conditions

Add the conditions to filter the manager user logins.
Only members of the Windows group P_Managers will be allowed to log in to the management level. This only applies to management logins (not 802.1x wired or wireless), so the additional condition is NAS Port Type = Virtual.

The result of this condition screen is:

In the next screen, leave the Access Permission at Access Granted.

In the next screen, Configure Authentication Methods, configure the auth types. For the management login on most ProCurve switches, the old encryption types should be configured:

The 5400 series (as of K_13_51) supports peap-mschapv2 as authentication protocol between switch and radius server for telnet and ssh login requests. The only requirement on the NPS server is to have a certificate (self signed, created by an in-house CA, or an external public certificate) and to configure EAP PEAP MSCHAPv2 as auth method on the existing Network Policy:

In case both old and new auth types must be supported, due to e.g. various switch types/models, several Network Policies can be created and the conditions section can be updated for the PEAP policy and the PAP policy.
Several Network Policies: each auth type is covered as a condition in each policy.

Configure Constraints
  No changes / restrictions.

Configure Settings
  Remove the Framed-Protocol.
  Change the Service-Type to Administrative. This indicates that this login profile will be granted manager (read/write) access.

Operator

This step mainly repeats the Manager section, so only the changes are described with screenshots.

Create a new Policy:
  Name                    HP ProCurve Management – Operator
  Type                    unspecified
  Conditions              Windows Group P_Operators
                          NAS-Port-Type Virtual
  Access Permission       Access Granted
  Authentication Methods  Configure identical to the Manager profile. This example: CHAP
  Constraints             No changes
  Configure Settings      Remove Framed-Protocol
                          Change Service-Type to NAS-Prompt. This indicates that this login will be granted Operator (read only) access.

Finish the wizard.

Other Logins to Virtual Port – Deny

To prevent other policies from accidentally allowing access to your switch management interfaces, add an additional policy:
  Condition     NAS-Port-Type Virtual
  Access Level  Deny access

Put this policy directly under the Manager and Operator policies, which should be placed at the top of the policy hierarchy (before 802.1x or MAC login policies). The only exception would be a VPN Server / Concentrator policy, which will require the virtual port, but that policy can get an additional condition based on the NAS IP address and be placed in front of the deny-all-virtual policy.

Network Policy Order

Verify the order of the policies and adjust to the requirements. The order is important, since NPS will process the login request top-down.
So if there is a login request for a user who connects through a virtual port and who is a member of the group P_Managers (the policy conditions), then the manager profile will be sent to the switch, so the user will log in with service-type “administrative”, which is a manager. The same logic applies to the Operator policy.

The order is important to resolve conflicts. If a user is a member of both the P_Managers and P_Operators groups, then the order decides which profile will be sent to the switch. In this example, a user who is a member of both groups will become a Manager on the switch, since the Manager policy is processed first. In case the security policy dictates that a user should get the least configured privilege, then the order should be reversed.

Configure the ProCurve device

This section describes the configuration of the network device.

Define radius server

In configuration mode on the switch, configure the radius server (NPS IP) and the secret:

  radius-server host 10.100.10.10 key "procurve"

Configure aaa authentication

Configure a test login profile for e.g. SSH. This will not impact the telnet login methods:

  aaa authentication ssh login radius
  aaa authentication ssh enable radius

“login” describes the initial login to the switch (as operator, so read-only); “enable” describes the move from operator mode (read-only) to manager (read-write) with the enable command.

When the 5400 series is used with recent firmware, and the NPS server is configured with PEAP MSCHAPv2 authentication as described in the NPS section, use these commands:

  aaa authentication telnet login peap-mschapv2
  aaa authentication telnet enable peap-mschapv2

With only these commands, a manager would always log in as operator first, then have to type “enable” to get the manager login prompt.
The switch can be configured to immediately respect the login level with this command:

  aaa authentication login privilege-mode

Test the login with an ssh client with a P_Managers user and a P_Operators user.

Manager user:

Login with operator user:

Configure aaa accounting

To support command logging to the NPS server, activate aaa accounting:

  aaa accounting commands interim-update radius

To get switch reload information, 802.1x or MAC auth session info and interim updates every 10 minutes, configure these commands as well:

  aaa accounting exec start-stop radius
  aaa accounting network start-stop radius
  aaa accounting system start-stop radius
  aaa accounting update periodic 600

Restricted Managers – Command Authorization

This section describes how to configure command authorization. This must be configured on Radius and on the switch, so if existing Manager and Operator policies have been created, these must be updated as well or they will not function anymore.

Network Policy for Restricted Managers

In NPS, create a new policy. See the previous Manager policy for detailed steps. This step mainly repeats the Manager section, so only the changes are described with screenshots.
Create a new Policy:
  Name                    HP ProCurve Management – Managers Restricted
  Type                    unspecified
  Conditions              Windows Group P_Managers_Restricted
                          NAS-Port-Type Virtual
                          Optionally filter on the Authentication type if PEAP/PAP must be chosen
  Access Permission       Access Granted
  Authentication Methods  Configure identical to the Manager profile (PAP or PEAP)
  Constraints             No changes
  Configure Settings      Remove Framed-Protocol
                          Change Service-Type to Administrative. This indicates that this login will be granted Manager (read-write) access.

Select the Vendor-Specific list and add the vendor specific attribute. Add a VSA (Vendor Specific Attribute):
  Number  2
  Type    String
  Value   Specify the list of commands, semicolon separated.

Regular expressions are supported and can be used to force begin of line (^), end of line ($) etc. This can be useful, since the ProCurve CLI allows continuation of typing from global config. E.g. a user can do:

  conf
  int a1
  disable

or on one line:

  conf int a1 disable

In the example below, the vlan and int commands are restricted with the $ sign, so the user must enter the vlan or interface context, where they can then type the context commands:

  Value   ^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;^untag.;^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload

Add another VSA, to indicate if this list should be allowed or denied:
  Number  3
  Type    Decimal (not string!)
  Value   0 (allow only the list of attribute 2) or 1 (deny the list of attribute 2)

Finish the wizard.

Update existing policies for Manager and Operator

When the switch is configured to check for these attributes, all management logins have to be configured with these attributes, even when no restrictions should apply to the login. Otherwise, this error will show for the existing managers:

Open the existing Manager and Operator network policies in NPS. Under Vendor Specific, add the two VSAs:

  Vendor Code       11
  Conforms          yes
  Attribute number  2
  Type              string
  Value             .        (. represents any character)

  Vendor Code       11
  Conforms          yes
  Attribute number  3
  Type              decimal
  Value             0        (allow the above list)

This will allow these profiles to type all commands which are normally allowed for manager or operator access.

Configure aaa command authorization for Restricted Manager

On the switch, configure the command authorization:

  aaa authorization commands radius

Log in with a user who is a member of the P_Managers_Restricted group. Verify that the attribute command list is applied to this session. Also note that thanks to the $ sign in the attribute command list, it is no longer supported to type continuing commands from global config.
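The effect of the attribute 2 command list and the attribute 3 allow/deny flag on the Restricted Manager session can be checked before the policy is deployed. The following is an added example, not code from the document, from HP or from Microsoft: it models the check locally in Python, assuming that each semicolon-separated entry of attribute 2 is applied as a regular expression against the typed command line (unanchored unless the entry itself uses ^ or $, as the document's description implies) and that attribute 3 = 0 means "allow only matching commands" while 1 means "deny matching commands". It uses the document's own list, reading the "[09]" in the vlan entry as "[0-9]", and goes beyond the text by also evaluating the deny form of attribute 3. The switch's real CLI parsing of one-line continuations is not reproduced.

```python
"""Local model of the HP ProCurve RADIUS command-authorization check (added example)."""
import re

# Vendor 11 (HP), attribute 2 (string): the command list from the document.
COMMAND_LIST = (
    "^conf.;^show.;speed-duplex.;^ping;^traceroute.;^vlan [1-9][0-9]*$;"
    "^untag.;^wr.;^en.;^int.*[1-9][0-9]*$;^name.;clear st.;^dis.;^ena.;^reload"
)
ALLOW_ONLY_LIST = 0   # attribute 3 value 0: commands outside the list are refused
DENY_LIST = 1         # attribute 3 value 1: commands inside the list are refused


def parse_command_list(value):
    """Split the attribute-2 string into compiled patterns.

    An entry that is not a valid regular expression raises instead of being
    skipped: a silently dropped entry would change what the login may do.
    """
    patterns = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        try:
            patterns.append(re.compile(entry))
        except re.error as exc:
            raise ValueError(f"bad command-list entry {entry!r}: {exc}") from exc
    return patterns


def command_permitted(command, command_list=COMMAND_LIST, exception=ALLOW_ONLY_LIST):
    """Return True if `command` would be accepted under the given attribute 2/3 pair."""
    matched = any(p.search(command) for p in parse_command_list(command_list))
    if exception == ALLOW_ONLY_LIST:
        return matched
    if exception == DENY_LIST:
        return not matched
    raise ValueError(f"attribute 3 must be 0 or 1, got {exception!r}")


def audit_session(commands, command_list=COMMAND_LIST, exception=ALLOW_ONLY_LIST):
    """Return the commands of a session that the policy would refuse."""
    return [c for c in commands if not command_permitted(c, command_list, exception)]


if __name__ == "__main__":
    # Constructed session for the restricted manager "pml2": the $-anchored vlan
    # and int entries accept the bare context command but refuse a one-line
    # continuation such as "vlan 10 untagged 1" or "interface a1 disable".
    session = ["show running-config", "vlan 10", "vlan 10 untagged 1",
               "interface a1", "interface a1 disable", "disable", "boot"]
    for cmd in session:
        verdict = "allowed" if command_permitted(cmd) else "denied"
        print(f"{cmd!r:28} -> {verdict}")
    print("refused:", audit_session(session))
```

Running the block shows why the document anchors the vlan and int entries with $: "vlan 10" and "interface a1" enter their contexts, while "vlan 10 untagged 1" and "interface a1 disable" match no entry and are refused, as is an unlisted command such as "boot". With attribute 3 set to 1 the same list becomes a blacklist and the verdicts invert.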
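The "Configure NPS Accounting (Logging)" section notes that the commands sent by aaa accounting commands radius arrive in the NPS log file in an encoded form that is hard to read without a log viewer. The following is an added example, not part of the document or of any Microsoft or HP tooling, that decodes them in Python. It assumes the legacy IAS log format (six header fields: NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name, followed by attribute-id/value pairs), that a Vendor-Specific attribute (id 26) is logged as a 0x-prefixed hex string holding the RFC 2865 VSA body (4-byte Vendor-Id, then Vendor-Type, Vendor-Length and data), and that the switch reports each accounted command in HP attribute 2, the same attribute number the document configures for the command list. The log lines are constructed for the example.

```python
"""Decode HP (vendor 11) command strings from NPS IAS-format accounting records (added example)."""

HP_VENDOR_ID = 11
HP_COMMAND_STRING = 2        # assumed: same HP attribute number the document uses for the command list
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute id
IAS_HEADER = ("nas_ip", "user", "date", "time", "service", "server")


def decode_vsa(hex_value):
    """Return (vendor_id, [(vendor_type, data_bytes), ...]) for one logged VSA body."""
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    body = bytes.fromhex(hex_value)
    if len(body) < 4:
        raise ValueError("VSA shorter than the 4-byte Vendor-Id")
    vendor_id = int.from_bytes(body[:4], "big")
    subattrs = []
    pos = 4
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = body[pos], body[pos + 1]
        # Vendor-Length counts its own two header bytes; a length that runs past
        # the buffer is rejected rather than read as garbage.
        if vlen < 2 or pos + vlen > len(body):
            raise ValueError(f"bad Vendor-Length {vlen} at offset {pos}")
        subattrs.append((vtype, body[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


def encode_hp_command_vsa(command):
    """Build the hex form of an HP command VSA; used here only to construct sample data."""
    payload = command.encode("ascii")
    if len(payload) > 247:  # 253-byte VSA body minus 4-byte Vendor-Id and 2-byte sub-header
        raise ValueError("command too long for a single VSA")
    body = (HP_VENDOR_ID.to_bytes(4, "big")
            + bytes([HP_COMMAND_STRING, len(payload) + 2]) + payload)
    return "0x" + body.hex().upper()


def parse_ias_record(line):
    """Split one IAS-format line into a header dict and [(attr_id, value), ...]."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(IAS_HEADER) or (len(fields) - len(IAS_HEADER)) % 2:
        raise ValueError("malformed IAS record")
    header = dict(zip(IAS_HEADER, fields))
    pairs = fields[len(IAS_HEADER):]
    attrs = [(int(pairs[i]), pairs[i + 1]) for i in range(0, len(pairs), 2)]
    return header, attrs


def hp_commands(line):
    """Return (header, [command, ...]) for the HP command strings in one record."""
    header, attrs = parse_ias_record(line)
    commands = []
    for attr_id, value in attrs:
        if attr_id != VENDOR_SPECIFIC:
            continue
        vendor_id, subattrs = decode_vsa(value)
        if vendor_id != HP_VENDOR_ID:
            continue   # another vendor's VSA in the same record
        commands.extend(data.decode("ascii", errors="replace")
                        for vtype, data in subattrs if vtype == HP_COMMAND_STRING)
    return header, commands


# Constructed sample records: user "pm" on Switch1 (10.100.10.1) produces two
# command accounting records (Acct-Status-Type 40 = 3, Interim-Update) and one
# management login request (NAS-Port-Type 61 = 5, Virtual; Service-Type 6 = 6,
# Administrative) that carries no HP VSA.
SAMPLE_LOG = [
    "10.100.10.1,pm,12/01/2011,10:15:02,IAS,NPS01,4,10.100.10.1,40,3,26,"
    + encode_hp_command_vsa("vlan 10"),
    "10.100.10.1,pm,12/01/2011,10:15:09,IAS,NPS01,4,10.100.10.1,40,3,26,"
    + encode_hp_command_vsa("interface a1 disable"),
    "10.100.10.1,pm,12/01/2011,10:14:55,IAS,NPS01,4,10.100.10.1,61,5,6,6",
]

if __name__ == "__main__":
    for record in SAMPLE_LOG:
        header, commands = hp_commands(record)
        for cmd in commands:
            print(f"{header['date']} {header['time']} {header['user']}@{header['nas_ip']}: {cmd}")
```

Feeding the accounting log file line by line through hp_commands() yields a per-user, per-switch command trail without a commercial viewer; records from other request types (the login request in the third sample line) simply produce no commands. The decoder validates every Vendor-Length before slicing, so a truncated or malformed record raises rather than yielding a wrong command string.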