Authenticate AD users on Cisco switches through RADIUS

1. Create an AD group

  • Add the users who should be able to log in to the switches to this group.

2. Now we will configure the RADIUS server.

Install the NPS server role.

After the role is installed we will open the management window.


3. Check that NPS is configured on “Network Access Protection (NAP)”.



4. Create a new RADIUS client.

  • Remember the Shared Secret password (we will use it later on the switches).

5. Create a new RADIUS policy.

  • User Groups – select the group that we created in Active Directory
  • Client Friendly Name – the name of the new RADIUS client that you entered in step 4 of this post.
  • This is how it should look.

Now let's configure the switch.

Switch(config)#aaa new-model


Switch(config)#aaa authentication login default group radius local


Switch(config)#aaa authentication login No-Radius-Login local


(A method list that does not use RADIUS authentication, only the local credentials. We will use it for our console connection.)


Switch(config)#aaa authorization exec default group radius if-authenticated

(With if-authenticated, a user who has authenticated to the switch is still granted an exec session even if the RADIUS server is down.)


Switch(config)#radius-server host X.X.X.X

(Enter the IP address of your RADIUS server.)


Switch(config)#radius-server key *******

(Use the same shared secret that you entered for the new RADIUS client in step 4.)

Configure the switch console line.

Switch(config)#line con 0


Switch(config-line)#login authentication No-Radius-Login


(When you connect with a console cable, you log in with the switch's local credentials.)

And that’s it. Now you can log in to the switches using your domain user name and password!
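
An offline check of a saved running-config against the AAA lines in this post, added here as an example (it is not part of the original post). It assumes the legacy global radius-server syntax shown above; audit_aaa is a hypothetical helper name, and 192.0.2.10 and the key are constructed placeholder values.

```python
import re

# Constructed sample running-config built from the commands in this post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login No-Radius-Login local
aaa authorization exec default group radius if-authenticated
radius-server host 192.0.2.10
radius-server key ExampleSharedSecret
line con 0
 login authentication No-Radius-Login
"""

def audit_aaa(config):
    """Return a list of findings; an empty list means the config matches the post."""
    lines = config.splitlines()
    findings = []
    # Map each login method list name to its ordered methods.
    lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    if "aaa new-model" not in [l.strip() for l in lines]:
        findings.append("aaa new-model is missing")
    default = lists.get("default", [])
    if default[:2] != ["group", "radius"]:
        findings.append("default login list does not try RADIUS first")
    if "local" not in default:
        findings.append("default login list has no local fallback")
    for kw in ("host", "key"):
        if not any(l.startswith(f"radius-server {kw} ") for l in lines):
            findings.append(f"no radius-server {kw} configured")
    # Find the method list applied under 'line con 0' (sub-commands are indented).
    con_list, in_con = None, False
    for l in lines:
        if not l.startswith(" "):
            in_con = l.strip() == "line con 0"
        elif in_con and l.strip().startswith("login authentication "):
            con_list = l.split()[-1]
    if con_list is None:
        findings.append("console uses the default list (RADIUS first)")
    elif con_list not in lists:
        findings.append(f"console list {con_list} is not defined")
    elif lists[con_list] != ["local"]:
        findings.append(f"console list {con_list} is not local-only")
    return findings
```

Run it against the output of show running-config saved to a file; each finding names the line from this post that is missing or differs.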
