Cisco Nexus and Windows NPS

The Cisco Nexus RADIUS setup in NPS is a little different from the IOS RADIUS setup.

Windows NPS Network Policy

Add your Windows Group and NAS IPv4 Addresses


Add your Authentication Methods


Add these two Cisco-AV-Pair attribute values:

priv-lvl=15
shell:roles*"network-admin vdc-admin"

Cisco NEXUS Configuration

radius-server retransmit 3
radius-server deadtime 5
radius-server host 10.1.1.1 key RADIUS-KEY authentication accounting
radius-server host 10.1.1.2 key RADIUS-KEY authentication accounting

aaa group server radius MTR-Radius
server 10.1.1.1
server 10.1.1.2
source-interface loopback0

aaa authentication login default group MTR-Radius local
aaa authentication login console local
aaa accounting default group MTR-Radius
aaa authentication login error-enable

APC UPS & NPS Configuration

Nothing annoys me more than having to look up a password for a device instead of using my central admin account to log in. Here is how to configure Windows NPS to authenticate APC UPS devices.

NPS Network Policies:


Create Policy name:

Configure “Client IPv4 Address” and Windows Group. This allows the policy to match only the UPS and the Windows group that should be allowed to control the UPS.

Configure (PAP)


Select Add

Now you have a working Network Policy

Shared Secrets Template:
As you will have a number of UPSs to add to NPS, I would create a Shared Secrets template to make adding devices easier.

Radius Client Add:


Create a new radius host and select Shared Secret template:

APC UPS Configuration:


Configure the RADIUS server IP and the secret you created on the NPS server. I also noticed my password was too long to test the settings, so I just chose Skip Test and Apply. You can always disable the host on the NPS server if you make a mistake, or use the local account.

That is how you configure APC UPS to use NPS for centralized authentication.

Windows NPS “The revocation function was unable to check revocation because the revocation server was offline.”

Today I decided to add another Windows 2016 NPS server at our other datacenter for some redundancy. While I was testing I got the following error.

At first I thought it was an issue with our offline root CA. For troubleshooting I turned on the offline root CA. Hmm, still getting the same issue. So I started looking at our subordinate certificate authority. After launching the Enterprise PKI MMC I saw the following: CDP Location #1 and #2 were saying “Unable to Download”.

I fired up my web browser to go to http://pki.manualtokenring.com/cdp/MTRRootCA.crl and got a 503 from the web server. Hmm, that's strange. The next place I decided to check was Internet Information Services (IIS) Manager. All web sites were online. Next I browsed to where the CRL files are located. Everything looked to be OK.

After confirming the CRL was correct I restarted IIS. Even after restarting IIS I could not get http://pki.manualtokenring.com/cdp/MTRRootCA.crl to load. The last thing to do was reboot the server. Sure enough, after rebooting the server everything came back online. I hate to be that guy who asks “Have you tried turning it off and back on?” but this time it seemed to resolve the issue.
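A small monitoring check for the failure described above, added here as an example and not part of the original post: it fetches a CDP URL (the post's http://pki.manualtokenring.com/cdp/MTRRootCA.crl), pulls thisUpdate and nextUpdate out of the DER with a minimal TLV reader, and reports whether a client such as NPS would find a fresh CRL there. The embedded CRL bytes are constructed for offline testing and are not a real MTRRootCA CRL.

```python
import datetime as dt
import urllib.request
CDP_URL = "http://pki.manualtokenring.com/cdp/MTRRootCA.crl"   # URL from the post
# Constructed, unsigned CRL skeleton for offline testing (not a real MTRRootCA CRL).
SAMPLE_CRL = (b"\x30\x32\x30\x30"                  # CertificateList > tbsCertList
              b"\x02\x01\x01"                      # version v2
              b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x30\x00"  # sigalg, empty issuer
              b"\x17\x0d240531000000Z\x17\x0d240608000000Z")  # thisUpdate, nextUpdate

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real CRLs)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) parsed from a DER-encoded CertificateList."""
    def time(tag, val):                            # UTCTime (0x17) / GeneralizedTime (0x18)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)           # CertificateList > tbsCertList
    pos = 0
    for _ in range(3 if tbs[0] == 0x02 else 2):    # skip [version,] signature, issuer
        _, _, pos = _tlv(tbs, pos)
    tag, val, pos = _tlv(tbs, pos)
    this_update = time(tag, val)
    tag, val, _ = _tlv(tbs, pos)                   # nextUpdate (present in RFC 5280 CRLs)
    return this_update, time(tag, val)

def check_cdp(url, now=None, fetch=None):
    """Fetch the CRL behind a CDP URL and report 'ok', 'expired' or 'unreachable'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    fetch = fetch or (lambda u: urllib.request.urlopen(u, timeout=10).read())
    try:
        der = fetch(url)                           # a 503 raises HTTPError (an OSError)
    except OSError:
        return "unreachable"
    _, next_update = crl_validity(der)
    return "ok" if next_update > now else "expired"

def demo():
    """Run the check against the sample: fresh, past nextUpdate, and a 503."""
    def offline(url):
        raise OSError("HTTP 503 Service Unavailable")
    now, serve = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc), (lambda url: SAMPLE_CRL)
    return {"fresh": check_cdp(CDP_URL, now, serve),
            "stale": check_cdp(CDP_URL, now + dt.timedelta(days=30), serve),
            "offline": check_cdp(CDP_URL, now, offline)}
```

Run check_cdp(CDP_URL) on a schedule against every CDP and AIA URL your CA publishes; an "unreachable" or "expired" result is the condition that produced the NPS error above.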