The Cisco Nexus RADIUS setup is a little different from the IOS RADIUS setup in NPS.
Windows NPS Network Policy
Add your Windows Group and NAS IPv4 Addresses
Add your Authentication Methods
Add these two Attribute Values:
Cisco NEXUS Configuration
radius-server retransmit 3
radius-server deadtime 5
radius-server host 10.1.1.1 key RADIUS-KEY authentication accounting
radius-server host 10.1.1.2 key RADIUS-KEY authentication accounting
aaa group server radius MTR-Radius
  server 10.1.1.1
  server 10.1.1.2
aaa authentication login default group MTR-Radius local
aaa authentication login console local
aaa accounting default group MTR-Radius
aaa authentication login error-enable
Nothing annoys me more than having to look up a password for a device instead of using my central admin account to log into devices. Here is how to configure Windows NPS to authenticate APC UPS devices.
NPS Network Policies:
Create Policy name:
Configure “Client IPv4 Address” and Windows Group. This lets the policy match only the UPS (by its client IP) and the Windows group that should be allowed to control the UPS.
Now you have a working Network Policy.
Shared Secrets Template:
Since you will have a number of UPSs to add to NPS, I would create a Shared Secrets template to make adding devices easier.
Radius Client Add:
Create a new radius host and select Shared Secret template:
APC UPS Configuration:
Configure the RADIUS server IP and the secret you created on the NPS server. I also noticed my password was too long to test the settings, so I just clicked Skip Test and Apply. You can always disable the host on the NPS server if you make a mistake, or use the local account.
That is how you configure an APC UPS to use NPS for centralized authentication.
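Both setups above depend on the same thing: the shared secret (RADIUS-KEY on the Nexus, the Shared Secrets template on NPS, the secret entered on the UPS) that hides the user's password inside the RADIUS Access-Request. The following is an added example, not code from the original post or from Cisco, APC or Microsoft, showing how RFC 2865 builds that request and how the server recovers the password with the secret. It reuses the secret RADIUS-KEY and NAS address 10.1.1.1 from the Nexus configuration; the username and password are constructed for the demo. The 128-octet limit it enforces is the User-Password attribute limit from RFC 2865.

```python
"""Build and check a RADIUS Access-Request (RFC 2865).

Added example: shows how the shared secret hides the User-Password attribute
and how the server (NPS) reverses it. Sample username/password are constructed;
the secret RADIUS-KEY and NAS IP 10.1.1.1 come from the Nexus configuration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 and
    XOR each 16-octet block with MD5(secret + previous block). The first block
    uses the 16-octet Request Authenticator as the 'previous block'."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next block keyed on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, authenticator: bytes = None) -> bytes:
    """Client side: 20-octet header (Code, Identifier, Length, Authenticator) + attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD,
                           hide_password(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Server side: validate the header and walk the TLV attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def server_check(packet: bytes, secret: bytes, expected_user: str, expected_password: str) -> bool:
    """What NPS effectively does: recover the password with its copy of the
    shared secret and compare. A wrong secret yields garbage, so the check fails."""
    code, _ident, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        return False
    user_ok = attrs.get(ATTR_USER_NAME, b"") == expected_user.encode()
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return user_ok and hmac.compare_digest(recovered, expected_password.encode())


if __name__ == "__main__":
    secret = b"RADIUS-KEY"
    pkt = build_access_request(7, "ups-admin", "correct horse", secret, "10.1.1.1")
    print("Access-Request:", pkt.hex())
    print("right secret accepted:", server_check(pkt, secret, "ups-admin", "correct horse"))
    print("wrong secret accepted:", server_check(pkt, b"WRONG-KEY", "ups-admin", "correct horse"))
```

Two points worth noticing when reading the output: the hidden password is only as strong as the shared secret (MD5 of secret plus a public authenticator), which is why a long, unique secret per client template matters; and a mismatched secret between NPS and the device does not produce a clear error, it just makes every login fail, which is what the NPS event log will show as a reject.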
Today I decided I would add another Windows 2016 NPS server at our other datacenter for some redundancy. When I was doing my testing I got the following error.
At first I thought it was an issue with our offline root CA. For troubleshooting I turned on the offline root CA. Hmm, still getting the same issue. So I started looking at our subordinate certificate authority. After launching the Enterprise PKI MMC I saw the following. CDP Location #1 and #2 were saying “Unable to Download”.
I fired up my web browser to go to http://pki.manualtokenring.com/cdp/MTRRootCA.crl and got a 503 from the web server. Hmm, that's strange. The next place I decided to check was Internet Information Services (IIS) Manager. All web sites were online. Next I browsed to where the CRL files are located. Everything looked to be OK.
After confirming the CRL was correct I restarted IIS. After restarting IIS I still could not get http://pki.manualtokenring.com/cdp/MTRRootCA.crl to load. The last thing to do was reboot the server. Sure enough, after rebooting the server everything came back online. I hate to be that guy (“Have you tried turning it off and back on?”), but this time it seemed to resolve the issue.
Sharing knowledge I come across designing and troubleshooting network issues.