Professional Documents
Culture Documents
COGNITIVE CAMPUS
(/ARISTACOMMUNITY/S/TOPIC/0…
Related Articles
Title
Setting up AD, NPS, and RADIUS authentication using Windows NPS
Troubleshooting RADIUS
Authentication/Authorization Issues
3.2K
Article Type (/AristaCommunity/s/article/troubleshooting-ra-
Configuration dius-authentication-authorization-issues)
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 1/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Authentication/Authorization Issues
authentication, authorization and accounting for wireless, authenticating switch, and remote
(/AristaCommunity/s/article/troubleshooting-radius-
access dial-up, and virtual private network (VPN) connections. authentication-authorization-issues)
Active Directory Domain Services (AD DS) - This feature stores information of Users, Using tcpdump for Troubleshooting
computers, and other devices in the network such as credentials, groups, and domains. AD DS (/AristaCommunity/s/article/using-tcpdump-for-
helps administrators securely manage this information and facilitates resource sharing and troubleshooting)
collaboration between users.
General 6
For this lab, we have a Windows Server 2016 hosted on Vmware ESXi 6.7 with reachability to an (/AristaCommunity/s/topic/0TO2I000000DaWKWA0/general)
Arista DUT and CVP, the setup would be the same for a Windows Server 2019.
Route/Switch 32
(/AristaCommunity/s/topic/0TO2I000000DaWGWA0/routeswitc
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 2/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We can do it by clicking the windows icon on the taskbar and click on Server Manager.
The next step would be to open the Server Manager and select "Add roles and features" from
the dashboard or click on the "manage" > "Add roles and features"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 3/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
That should open up a wizard as shown below, click on "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 4/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Click on "select server from a server pool" and we should be able to see the server created
with the right IP address.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 5/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Then we will be selecting the Roles that we would like configured, in this case, we would like to
configure NPS and AD DS and hence, we would be selecting those roles.
Once we click "Next", it would ask if we need to add any additional features, "Group Policy
Management" and "Remote Server Administration Tools" would be selected by default and we
can click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 6/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
The next few pages would explain about services that are being installed on the Server.
Continue to click "Next" until we arrive at the page shown in the next step.
It would a list of all roles, role services, and features that are being installed on the Server.
Once we confirm them we can click on "Install".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 7/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
This would complete the installation of features and would show up the features on the left side
column of the Server Manager page.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 8/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We will also be able to view the features installed on the dashboard as green if they are
successfully installed. Now, we will need to promote the Server to the Domain Controller as a
post-deployment step for AD DS. This is done to make the server authoritative for an Active
Directory domain.
By clicking on the "promote this server to a domain controller", it would open a wizard where
we can choose any of the provided options depending on the environment but in this case, we
will be selecting "Add a new forest" and will be typing in a root domain name.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
After clicking "Next", it would take us to the "Domain Controller options". By default, the "Forest
the Cookie Settings.
functional level" and "Domain functional level" should show the Windows Server version and Accept All Cookies
then we would need to create a Directory Services Restore Mode (DSRM). The DSRM is a
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 9/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
function that is used to take the Server into maintenance mode especially during restoring
backups of Active Directory. The password is critical and hence, it is recommended to change
it at regular intervals. Anyone with local access can log in to the DC and reboot the device or
modify or copy the Active Directory database. Once, the password is added, click "Next".
Next, we can select DNS delegation but in our case, we do not have an authoritative parent
zone, hence, we can proceed to click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 10/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
The next page would be for additional options, where we can add the NetBIOS domain name, it
would automatically auto-populate based on what was added on Step 14.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 11/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
It would then open a page to specify the path, in this case, we are using the default path as
shown below to store the AD database.
Next, it would show us the options that were selected for Review, once reviewed we can
proceed to click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 12/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
It would then proceed to perform a prerequisite check, once, done, it should read "All
prerequisite check passed successfully". We can proceed to click install.
Please Note: This step will automatically reboot the server once the installation is complete.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 13/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Once we open it, we should see the AD created with the assigned domain name in step 14.
Upon expanding it, we will see a folder named "Users". It's under this folder where we will be
creating Usernames and passwords that would be authorized by NPS to log in to the switch.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 14/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Once we double click on "User", it should open up a wizard which you let us add first name,
initials, last name, and full name for the user. In this case, we are creating a user named
"artest1" and click "Next" as shown below:
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 15/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Next, we will have to choose a strong password and you can choose any of the following
options based on security policies. In this case for the purpose of the lab, I have chosen
"Password never expires".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 16/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Click on "Next", review the username and password setting and click finish.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 17/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
There we go!! we should have our user "artest1" in our AD as shown below:
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 18/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Now, we will need to add our user to a group. To do so we would follow the same step as
step2. Right-click on "Users" > Select "New" > Select "Group".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 19/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
A wizard would then open where we will need to provide a name for the group to be created.
In this case, we have given the name "AristaTestGroup".
Now we should see both the user and group in the active directory.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 20/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
The Next Step, would be to associate the User to be part of the group. For this we need to
right-click on the user > select "Add to a group" > it should open a box where we can type in
the group name "AristaTestGroup" > click on "Check Names" (this would help validate the
group name). Once this is done click "OK".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 21/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
To confirm that the user is part of the group, right-click on the user > properties > select
"member of" tab on top and we should be able to see the group "AristaTestGroup" associated
with the user "artest1".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 22/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Before we continue with "OK", another parameter would need to be checked i.e. if the user
would be authenticated via NPS. To confirm, under the same window, select the "Dial-in" tab
on top, and under "Network Access Permission", confirm if the "Control access through NPS
Network Policy" is selected.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 23/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 24/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Under NPS (Local) > Standard configuration, we will be able to see two options, "RADIUS
server for dial-up or VPN connection" and "RADIUS server for 802.1x Wireless or Wired
connections. For this case, we will be using "RADIUS server for dial-up or VPN connections"
and select "Configure VPN or Dial-up" below it.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 25/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 26/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Add "RADIUS clients" by selecting "Add" > Type in a friendly name "Aristaswitch" > type
shared secret password (this would be configured as the "Key" under the switch configuration
for RADIUS, so be sure to REMEMBER it!!) and click "OK".
If DNS is being used, be sure to click "Verify" to check if the DNS can resolve the hostname.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 27/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
"Aristaswitch" should be seen under RADIUS clients as shown below and click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 28/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 29/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Add user groups that the user is part of. To do so, click "Add" > type the group name
"AristaTestGroup" > click on "Check Names" to verify the group > click "OK".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 30/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We should now see "AristaTestGroups" added under Groups and click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 31/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We can apply input/output IP filters, in this case, we have none and hence, we can continue to
click "Next.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 32/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 33/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
The Realm Name is a portion of the username which is used by the ISP to identify which
connection requests to route to this server. In this case, we do not require a Realm Name and
can continue to click "Next".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 34/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
It would state "You have successfully created the following policies and configured the
following RADIUS clients", then click on "Finish".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 35/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Under "RADIUS clients and Servers" > RADIUS clients, we should be able to see the switch
added successfully and enabled.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 36/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 37/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Give it a Policy name as shown below and click "Next". In this case, we have used "arista".
Here we add conditions required by selecting "Add" > Select "Access Client IPv4 Address" > Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
Specify IP address > OK
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 38/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We should then see the client added to the conditions page as shown below and click "Next"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 39/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Here is where we specify if the authentication would occur locally or if needs to be redirected to
a different RADIUS server. In this case, authentication is being done locally, hence,
"Authenticate requests on this server" is selected as shown below.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 40/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Continue to click "Next" until we reach the "Finish" which should look like the following and
click "Finish.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 41/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Next, we will be configuring the "Network Policies" where we specify which User/Group would
be authorized and the conditions under which they can or cannot connect. To configure right
click on "Network Policies" > select "New"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 42/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Give a Policy name, in this case, the name "Arista_Network_Policy" is given as shown below,
and click "Next"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 43/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Here we add conditions as we did earlier in step 3 by selecting "Add" but we would select
"User Groups" > type "AristaTestGroup" (Group created earlier) > click on "Check Names" to
make sure the group is right > click "OK" twice and we should arrive at the following page.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 44/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Here we specify access permission where a user can be denied or granted access. In this
case, we will be selecting "Access Granted"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 45/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 46/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We would not need to make changes to the "Configure Contraints" page so we can click "Next"
to arrive at the "Configure Settings" page. Here we would remove "Framed Protocol" by
clicking on it > select remove
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 47/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Next, we would be changing "Service-Type" by clicking on it > select Edit > select "Others" >
from the drop-down menu select "NAS Prompt" > click"OK" > click "Next"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 48/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We would then need to Vendor-Specific Attributes by selecting "Vendor Specific" > select "Add"
> scroll down and select "Vendor-Specific" > select "Add"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 49/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Click on "Add" > select "Enter Vendor Code" as 30065 > select "Yes. It conforms" > select
"Configure Attribute" > select "Vendor-assigned attribute number" as 1 (all attributes will have
the same number 1) > select "String" > type "shell:roles=network-admin" under "Attribute
Value" > click "OK"> click "OK" again and we should see it added.
We will follow the same steps as above to add the other attributes. Next, we will add the
privilege level, by typing "shell:priv-lvl=15" under "Attribute Value"
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 50/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 51/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We should see the following added as shown below and click "OK" > click "Close".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 52/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Select "Encryption" > de-select "No encryption" as we do not want our traffic from our access
clients to the access servers not encrypted.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 53/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Next, make sure the Network Policy is set in the right processing order. If not, you can right-
click on the "Network Policy Name" > select "Move Up".
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 54/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Phew!!! We are finally done with the configuration on the Server Side.
* Please note: EOS local accounts are not used unless the radius server is unreachable
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 55/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
You can check on the switch side if the authentication works by running the command "show
radius". You should be able to see the message sent/received and if they were accepted or
not.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 56/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
arista#show radius
Messages sent: 5
Messages received: 5
Requests accepted: 5
Requests rejected: 0
Requests timeout: 0
Requests retransmitted: 0
Bad responses: 0
DNS errors: 0
DM request received: 0
DM ack sent: 0
DM Nak sent: 0
You can also check under "show users detail" to check if the user is authenticated correctly
You can also take a packet capture on port 1812 as shown below
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 57/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
On the Windows Server end, you can look at the Event Viewer > click on "Custom Views" >
click on "Server Roles" > click on "Network Policy and Access Servers" and check if the user is
authenticated correctly with the right parameters or not.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 58/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 59/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Click on the "gear icon" on the top right corner once you log in using local user at first > select
"Access Control" > select "RADIUS" under Authentication and Authorization Source > click on
"Add Server" > provide an IP address, shared key as configured earlier (Step4 under RADIUS
Server configuration)
Be sure to add the CVP IP address as a RADIUS client and under "Content Request Policies"
as done earlier for the switch.
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 60/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Cookies Settings
We can
By clicking see All
“Accept thatCookies,”
the useryou
is successfully authenticated
agree to the storing of cookiesvia
onRADIUS as to
your device shown below.
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 61/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
We can confirm the same under Event Viewer on the Windows Server.
If the issue is still seen, collect the below outputs and reach out to Arista TAC support by sending
an email at support@arista.com (mailto:support@arista.com)
CLI commands:
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage,
Cognitive Campusand assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
(/AristaCommunity/s/topic/0TO2I00…
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 62/64
7/14/22, 3:38 PM Setting up AD, NPS, and RADIUS authentication using Windows NPS
Support
Product Documentation
(https://www.arista.com/en/support/product-documentation)
Investor Relations
(https://investors.arista.com/)
© 2022 Arista Networks, Inc. All rights reserved. Terms of Use (https://www.arista.com/en/terms-of-use) Privacy Policy (https://www.arista.com/en/privacy-policy)
Cookies Settings
By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation,
analyze site usage, and assist in our marketing efforts. If you would like more details or other options, please review
the Cookie Settings.
Accept All Cookies
https://aristanetworks.force.com/AristaCommunity/s/article/setting-up-ad-nps-and-radius-authentication-using-windows-nps 64/64