Automate Your job – Synchronise NPS Servers and Push Config Changes to Multiple Devices

A recent project I was working on involved migrating a clients switches, routers, firewalls, VPN and wireless to two new NPS servers (live and DR) from their existing and hard to manage four. The situation they had was that Cisco switches, routers and firewalls would use RADIUS to authenticate VTY sessions but over time the configurations had diverged and there was a lack of commonality and structure behind which RADIUS servers should be used. Similarly, wireless profiles on their Cisco WLC that used 802.1x authentication also had no controls over which RADIUS servers should be used.

With up to 50 network devices to configure with the new RADIUS config as well as remove surplus backdoor accounts and then test I started to think outside the box – thankfully the client had CatTools on premise which I leveraged to inject the new RADIUS configuration commands into the configuration. When it came to testing, I simply changed the logon methods for each switch within CatTools to use the authorised AD account and ran a config backup for each devices – any that failed the job would be logged and manually investigated.

That was pretty much it for 90% of the network devices and the remaining AnyConnect VPN and WiFi WLC configurations were pretty straight forward using the GUIs. The other task was to setup the two new NPS servers with the configs from the existing four. For this I used the inbuilt export feature which saves the configuration as an XML file. Because of this, it was straight forward to manipulate and merge the files prior to importing in the new NPS servers. Another hurdle was how to maintain the configurations between the two NPS servers with minimal (or zero) human input – for this it is possible to use only two methods:

  • Manual export / import between servers after any changes
  • Use PowerShell to do the above for you as a scheduled task: http://poshcode.org/1502 (Credit to JGrote)

This script works a treat and ensure the DR NPS configuration is kept aligned with the live NPS policies, client lists and so on and takes barely any effort to setup.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s