Ezvpn ISAKMP authorization (mode config) on IOS using ACS issue

Erik Ingeberg — Mon, 11 Mar 2019 01:51:34 GMT

Hi,

I've set up ezvpn using DVTI for both hardware and software ezvpn clients on on a IOS router. Authentication authorization (mode config) is done with RADIUS towards ACS 4.2, and this is working fine.

In order to get this to work, I had to create users on ACS that have the same names as the ezvpn groups with password "cisco".

Users and ezvpn IOS NEM clients are getting authenticated and authorized correctly with the correct mode configuration. My problem is that I am able to log in with a vpn client using any group-name as username and the password "cisco".

Since the group-name is visible in the software client, and the password is always "cisco", it is very easy for unwanted users to get access (the enc_GroupPwd in the pcf file is very easily decrypted).

I have been trying to deny access to the username that is the same as the group-name, but then authentication fails.

Here is the relevant config for the software vpn client on the ezvpn server:

aaa authentication login acs group radius

aaa authorization network acs group radius

crypto isakmp policy 5

encr aes 256

authentication pre-share

group 2

crypto isakmp profile ezvpn-client

self-identity address

match identity group ezvpn-client

client authentication list acs

isakmp authorization list acs

client configuration address respond

virtual-template 30

crypto ipsec profile ezvpn-client

set transform-set tset

set reverse-route tag 10

set isakmp-profile ezvpn-client

interface Virtual-Template30 type tunnel

ip unnumbered Loopback0

ip ospf mtu-ignore

tunnel source x.x.x.x

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile ezvpn-client

ip local pool ezvpn-client-pool x.x.x.1 x.x.x.254

ip access-list extended split

permit ip x.x.x.x x.x.x.x any

radius server acs

address ipv4 x.x.x.x auth-port 1812 acct-port 1813

key xxxx

ACS group config (both the "ezvpn-client" user and regular users are members):

cisco-av-pair:

ipsec:key-exchange=ike

ipsec:key-exchange=pre-shared

ipsec:inacl=split

ipsec:addr-pool=ezvpn-client-pool

ipsec:user-vpn-group=ezvpn-client

IETF attributes:

[006] Service-Type: Outbound

[064] Tunnel-Type: IP ESP

[069] Tunnel-Password: xxxx

Is there any way to stop the "ezvpn-client" user being able to connect using the well know password "cisco"?

Ezvpn ISAKMP authorization (mode config) on IOS using ACS issue

Erik Ingeberg — Fri, 02 Mar 2012 09:38:50 GMT

I've tried using IOS CA rsa-sig for ISAKMP instead of pre-shared keys, and it works fine.

The problem is still the same though. Since the OU in the client certificate has to match the ezvpn group name (and corresponding ACS user), xauth is meaningless. There will always be a well known username who must have "cisco" as password. Anyone getting hold of a company laptop can get VPN access to corporate resources.

I'm starting to think that ISAKMP authorization with RADIUS is very insecure and should not be used under any circumstance.

Am I right in thinking that local ISAKMP authorization is the way to go for ezvpn?

topic Ezvpn ISAKMP authorization (mode config) on IOS using ACS issue in Network Access Control

Ezvpn ISAKMP authorization (mode config) on IOS using ACS issue

Ezvpn ISAKMP authorization (mode config) on IOS using ACS issue