cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3923
Views
0
Helpful
7
Replies

Anyconnect on new ISR routers ?

We are trying to get AnyConnect to work with new ISR routers that runs IOS-XE, but we are running our heads into walls all the time.

We found out that SSLVPN is not possible - all right.

IKEv2 should be possible, but all the configuration guides we have found does not work for us.

Does anyone has a sample config for using AnyConnect with new ISR routers, where the client end (Anyconnect) just has to supply a username and password (no certificate).

 

PS: We are trying to get it to authenticate to a ISE, we dont see any problems with out policy in ISE, we think we have those "under control".

PPS: We are not security specialists :-)

 

/Thomas

7 Replies 7

JP Miranda Z
Cisco Employee
Cisco Employee

Hi Thomas Obbekaer Thomsen,

 

In this case you should be able to configure FlexVPN, the following configuration guide includes everything you need to get it up and running:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

 

If after implementing that configuration you are still having problems you can share a sanitized config so i can take a look.

 

 

Hope this info helps!!

 

Rate if helps you!! 

 

-JP- 

Heres out current config (with a little info filtered out):

 

radius server DKTEST
!
aaa group server radius ISE
server name DKTEST
!
!
aaa authentication login a-eap-authen group ISE
aaa authorization network a-eap-author group ISE
aaa accounting network a-eap-acc start-stop group ISE
!
crypto ikev2 name-mangler NM
eap suffix delimiter @
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint TP_AC
aaa authentication anyconnect-eap a-eap-authen
aaa authorization group anyconnect-eap list a-eap-author
aaa authorization user anyconnect-eap list a-eap-author name-mangler NM
aaa accounting anyconnect-eap a-eap-acc
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
!
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback0
zone-member security INSIDE
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!

 

 

What "confused" us a bit from the sample config is the line:

aaa authorization group anyconnect-eap list a-eap-author <aaa-username>

We modded this to not include the word <aaa-username> because this did not make any sense to us.

 

Now we get Authenticated fine on the ISE.

But right after the Authentication, the router sends a Authorization, and this fails.

On the ISE it fails with : 

Failure Reason 22040 Wrong password or invalid shared secret

 

 

Heres our current config , and it works.

 

We created a case, and the solution (the one we where having the most trouble with) was to have local Authorization.

This local Authorization is then overwritten with the Cisco-AV-Pairs we return from the ISE, so it dosent "do" anything, but we still need the local one on the config.

 

(we also removed the NM).

 

------------------------

So the config now looks something like this:

------------------------

aaa authentication login a-eap-authen group ISE

aaa authorization network a-eap-author local

!

!

crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-POOL
 aaa attribute list AAA-attr

!

!

crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_AC
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 100

!

!

 

 

Now we just need to find out id DACLs works with this ... right now Im not in the optimistic corner ... no documentation mentiones DACL and Routers with FlexVPN ... (only ASAs)

 

Hi, I've never read anything that suggests DACLs are supported with FlexVPN and didn't appear to work when I previously briefly tested. ACLs and ZBFW are supported. These can be dynamically applied to each user session during authorization.

HTH

We where also looking at Zonebased firewall. We are looking at applying different VPN-Pools to different users from the ISE, and then do Zonebased firewall on that.

 

But are you saying that you dynamically apply ZBFW from the ISE to the ISR ?

Do you have a document I can look at, because I cannot seem to find any.

 

And from your answer, Im guessing you mean that DACLs are not supported ? Im a little confused here.

 

In your ISE Authorization Profile you define an Advanced Attribute setting for the following:

VPN Pool
cisco-av-pair = ipsec:addr-pool=VPN_POOL

ZBFW:-
cisco-av-pair= ip:interface-config=zone-member security INSIDE_ZONE

The VPN Pool called VPN_POOL must be defined on the hub router. Same applies for the ZBFW configuration, everything must already be configured, all you are doing is dynamically defining which zone the virtual-access interface will be a member of.

I wasn't confirming DACLs are not supported, merely that I've not read that they either are or are not supported. No information I've found....last time I looked. It may well have changed in newer versions of IOS.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: