Cisco Employee

Re: Restrict AnyConnect FlexVPN Connectivity with CSR1kv in multi VRF scenario if IKEid (key) is leaked

Hi RJI,
I have a next-level issue posted here: https://community.cisco.com/t5/nso-developer-hub-discussions/cisco-ios-ned-doesn-t-support-ikev2-name-mangler-eap-option/m-p/3821903#M3519
Is there any possibility to get the same result using the mangler option 'dn'/'email'/'fqdn' instead of 'eap'?

crypto ikev2 name-mangler mangler1
eap suffix delimiter @
!
RJI, VIP Advocate

Re: Restrict AnyConnect FlexVPN Connectivity with CSR1kv in multi VRF scenario if IKEid (key) is leaked

Hi,
Do the client computers also have user certificates? You could use double authentication (EAP + certificate) and authorize using the certificate, using the name-mangler to extract a value from the DN: state, OU, etc.

HTH
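The approach suggested above (certificate-based authorization keyed on a DN attribute extracted by a name-mangler, with the mangled value selecting a per-VRF local authorization policy), written out as an added IOS-XE configuration illustration; it is not configuration from the original thread or from Cisco, and the names MANGLER-OU, FLEX-AUTHZ, VRF-A, POOL-VRF-A, TP-VRF-A and FLEX-PROFILE are placeholders chosen for this example. It assumes client certificates carry the target VRF name in the OU field and that the platform supports the `cert-request` double-authentication keyword:

```cisco
! Extract the OU attribute from the peer certificate's subject DN
! (replaces the 'eap suffix delimiter @' mangler that the NED rejects)
crypto ikev2 name-mangler MANGLER-OU
 dn organization-unit
!
! Local authorization list: the mangled name is looked up as a
! 'crypto ikev2 authorization policy' name
aaa authorization network FLEX-AUTHZ local
!
! One policy per VRF; the policy name must equal the OU value in the
! user certificate (here OU=VRF-A). A certificate whose OU matches no
! policy gets no authorization, so a leaked IKE id alone is not enough.
crypto ikev2 authorization policy VRF-A
 vrf VRF-A
 pool POOL-VRF-A
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote any
 identity local dn
 authentication local rsa-sig
 ! Double authentication: EAP credentials plus a client certificate
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP-VRF-A
 ! Authorize on the certificate, naming the policy via the mangler
 aaa authorization user cert list FLEX-AUTHZ name-mangler MANGLER-OU
 virtual-template 1
```

With this in place an AnyConnect client that presents valid EAP credentials but no certificate (or a certificate issued for a different OU) is refused at authorization rather than being placed into the wrong VRF.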
Cisco Employee

Re: Restrict AnyConnect FlexVPN Connectivity with CSR1kv in multi VRF scenario if IKEid (key) is leaked

No, clients do not have certificates at the time of authentication. Only the VRF trustpoints have certificates for the FQDN domain check.
Cisco Employee

Re: Restrict AnyConnect FlexVPN Connectivity with CSR1kv in multi VRF scenario if IKEid (key) is leaked

Hi RJI,
Do you have any idea on authorization prohibition/restriction? Can we restrict based on authorization by creating a user group per VRF in local AAA?