Restrict AnyConnect FlexVPN Connectivity with CSR1kv in multi VRF scenario if IKEid (key) is leaked

manoghos
Cisco Employee

Hi Experts,

I need help configuring an IKEv2 profile per VRF so that users of one VRF are restricted from another.
AnyConnect Client 4.5 is using FlexVPN with AnyConnect-EAP authentication, with an IKE ID used for matching the remote key identity.
Also, we are using a local AAA database (no RADIUS/TACACS).

If I obtain the IKE ID of any other tenant and use it in my AnyConnect profile, I can connect to that tenant's network.
I hope this can be restricted using the name-mangler option in aaa authorization group/user in the ikev2 profile, but I found limited examples of implementing it with local AAA.

Please find the configuration snapshot.
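An added configuration sketch, not the OP's snapshot and not a Cisco reference example, showing how the name-mangler the OP mentions can drive local (non-RADIUS) group authorization: the realm after "@" in the AnyConnect-EAP username selects a per-tenant ikev2 authorization policy, and that policy, rather than the IKE key-id, places the session in the tenant VRF. All names in capitals, the usernames, pools and VRFs are assumed; the command syntax is recalled from IOS-XE FlexVPN configuration and should be checked against the running image.

```cisco
! Added illustration; all names are assumed, passwords are placeholders.
aaa new-model
aaa authentication login LOCAL-AUTHC local
aaa authorization network LOCAL-AUTHZ local
!
! Local user database: the realm after "@" identifies the tenant.
username alice@tenant-a password <PLACEHOLDER>
username bob@tenant-b password <PLACEHOLDER>
!
! Mangler keeps only the text after "@" (the realm) from the EAP identity.
crypto ikev2 name-mangler REALM
 eap suffix delimiter @
!
! Attribute lists bind the virtual-access interface to the tenant VRF.
! Assumed syntax: the VRF must be applied before the unnumbered address.
aaa attribute list TENANT-A
 attribute type interface-config "vrf forwarding TENANT-A"
 attribute type interface-config "ip unnumbered Loopback1"
aaa attribute list TENANT-B
 attribute type interface-config "vrf forwarding TENANT-B"
 attribute type interface-config "ip unnumbered Loopback2"
!
! One authorization policy per realm. The policy name must equal the
! mangled realm; a realm with no policy fails group authorization.
crypto ikev2 authorization policy tenant-a
 pool TENANT-A-POOL
 aaa attribute list TENANT-A
crypto ikev2 authorization policy tenant-b
 pool TENANT-B-POOL
 aaa attribute list TENANT-B
!
! A single profile for all tenants: the key-id only selects the profile,
! the authenticated username decides which tenant policy is applied.
crypto ikev2 profile ANYCONNECT-EAP
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint FLEXVPN-TP
 aaa authentication anyconnect-eap LOCAL-AUTHC
 aaa authorization group anyconnect-eap list LOCAL-AUTHZ name-mangler REALM
 aaa authorization user anyconnect-eap cached
 virtual-template 1
```

With this layout a username whose realm matches no configured policy fails group authorization and the IKEv2 exchange does not complete, so knowing another tenant's key-id alone does not place a session in that tenant's VRF.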


Hi RJI,
I have a next-level issue posted here: https://community.cisco.com/t5/nso-developer-hub-discussions/cisco-ios-ned-doesn-t-support-ikev2-name-mangler-eap-option/m-p/3821903#M3519
Is there any possibility of getting the same result using the 'dn'/'email'/'fqdn' mangler option instead of 'eap'?

crypto ikev2 name-mangler mangler1
eap suffix delimiter @
!

Hi,
Do the client computers also have user certificates? You could use double authentication (EAP + certificate) and authorize using the certificate, using the name-mangler to extract a value from the DN (state, OU, etc.).

HTH

No, clients do not have certificates at the time of authentication. Only the VRF trustpoints have certificates, for the FQDN domain check.

Hi RJI,
Do you have any idea on authorization prohibition/restriction? Can we restrict based on authorization by creating a user group per VRF in local AAA?