add or show users in aaa group

WonderfulIT
Level 1

Hi all,

Fairly new to Cisco. On an ISR4431 there is an aaa group named flex_aaa and I cannot find the correct command to see what users are in it, or to add a user to that specific group.

Can anyone point me in the right direction?

Thanks


Ian

10 Replies

Hi,
If you are using an aaa group then I assume you are using RADIUS, and therefore the users will be authenticated there and not locally. If you provide the full configuration, we will be able to confirm either way.

HTH

Aaah, right, it's got "aaa authentication login anyconnect_aaa local", so I was under the impression that was a local group instead of RADIUS?

Ok, sounds like it's local authentication. You would just define a user locally, e.g. username testuser password testpassword

Is the aaa group actually in use/referenced elsewhere? Without seeing the full configuration I won't be able to confirm the exact configuration.

Yeah, sorry, company policy is not to display configs, which is no help at a time like this, but do you mean this reference?

crypto ikev2 profile anyconnect-ikev2-profile-1
 match identity remote key-id secure.domain.co.uk
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint secure.domain.co.uk
 dpd 60 2 on-demand
 aaa authentication eap anyconnect_aaa
 aaa authorization group eap list anyconnect_aaa-1 anyconnect_aaa-local-policy-1
 virtual-template 10

These are the aaa entries before that:

aaa authentication login default local
aaa authentication login anyconnect_aaa local


Interesting, your IKEv2 profile confirms the remote authentication method is rsa-sig, but you've also got "aaa authentication eap ..." defined.

crypto ikev2 profile anyconnect-ikev2-profile-1
 authentication remote rsa-sig

Without testing, I am pretty sure authentication will still be certificates and the "aaa authentication eap ..." and "aaa authorization group ..." commands are not doing anything, therefore you aren't using username/password for authentication.

Check the AnyConnect profile configuration for the "Auth method during IKE negotiation".

 

I'm guessing I may have done this wrong then.

The file shows:

<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>

Also just noticed in sh run:

cisco flexvpn profile incomplete no local and or remote authentication

Your previous message indicated an IKEv2 profile "crypto ikev2 profile anyconnect-ikev2-profile-1" with both a local and remote authentication method of rsa-sig. If you say that the profile is incomplete ("no local and or remote authentication") then I assume you have another IKEv2 profile defined?

Refer to this FlexVPN guide, which uses the local user database for authentication.

Sorry, this is where I get lost.

Just to get it clear in my head, as I've never set this up but I have added a 3rd party certificate from GeoTrust: if I want users to specify a username and password to be able to connect, what do I need to configure specifically?

Also, from the sound of it I can then get users connected WITHOUT a username and password, so is this then specified in the profile configuration tool?

I've no preference whether it's via username or password as long as it works and is secure.

Apologies if I sound a bit vague.

Read that link, and am I correct in thinking then that the line "crypto ikev2 authorization policy" should be followed by a name I select (i.e. where I've copied anyconnect-local-policy-1 from a guide, I thought this was the command as opposed to entering a name I've made up, so to speak)?

If so, then this name I insert relates to what part of the config I've entered? (if that makes sense)

Thanks

Ian
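Added example, not from this thread or from Cisco's documentation: how the pieces named above fit together when AnyConnect clients authenticate with a username and password from the local database (EAP) while the router still authenticates with its certificate. It reuses the names shown in the thread (anyconnect_aaa, anyconnect_aaa-1, anyconnect_aaa-local-policy-1, anyconnect-ikev2-profile-1, trustpoint secure.domain.co.uk, Virtual-Template 10); the pool name, address range and username are constructed placeholders.

```cisco-ios
! Added example configuration, not the poster's own. Names from the thread are
! reused; FLEX_POOL, 192.0.2.x and vpnuser are constructed placeholders.
aaa new-model
! Method list referenced by "aaa authentication eap" in the profile: local users
aaa authentication login anyconnect_aaa local
! Method list referenced by "aaa authorization group eap list": also local
aaa authorization network anyconnect_aaa-1 local
!
! A local VPN user (placeholder credentials). Existing users can be listed with
! "show running-config | include ^username".
username vpnuser secret EXAMPLE-PASSWORD
!
! Addresses handed out to connected clients (constructed range)
ip local pool FLEX_POOL 192.0.2.10 192.0.2.100
!
! The authorization policy name is one you choose; it must match the last
! argument of "aaa authorization group eap list ..." in the IKEv2 profile.
crypto ikev2 authorization policy anyconnect_aaa-local-policy-1
 pool FLEX_POOL
 route set interface
!
crypto ikev2 profile anyconnect-ikev2-profile-1
 match identity remote key-id secure.domain.co.uk
 identity local dn
! The router still proves its identity with its third-party certificate
 authentication local rsa-sig
! Clients authenticate with EAP (username/password) instead of a certificate.
! With "authentication remote rsa-sig" here, the two aaa lines below are never used.
 authentication remote eap query-identity
 pki trustpoint secure.domain.co.uk
 dpd 60 2 on-demand
 aaa authentication eap anyconnect_aaa
 aaa authorization group eap list anyconnect_aaa-1 anyconnect_aaa-local-policy-1
 virtual-template 10
```

The client-side profile must then request EAP-AnyConnect as the IKE authentication method, as the poster's profile already does, so that the router's "authentication remote eap" setting and the client agree.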