05-09-2022 05:24 AM
Hi,
I would like to connect to an IOS Router (C881G-4G-GA-K9, version 15.8(3)M7) with AnyConnect (4.10.x) and 2 factor authentication (username/pw and machine certificate verification).
The connection works with the following ikev2-profile-config and with username/pw authentication, but the machine certificate is not checked.
Does anyone know the right config (IOS / AnyConnect / NPAS) so that also the machine certificate is verified?
The VPN connection to our firepower works and the username/pw and also the machine certificate is checked from the firewall.
crypto ikev2 profile ikev2-profile_AnyConnect
match identity remote key-id ABC-Lab
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint tp_ABC-Issuing-CA-1
aaa authentication eap aaa-auth-radius
aaa authorization group eap list vpn-auth ikev2-author-policy_AnyConnect
virtual-template 1
Thx!
Regards,
Mike
05-09-2022 05:56 AM
05-10-2022 05:13 AM
Thanks for the fast reply and the link, but I should have mentioned that I am looking for a config which checks, besides the username/pw, also the client machine certificate from an IPsec AnyConnect connection related to a Windows RADIUS server.
The config works already with the verification of the username and pw from the radius server, but I can connect to the router with and without a machine certificate. So this should be checked also.
Do you know how to configure it or where it's best described? Do I need to have the company Issuing CA certificate on the router or the RADIUS server? (The client certificate trusts the Issuing CA.) What do I have to configure in the AnyConnect profile on the client?
Thanks!
05-10-2022 05:21 AM
@Mike-Zimmermann you can configure aggregate (double) authentication using the following under the IKEv2 profile.
crypto ikev2 profile IKEV2_PROFILE
authentication remote anyconnect-eap aggregate cert-request
09-15-2022 04:25 AM
Hi,
I finally made it and the double-authentication, username/pw (checked by a radius server) AND machine certificate-check, works. Additionally we keep the “match identity remote key-id ABC-Lab” from the old config.
In our case we use an Issuing CA, and therefore we also need to create a second trustpoint with the root CA certificate!
So here is a part of the final config for admins who are facing the same task:
AnyConnectLocalPolicy.xml
<BypassDownloader>true</BypassDownloader>
AnyConnectProfile.xml
<CertificateStore>Machine</CertificateStore>
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
<IKEIdentity>ABC-Lab</IKEIdentity>
New IKEv2 Profile, compared with my first blog entry:
crypto ikev2 profile ikev2-profile_AnyConnect
match identity remote key-id ABC-Lab
authentication local rsa-sig
authentication remote anyconnect-eap aggregate cert-request
pki trustpoint tp_ABC-Issuing-CA-1
pki trustpoint tp_ABC-Root-CA
aaa authentication anyconnect-eap aaa-auth-radius
aaa authorization group anyconnect-eap list vpn-auth ikev2-author-policy_AnyConnect
virtual-template 1
The only question for which I couldn’t find an answer yet is, why does the user authentication with the radius server (Windows Server 2019) take place using PAP and not encrypted (CHAP)? This is a high security risk and actually a no-go. Does anyone know the reason why or how to change it?
Thx!
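On the last question about PAP: what an IOS RADIUS client puts on the wire for a PAP authentication is a RADIUS Access-Request whose User-Password attribute is hidden as described in RFC 2865 section 5.2, not the bare password. The hiding is an MD5 keystream derived from the RADIUS shared secret and the 16-byte Request Authenticator, XORed over the NUL-padded password, so its only protection is the shared secret (and whatever transport security, such as IPsec, carries the RADIUS traffic). The script below is an added illustration, not code from the thread, Cisco, or Microsoft: it builds a minimal Access-Request with User-Name and User-Password, parses it back the way the server side would, and recovers the password with the correct secret and fails with a wrong one. The authenticator, shared secret, username and password are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not taken from the thread): a 16-byte Request
# Authenticator as a RADIUS client would generate per request, the RADIUS
# shared secret configured on both router and server, and a user password.
SAMPLE_AUTHENTICATOR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_SECRET = b"radius-shared-secret"
SAMPLE_PASSWORD = "P@ssw0rd-example"

RADIUS_ACCESS_REQUEST = 1   # RADIUS Code for Access-Request
ATTR_USER_NAME = 1          # RADIUS attribute type User-Name
ATTR_USER_PASSWORD = 2      # RADIUS attribute type User-Password


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding as done by the RADIUS client.

    The password is NUL-padded to a multiple of 16 bytes. Each 16-byte block
    is XORed with MD5(secret + previous ciphertext block); the first block
    uses the Request Authenticator in place of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password length must be a multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request: 20-byte header plus User-Name and User-Password TLVs."""
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    length = 20 + len(attrs)
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Parse header and attributes back out, as the server side would."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def demo() -> dict:
    """Round-trip a sample request; shows what the secret does and does not protect."""
    pkt = build_access_request(7, "mike", SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    code, identifier, auth, attrs = parse_access_request(pkt)
    return {
        "code": code,
        "identifier": identifier,
        "username_on_wire": attrs[ATTR_USER_NAME].decode(),          # sent in clear
        "hidden_password": attrs[ATTR_USER_PASSWORD],                 # not the plaintext
        "recovered_with_secret": reveal_password(attrs[ATTR_USER_PASSWORD], SAMPLE_SECRET, auth),
        "recovered_with_wrong_secret": reveal_password(attrs[ATTR_USER_PASSWORD], b"wrong-secret", auth),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the User-Name travels in the clear and the User-Password hiding is only as strong as the shared secret and the protection of the RADIUS path; the script is there to make concrete what "PAP" means between the router and the server, not to change the behaviour the thread describes.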