AnyConnect - IOS router - machine certificate verification

Mike-Zimmermann
Level 1

Hi,

I would like to connect to an IOS router (C881G-4G-GA-K9, version 15.8(3)M7) with AnyConnect (4.10.x) and two-factor authentication (username/pw and machine certificate verification).

The connection works with the following ikev2-profile-config and with username/pw authentication, but the machine certificate is not checked.

Does anyone know the right config (IOS / AnyConnect / NPAS) so that the machine certificate is also verified?

The VPN connection to our Firepower works, and both the username/pw and the machine certificate are checked by the firewall.


crypto ikev2 profile ikev2-profile_AnyConnect
match identity remote key-id ABC-Lab
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint tp_ABC-Issuing-CA-1
aaa authentication eap aaa-auth-radius
aaa authorization group eap list vpn-auth ikev2-author-policy_AnyConnect
virtual-template 1
Thx!

Regards,

Mike

4 Replies

Thanks for the fast reply and the link, but I should have mentioned that I am looking for a config which, besides the username/pw, also checks the client machine certificate from an IPsec AnyConnect connection related to a Windows RADIUS server.
The config already works with the verification of the username and pw from the RADIUS server, but I can connect to the router with and without a machine certificate. So this should be checked also.
Do you know how to configure it or where it's best described? Do I need to have the company Issuing CA certificate on the router or the RADIUS server? (The client certificate trusts the Issuing CA.) What do I have to configure in the AnyConnect profile on the client?
Thanks!

@Mike-Zimmermann you can configure aggregate (double) authentication using the following under the IKEv2 profile.
crypto ikev2 profile IKEV2_PROFILE
authentication remote anyconnect-eap aggregate cert-request

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16-8/sec-flex-vpn-xe-16-8-book/sec-cfg-flex-aggr.html


Mike-Zimmermann
Level 1

Hi,

I finally made it, and the double authentication, username/pw (checked by a RADIUS server) AND machine certificate check, works. Additionally we keep the “match identity remote key-id ABC-Lab” from the old config.

In our case we use an Issuing CA, and therefore we also need to create a second trustpoint with the root CA certificate!

So here is a part of the final config for admins who are facing the same task:


AnyConnectLocalPolicy.xml

<BypassDownloader>true</BypassDownloader>

AnyConnectProfile.xml

<CertificateStore>Machine</CertificateStore>
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
<IKEIdentity>ABC-Lab</IKEIdentity>


New IKEv2 Profile, compared with my first blog entry:

crypto ikev2 profile ikev2-profile_AnyConnect
 match identity remote key-id ABC-Lab
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint tp_ABC-Issuing-CA-1
 pki trustpoint tp_ABC-Root-CA
 aaa authentication anyconnect-eap aaa-auth-radius
 aaa authorization group anyconnect-eap list vpn-auth ikev2-author-policy_AnyConnect
 virtual-template 1


The only question for which I couldn’t find an answer yet is, why does the user authentication with the radius server (Windows Server 2019) take place using PAP and not encrypted (CHAP)? This is a high security risk and actually a no-go. Does anyone know the reason why or how to change it?

Thx!
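The thread above shows an initial IKEv2 profile that silently accepted clients without a machine certificate and the corrected profile that enforces aggregate (double) authentication. The following script is an added example, not code from the thread or from Cisco: it parses `crypto ikev2 profile` blocks out of an IOS running-config and flags the two gaps the thread identified (remote authentication without `aggregate cert-request`, and a single trustpoint when the client certificates come from a subordinate Issuing CA). The sample configs embedded below are constructed from the two profiles posted in the thread; the check names and the rule that the `aaa authentication` list must use the same `anyconnect-eap` keyword are the author's assumptions for this audit, not vendor requirements.

```python
"""Audit Cisco IOS IKEv2 profiles for AnyConnect double authentication.

Added example (not from the thread). It reads IOS config text, extracts each
'crypto ikev2 profile' block and reports settings that would let a client
connect without a machine certificate being verified.
"""
import re
from typing import Dict, List

# Constructed sample: the profile from the opening post (no certificate check).
BEFORE_CFG = """\
crypto ikev2 profile ikev2-profile_AnyConnect
 match identity remote key-id ABC-Lab
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint tp_ABC-Issuing-CA-1
 aaa authentication eap aaa-auth-radius
 aaa authorization group eap list vpn-auth ikev2-author-policy_AnyConnect
 virtual-template 1
"""

# Constructed sample: the final profile from the thread (aggregate auth).
AFTER_CFG = """\
crypto ikev2 profile ikev2-profile_AnyConnect
 match identity remote key-id ABC-Lab
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint tp_ABC-Issuing-CA-1
 pki trustpoint tp_ABC-Root-CA
 aaa authentication anyconnect-eap aaa-auth-radius
 aaa authorization group anyconnect-eap list vpn-auth ikev2-author-policy_AnyConnect
 virtual-template 1
"""


def parse_profiles(cfg: str) -> Dict[str, List[str]]:
    """Return {profile_name: [sub-command, ...]} for every IKEv2 profile.

    IOS indents sub-commands of a block with one space; an unindented line
    (or a comment starting with '!') ends the current block.
    """
    profiles: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^crypto ikev2 profile (\S+)\s*$", line)
        if m:
            current = m.group(1)
            profiles[current] = []
        elif current is not None and line.startswith(" "):
            profiles[current].append(line.strip())
        else:
            current = None  # left the block
    return profiles


def audit_profile(lines: List[str]) -> List[str]:
    """Return a list of findings (empty list means the profile passes)."""
    findings: List[str] = []

    remote = [l for l in lines if l.startswith("authentication remote ")]
    if not remote:
        findings.append("no 'authentication remote' method configured")
    elif not any("aggregate" in l and "cert-request" in l for l in remote):
        findings.append(
            "remote authentication does not require a client certificate "
            "(missing 'aggregate cert-request')"
        )

    trustpoints = [l.split()[2] for l in lines
                   if l.startswith("pki trustpoint ") and len(l.split()) >= 3]
    if not trustpoints:
        findings.append("no 'pki trustpoint' referenced by the profile")
    elif len(trustpoints) < 2:
        # Assumption from the thread: clients issued by a subordinate CA need
        # both the Issuing CA and the root CA trustpoints on the gateway.
        findings.append("only one trustpoint; add the root CA trustpoint when "
                        "client certificates come from a subordinate Issuing CA")

    # Assumption: the AAA authentication list must use the same EAP keyword as
    # the remote authentication method, otherwise the EAP leg cannot complete.
    uses_anyconnect_eap = any("anyconnect-eap" in l for l in remote)
    aaa = [l for l in lines if l.startswith("aaa authentication ")]
    if uses_anyconnect_eap and not any("anyconnect-eap" in l for l in aaa):
        findings.append("'authentication remote anyconnect-eap' without a "
                        "matching 'aaa authentication anyconnect-eap <list>'")

    if not any(l.startswith("match identity remote") for l in lines):
        findings.append("no 'match identity remote' statement")
    return findings


def audit_config(cfg: str) -> Dict[str, List[str]]:
    """Audit every IKEv2 profile in a config; returns {name: findings}."""
    return {name: audit_profile(body) for name, body in parse_profiles(cfg).items()}


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        for name, findings in audit_config(cfg).items():
            status = "OK" if not findings else "FAIL"
            print(f"[{label}] {name}: {status}")
            for f in findings:
                print(f"    - {f}")
```

Run it against `show running-config | section crypto ikev2 profile` output; the opening post's profile produces two findings (no certificate requirement, single trustpoint) and the final profile produces none.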