AnyConnect IPSec: how to make rsa-sig and aaa authentication?

Yacudzer
Level 1

On my 1921 I made an SSL VPN:

aaa authorization network REMOTEAUTHOR local
...
crypto pki trustpoint VPN.RSKRES.RU-tp
...
 authorization username subjectname commonname
...

webvpn gateway webvpn-gw
 hostname myhostname.ru
 ip address a.b.c.d port 443
 http-redirect port 80
 ssl encryption aes256-sha1
 ssl trustpoint VPN.RSKRES.RU-tp
 inservice
!
webvpn context webvpn-ctx
 virtual-template 1
 aaa authentication list REMOTEAUTHEN
 gateway webvpn-gw
 authentication certificate aaa
 username-prefill
 ca trustpoint VPN.RSKRES.RU-tp
 !
 ssl encryption aes256-sha1
 ssl authenticate verify all
 inservice
 !
 policy group pol_1
   functions svc-enabled
   functions svc-required
   timeout idle 3600
   svc address-pool "REMOTE-USER-pool" netmask 255.255.255.255
   svc dpd-interval client 60
   svc dpd-interval gateway 60
   svc mtu 1300
   svc profile RemoteSSLIPSEC
   svc split dns "local"
   svc split include acl REMOTE-USER-stdacl
   svc dns-server primary 192.168.1.1
 default-group-policy pol_1

The user installs a certificate issued by my certification authority, presses "Connect", enters a password (the username is pre-filled from the CommonName field of the certificate) and AnyConnect makes the connection.

I want to connect using IPsec (IKEv2) with certificate and AAA authentication (like the SSL VPN described above). I made this config:

crypto ikev2 authorization policy REMOTE-authpol
 pool REMOTE-USER-pool
 dns 192.168.1.1
 netmask 255.255.255.255
 split-dns local
 include-local-lan
 route set access-list REMOTE-USER-stdacl
!
crypto ikev2 proposal aes256sha
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy 10
 match fvrf any
 proposal aes256sha
!
!
crypto ikev2 profile RemoteUser-ikev2prof
 match certificate REMOTE-USER-cert-map2
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint VPN.RSKRES.RU-tp
 aaa authorization group cert list REMOTEAUTHOR REMOTE-authpol
 virtual-template 102

It works, but I need additional authentication using an AAA username and password. How can I do it?
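To see at a glance which authentication methods, AAA lists and algorithms an IKEv2 configuration like the one above actually uses, here is an added Python checker (not from this thread, not Cisco code) that parses the proposal and profile sections pasted from the post; the sample string and the list of algorithms treated as weak are my assumptions.

```python
import re

# Constructed sample: the IKEv2 proposal and profile from the post above,
# embedded as a string so the script runs offline.
SAMPLE_CONFIG = """\
crypto ikev2 proposal aes256sha
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 profile RemoteUser-ikev2prof
 match certificate REMOTE-USER-cert-map2
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint VPN.RSKRES.RU-tp
 aaa authorization group cert list REMOTEAUTHOR REMOTE-authpol
 virtual-template 102
"""

# Assumed review policy: flag SHA-1/MD5 integrity and the small MODP groups.
WEAK = {"integrity": {"sha1", "md5"}, "group": {"1", "2", "5"}}

def parse_sections(text):
    """Group indented IOS sub-commands under their top-level command line."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def audit(text):
    """Per section: local/remote auth methods, AAA lines, weak algorithms."""
    report = {}
    for header, lines in parse_sections(text).items():
        findings = {"auth": {}, "aaa": [], "weak": []}
        for line in lines:
            m = re.match(r"authentication (local|remote) (\S+)", line)
            if m:
                findings["auth"][m.group(1)] = m.group(2)
            if line.startswith("aaa "):
                findings["aaa"].append(line)
            parts = line.split()
            if parts[0] in WEAK and any(p in WEAK[parts[0]] for p in parts[1:]):
                findings["weak"].append(line)
        report[header] = findings
    return report
```

Running `audit(SAMPLE_CONFIG)` shows that the profile authenticates the remote peer by rsa-sig only, with a single group-cert authorization list, and that the proposal still uses SHA-1 integrity and DH group 2.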


Hi, if you want to authenticate the user using username and password, you would define the remote authentication under the IKEv2 profile using "eap query-identity".

E.g.

crypto ikev2 profile RemoteUser-ikev2prof
 authentication remote eap query-identity
 aaa authentication eap REMOTEAUTHOR


@Rob Ingram wrote:

Hi, if you want to authenticate the user using username and password, you would define the remote authentication under the IKEv2 profile using "eap query-identity".

RJI, thank you for the reply, but I want to authenticate users using BOTH a certificate AND an AAA username.

Is it possible?

Hi, well on the Hub router the authentication method is still "authentication local rsa-sig", so the local client needs to authenticate the router by trusting the root certificate used by the Hub router, but no, I do not believe there is an option to specify that the client must authenticate using Cert & UN/PW as you can do on an ASA.

Philip D'Ath
VIP Alumni

I wrote a cookbook on how to configure AnyConnect to use IKEv2 with certificates and Suite-B cryptography on IOS. It has most of what you are wanting.

http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

To the best of my knowledge you can authenticate using certificates or username but not both.


Note that you can protect the private key using a local password.


@Philip D'Ath wrote:

To the best of my knowledge you can authenticate using certificates or username but not both.

I cannot believe it: EasyVPN uses XAuth authentication (regardless of certificate authentication); webvpn uses additional authentication (with certificates; you can see the example above, in my first message, and it works!); IKEv2 can extract the user name for AAA authentication with the command "crypto ikev2 name-mangler Mangler" and then use it in aaa authorization group etc... but it does not work correctly... I think it is possible, I just need to know how!