11-27-2018 05:34 AM - edited 03-12-2019 05:32 AM
We are trying to get AnyConnect to work with new ISR routers that run IOS-XE, but we are running our heads into walls all the time.
We found out that SSLVPN is not possible - all right.
IKEv2 should be possible, but all the configuration guides we have found do not work for us.
Does anyone have a sample config for using AnyConnect with new ISR routers, where the client end (AnyConnect) just has to supply a username and password (no certificate)?
PS: We are trying to get it to authenticate to an ISE; we don't see any problems with our policy in ISE, we think we have those "under control".
PPS: We are not security specialists :-)
/Thomas
11-27-2018 06:58 AM
In this case you should be able to configure FlexVPN, the following configuration guide includes everything you need to get it up and running:
If after implementing that configuration you are still having problems you can share a sanitized config so I can take a look.
Hope this info helps!!
Rate if it helps you!!
-JP-
12-03-2018 01:49 AM
Here's our current config (with a little info filtered out):
radius server DKTEST
!
aaa group server radius ISE
 server name DKTEST
!
!
aaa authentication login a-eap-authen group ISE
aaa authorization network a-eap-author group ISE
aaa accounting network a-eap-acc start-stop group ISE
!
crypto ikev2 name-mangler NM
 eap suffix delimiter @
!
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_AC
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author
 aaa authorization user anyconnect-eap list a-eap-author name-mangler NM
 aaa accounting anyconnect-eap a-eap-acc
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
!
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!
12-03-2018 01:58 AM
What "confused" us a bit from the sample config is the line:
aaa authorization group anyconnect-eap list a-eap-author <aaa-username>
We modded this to not include the word <aaa-username> because this did not make any sense to us.
Now we get authenticated fine on the ISE.
But right after the authentication, the router sends an authorization, and this fails.
On the ISE it fails with:
Failure Reason: 22040 Wrong password or invalid shared secret
12-10-2018 02:11 AM - edited 12-10-2018 02:13 AM
Here's our current config, and it works.
We created a case, and the solution (the one we were having the most trouble with) was to have local authorization.
This local authorization is then overwritten with the Cisco-AV-Pairs we return from the ISE, so it doesn't "do" anything, but we still need the local one in the config.
(We also removed the NM.)
------------------------
So the config now looks something like this:
------------------------
aaa authentication login a-eap-authen group ISE
aaa authorization network a-eap-author local
!
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-POOL
 aaa attribute list AAA-attr
!
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_AC
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 100
!
!
Now we just need to find out if DACLs work with this ... right now I'm not in the optimistic corner ... no documentation mentions DACL and routers with FlexVPN ... (only ASAs)
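The difference between the poster's first (failing) config and the working one above comes down to cross-references inside the IKEv2 profile: the `aaa authorization group anyconnect-eap list ...` line has to name an IKEv2 authorization policy, that policy and the AAA lists have to exist, the group list was switched to `local`, and the profile has to bind a virtual-template. As an added example that is not from the thread, Cisco, or the poster, here is a small Python lint that checks exactly those references. It assumes IOS-style one-space indentation for sub-commands; the two embedded configs are constructed abbreviations of the two posts above, not full copies.

```python
# Added example (not from the thread or from Cisco): a consistency lint for the
# AnyConnect-EAP wiring in an IOS-XE FlexVPN config. It flags a group
# authorization line with no IKEv2 policy, undefined lists/policies/templates,
# and a group authorization list that is not 'local'.
import re

# Constructed samples, abbreviated from the thread's failing and working configs.
BROKEN_CFG = """\
aaa authentication login a-eap-authen group ISE
aaa authorization network a-eap-author group ISE
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author
 aaa authorization user anyconnect-eap list a-eap-author name-mangler NM
!
interface Virtual-Template100 type tunnel
!
"""

WORKING_CFG = """\
aaa authentication login a-eap-authen group ISE
aaa authorization network a-eap-author local
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-POOL
 aaa attribute list AAA-attr
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
interface Virtual-Template100 type tunnel
!
"""

def parse_sections(cfg):
    """Split IOS-style text into top-level lines and {header: [sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' ends the current sub-mode block
        elif line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line
            sections.setdefault(line, [])
    return top, sections

def _names(lines, pattern):
    """Collect group(1) of every line matching the pattern."""
    return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}

def lint_flexvpn(cfg):
    """Return findings about the AnyConnect-EAP profile wiring; [] when consistent."""
    top, sections = parse_sections(cfg)
    authen_lists = _names(top, r"aaa authentication login (\S+)")
    author_lists = {m.group(1): m.group(2) for m in
                    map(re.compile(r"aaa authorization network (\S+) (.+)").match, top) if m}
    policies = _names(top, r"crypto ikev2 authorization policy (\S+)")
    vtemplates = _names(top, r"interface Virtual-Template(\d+)")
    findings = []
    for header, body in sections.items():
        m = re.match(r"crypto ikev2 profile (\S+)", header)
        if not m:
            continue
        prof, bound_vt = m.group(1), None
        for line in body:
            m = re.match(r"aaa authentication anyconnect-eap (\S+)$", line)
            if m and m.group(1) not in authen_lists:
                findings.append(f"{prof}: authentication list '{m.group(1)}' is not defined")
            m = re.match(r"aaa authorization group anyconnect-eap list (\S+)(?: (\S+))?$", line)
            if m:
                lst, policy = m.group(1), m.group(2)
                if lst not in author_lists:
                    findings.append(f"{prof}: authorization list '{lst}' is not defined")
                elif author_lists[lst] != "local":
                    findings.append(f"{prof}: group authorization list '{lst}' uses "
                                    f"'{author_lists[lst]}'; the thread's fix was a local list")
                if policy is None:
                    findings.append(f"{prof}: 'aaa authorization group' names no IKEv2 authorization policy")
                elif policy not in policies:
                    findings.append(f"{prof}: IKEv2 authorization policy '{policy}' is not defined")
            m = re.match(r"virtual-template (\d+)$", line)
            if m:
                bound_vt = m.group(1)
        if bound_vt is None:
            findings.append(f"{prof}: no virtual-template bound to the profile")
        elif bound_vt not in vtemplates:
            findings.append(f"{prof}: interface Virtual-Template{bound_vt} is not defined")
    return findings
```

Running `lint_flexvpn(BROKEN_CFG)` reports three findings (no IKEv2 policy on the group line, a non-local group authorization list, and no virtual-template bound to the profile), while `lint_flexvpn(WORKING_CFG)` returns an empty list. The "not local" check encodes the TAC outcome described in the post rather than a documented requirement, so treat it as a warning.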
12-10-2018 04:04 AM
12-10-2018 04:19 AM
We were also looking at zone-based firewall. We are looking at applying different VPN pools to different users from the ISE, and then doing zone-based firewall on that.
But are you saying that you dynamically apply ZBFW from the ISE to the ISR?
Do you have a document I can look at, because I cannot seem to find any.
And from your answer, I'm guessing you mean that DACLs are not supported? I'm a little confused here.
12-10-2018 05:18 AM