
Cisco ASA VPN ikev2 LDAP authentication

gabriele-lngs
Level 1

Hello,

I'm trying to configure a VPN server (Cisco FirePower 1100) for Remote Access,
using IKEv2 with PSK and LDAP for user authentication.

So far I was able to correctly set the IKEv2 part,
but the problem is that every connection is accepted,
without asking for user credentials.

My current configuration looks like this:

aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (outside) host ldap.mysite.com
 ***** hidden, but it works (tested with ikev1) *****

crypto ipsec ikev2 ipsec-proposal ipsec-proposal
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-256 sha-1

crypto dynamic-map DYNMAP 1 set ikev2 ipsec-proposal ipsec-proposal
crypto dynamic-map DYNMAP 1 set reverse-route
crypto map CMAP 1 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha512 sha256
 group 21 20 19 16 15 14
 prf sha512 sha256
 lifetime seconds 86400
crypto ikev2 enable outside

group-policy DefaultRA internal
group-policy DefaultRA attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 group-lock value DefaultRAGroup
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value def_acl

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-client-pool
 authentication-server-group MY-LDAP
 authorization-server-group MY-LDAP
 default-group-policy DefaultRA
tunnel-group DefaultRAGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

For the client testing, I'm using a Mac, with the following configuration set:
    Under Settings -> Network -> new VPN (IKEv2)
    server address = remote ID = vpn.mysite.com
    Authentication Settings -> Shared Secret = myPSK

Thank You in advance,
Gabriele
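The symptom above (the LDAP server is configured, yet nobody is ever asked for a password) can be caught from the running-config before anyone connects. The following is an added config-lint script, not Cisco code and not posted by anyone in this thread. It parses the tunnel-group blocks of an ASA configuration and flags any tunnel-group that names an authentication-server-group while its IKEv2 remote authentication contains no `eap` method. The assumption it encodes is that an IKEv2 peer that authenticates by pre-shared key (or certificate) alone is accepted without an AAA prompt, so the server group is never consulted for IKEv2; it also flags EAP groups whose local authentication is not a certificate, since ASA requires that pairing. The sample config is constructed from the lines in the post plus a hypothetical second tunnel-group `EAP-RA` and trustpoint `MY-TRUSTPOINT` for contrast.

```python
"""Config lint for Cisco ASA remote-access tunnel-groups (added example).

Assumption encoded here (not stated by the thread): an IKEv2 peer whose
remote-authentication is pre-shared-key or certificate only is accepted
without an AAA credential prompt, so authentication-server-group is
silently unused for IKEv2 unless 'eap' is among the remote methods.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the tunnel-group lines from the post, plus a
# hypothetical tunnel-group EAP-RA (and trustpoint MY-TRUSTPOINT) that
# does query the same AAA server via EAP, for contrast.
SAMPLE_CONFIG = """\
aaa-server MY-LDAP protocol ldap
aaa-server MY-LDAP (outside) host ldap.mysite.com
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-client-pool
 authentication-server-group MY-LDAP
 authorization-server-group MY-LDAP
 default-group-policy DefaultRA
tunnel-group DefaultRAGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group EAP-RA general-attributes
 authentication-server-group MY-LDAP
tunnel-group EAP-RA ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate MY-TRUSTPOINT
"""


@dataclass
class TunnelGroup:
    name: str
    auth_server_group: Optional[str] = None
    ikev2_remote_auth: Set[str] = field(default_factory=set)
    ikev2_local_auth: Set[str] = field(default_factory=set)


TG_HEADER = re.compile(r"^tunnel-group (\S+) (general-attributes|ipsec-attributes)\s*$")


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Collect the attributes we care about from each tunnel-group block.

    Indented lines belong to the most recent tunnel-group header; any
    top-level line (e.g. aaa-server, crypto map) ends the current block.
    """
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    for raw in config.splitlines():
        header = TG_HEADER.match(raw)
        if header:
            current = groups.setdefault(header.group(1), TunnelGroup(header.group(1)))
            continue
        if current is None or not raw.startswith(" "):
            current = None
            continue
        words = raw.split()
        if words[:1] == ["authentication-server-group"] and len(words) > 1:
            current.auth_server_group = words[1]
        elif words[:2] == ["ikev2", "remote-authentication"] and len(words) > 2:
            current.ikev2_remote_auth.add(words[2])  # pre-shared-key | certificate | eap
        elif words[:2] == ["ikev2", "local-authentication"] and len(words) > 2:
            current.ikev2_local_auth.add(words[2])  # pre-shared-key | certificate
    return groups


def audit(groups: Dict[str, TunnelGroup]) -> List[str]:
    """Return one finding per tunnel-group whose IKEv2 settings defeat AAA user auth."""
    findings: List[str] = []
    for tg in groups.values():
        if not tg.ikev2_remote_auth:
            continue  # no IKEv2 remote-access settings on this tunnel-group
        if tg.auth_server_group and "eap" not in tg.ikev2_remote_auth:
            findings.append(
                f"{tg.name}: authentication-server-group {tg.auth_server_group} is set, but "
                f"ikev2 remote-authentication is {sorted(tg.ikev2_remote_auth)} without eap; "
                "IKEv2 peers are never prompted for AAA credentials"
            )
        if "eap" in tg.ikev2_remote_auth and "certificate" not in tg.ikev2_local_auth:
            findings.append(
                f"{tg.name}: ikev2 remote-authentication eap requires "
                "ikev2 local-authentication certificate <trustpoint>"
            )
    return findings


if __name__ == "__main__":
    for line in audit(parse_tunnel_groups(SAMPLE_CONFIG)):
        print(line)
```

Feed it the output of `show running-config tunnel-group` (or the whole running-config; unrelated top-level lines are ignored). On the sample it reports only `DefaultRAGroup`, the configuration from the post, and stays quiet on the EAP group, which is the shape of config in which the LDAP server actually gets asked.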

4 Replies

 default-group-policy DefaultRA
 group-lock value DefaultRAGroup <<- THIS MUST CHANGE TO MATCH THE GROUP-POLICY DefaultRA 


@MHM Cisco World wrote:

 group-lock value DefaultRAGroup <<- THIS MUST CHANGE TO MATCH THE GROUP-POLICY DefaultRA

I don't fully understand.
I tried to remove this line from the configuration (`no group-lock`), but the outcome remains the same.

The outcome will be the same for any AnyConnect client that connected before; you must try a new user or clear the AnyConnect vpn-sessiondb.

I tried but still same result: I can connect without being asked for credentials.

For clarity, I'm not using AnyConnect on my client, but the macOS VPN software, under Settings -> Network -> VPN (IKEv2).