cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1313
Views
10
Helpful
6
Replies

Cisco ISR 1100 - FlexVPN Anyconnect IPsec

Patrik Nechajev
Beginner
Beginner

Hello all,

I have ISR 1100 IOS-XE 16.8.1 with FlexVPN Anyconnect via IPsec configured and i have ran into an issue of access for specific users. 

I'm using split tunneling for needed networks but how can I create user groups and allow them access to specific network?
There is nothing like username xxx attributes, vpn-filters and so on.... 
Do you have idea?

Thank you for any help.
BR,
Patrik

1 Accepted Solution

Accepted Solutions

@Patrik Nechajev well you are limited in what you can do with FlexVPN, the RADIUS option is the best.

Other options could be to use different key-id for different types of users (requires multiple anyconnect profiles), which reference a different authorisation list. Or use certificates with name mangler.

View solution in original post

6 Replies 6

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Patrik Nechajev if you use RADIUS authenticating against AD, you can authorise the users in AD groups and apply different settings such as ACL etc.

Hello Rob, sorry i forgot to mention that i'm using local database. Thank you anyway.

@Patrik Nechajev well you are limited in what you can do with FlexVPN, the RADIUS option is the best.

Other options could be to use different key-id for different types of users (requires multiple anyconnect profiles), which reference a different authorisation list. Or use certificates with name mangler.

Hello Rob, 
i have just tried key-id and different profile, it is working as expected!
Thank you very much.

BR,
Patrik

MHM Cisco World
Advisor
Advisor

can I see config ?

Sure.


!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!

!
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 1.1.1.1
route set access-list SPLIT
!
crypto ikev2 authorization policy ikev2-klient
pool ACPOOL
dns 1.1.1.1
route set access-list SPLIT2
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 14 19
!
crypto ikev2 policy IKEv2-pol
proposal IKEv2-prop1
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint Rozanka-Client
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
!
crypto ikev2 profile AnyConnect-Klient
match identity remote key-id *$klient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint Rozanka-Client
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-klient
aaa authorization user anyconnect-eap cached
virtual-template 101
!
no crypto ikev2 http-url cert
!

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
crypto ipsec profile AnyConnect-Klient
set transform-set TS
set ikev2-profile AnyConnect-Klient
!
!
interface Loopback100
ip address 10.0.0.1 255.255.255.255
!
interface Loopback101
ip address 10.0.0.2 255.255.255.255
!
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
interface Virtual-Template101 type tunnel
ip unnumbered Loopback101
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-Klient
!
!
ip local pool ACPOOL 192.168.100.5 192.168.100.50
!
ip access-list standard SPLIT
10 permit 192.168.1.0 0.0.0.255
ip access-list standard SPLIT2
10 permit 192.168.8.0 0.0.0.255
!

To distinguish clients you just need to set IKE Identity parameter in AnyConnect Profile Editor and fill correct value from match identity remote key-id. 
BR,
Patrik

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: