Cisco ISR 1100 - FlexVPN Anyconnect IPsec

Patrik Nechajev
Level 1

Hello all,

I have an ISR 1100 running IOS-XE 16.8.1 with FlexVPN AnyConnect via IPsec configured, and I have run into an issue with access for specific users.

I'm using split tunneling for the needed networks, but how can I create user groups and allow them access to a specific network?
There is nothing like username xxx attributes, vpn-filters and so on.
Do you have any ideas?

Thank you for any help.
BR,
Patrik

6 Replies

@Patrik Nechajev if you use RADIUS authenticating against AD, you can authorise the users in AD groups and apply different settings such as ACL etc.

Hello Rob, sorry I forgot to mention that I'm using the local database. Thank you anyway.

@Patrik Nechajev well you are limited in what you can do with FlexVPN, the RADIUS option is the best.

Other options could be to use different key-id for different types of users (requires multiple anyconnect profiles), which reference a different authorisation list. Or use certificates with name mangler.

Hello Rob,
I have just tried the key-id and a different profile, and it is working as expected!
Thank you very much.

BR,
Patrik

Can I see the config?

Sure.

!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 dns 1.1.1.1
 route set access-list SPLIT
!
crypto ikev2 authorization policy ikev2-klient
 pool ACPOOL
 dns 1.1.1.1
 route set access-list SPLIT2
!
crypto ikev2 proposal IKEv2-prop1
 encryption aes-cbc-256
 integrity sha256
 group 14 19
!
crypto ikev2 policy IKEv2-pol
 proposal IKEv2-prop1
!
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint Rozanka-Client
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 100
!
crypto ikev2 profile AnyConnect-Klient
 match identity remote key-id *$klient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint Rozanka-Client
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-klient
 aaa authorization user anyconnect-eap cached
 virtual-template 101
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
crypto ipsec profile AnyConnect-Klient
 set transform-set TS
 set ikev2-profile AnyConnect-Klient
!
!
interface Loopback100
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback101
 ip address 10.0.0.2 255.255.255.255
!
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!
interface Virtual-Template101 type tunnel
 ip unnumbered Loopback101
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-Klient
!
!
ip local pool ACPOOL 192.168.100.5 192.168.100.50
!
ip access-list standard SPLIT
 10 permit 192.168.1.0 0.0.0.255
ip access-list standard SPLIT2
 10 permit 192.168.8.0 0.0.0.255
!

To distinguish clients you just need to set the IKE Identity parameter in the AnyConnect Profile Editor and fill in the correct value from match identity remote key-id.
BR,
Patrik
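Added example, not code from this thread: a small Python check that follows the chain in the posted configuration (IKEv2 profile, authorization policy, route-set ACL) to show which split-tunnel networks each key-id pattern receives, and reports profiles that authenticate against the same list. The sample config below is a constructed excerpt of the one posted above; because both profiles use the same local authentication list, which policy a client gets is decided by the key-id in its AnyConnect profile rather than by the user account, so that is worth reviewing when auditing such a setup.

```python
# Constructed sample: the lines of the posted config that drive the key-id mapping.
IOS_CONFIG = """\
crypto ikev2 authorization policy ikev2-auth-policy
 route set access-list SPLIT
crypto ikev2 authorization policy ikev2-klient
 route set access-list SPLIT2
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
crypto ikev2 profile AnyConnect-Klient
 match identity remote key-id *$klient$*
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-klient
ip access-list standard SPLIT
 10 permit 192.168.1.0 0.0.0.255
ip access-list standard SPLIT2
 10 permit 192.168.8.0 0.0.0.255
"""

def sections(config):
    """Group an IOS config into (header words, [sub-line words]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and line.strip():
            blocks[-1][1].append(line.split())      # indented line belongs to the last block
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.split(), []))      # new top-level block
    return blocks

def keyid_map(config):
    """Resolve each key-id pattern to (authentication list, split-tunnel networks)."""
    policies, acls, profiles = {}, {}, {}
    for head, body in sections(config):
        if head[:4] == ["crypto", "ikev2", "authorization", "policy"]:
            policies[head[4]] = [b[-1] for b in body if b[:2] == ["route", "set"]]
        elif head[:3] == ["ip", "access-list", "standard"]:
            acls[head[3]] = [" ".join(b[b.index("permit") + 1:]) for b in body if "permit" in b]
        elif head[:3] == ["crypto", "ikev2", "profile"]:
            profiles[head[3]] = {" ".join(b[:3]): b[-1] for b in body}  # "aaa authorization group" -> policy
    out = {}
    for p in profiles.values():  # profile -> authorization policy -> route-set ACL -> permit entries
        nets = [n for acl in policies.get(p.get("aaa authorization group"), []) for n in acls.get(acl, [])]
        out[p.get("match identity remote")] = (p.get("aaa authentication anyconnect-eap"), nets)
    return out

def shared_authn_lists(mapping):
    """Authentication lists used by more than one key-id: the policy is then chosen by the key-id."""
    lists = [authn for authn, _ in mapping.values()]
    return sorted({l for l in lists if lists.count(l) > 1})
```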