I'm setting up a FlexVPN tunnel between 2 routers:
Server router: CSR 1000v hosted on AZURE
Edge router: IR809g
At the moment, the tunnel is OK with local authentication, but I would like to enable AAA authentication with my Azure AD.
Is it possible? How can I do it?
@a.feniello Site-to-Site VPN authentication typically uses pre-shared keys or certificates. You can use AAA for authorisation against a RADIUS server; there is no documentation for Azure AD. With the AnyConnect client you've got a user interacting to enter the authentication credentials; you don't with a router.
What is your goal here, why do you need to use Azure AD for a router to router Site-to-Site VPN?
@a.feniello OK, for the routers you should use PSK or certificates for authentication.
For the AnyConnect clients you can probably use Azure AD (no guides) https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius
Tbh, using an ASA for Remote Access VPN is preferred over FlexVPN.
@a.feniello Well, looking at the guide provided previously, you install a Windows Server with the NPS role and then install the Azure AD Multi-Factor Authentication NPS extension on the Windows NPS server. This NPS server authenticates a user's credentials against Active Directory, and then sends the Multi-Factor Authentication request to Azure.
The NPS server acts as the RADIUS server for the FlexVPN router.
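As an added example (not posted by either participant in this thread), here is the RADIUS side of the FlexVPN router configuration that goes with the IKEv2 profile: the login and network lists the profile refers to, pointed at the NPS server. The NPS address 10.1.0.10, the shared secret, the source interface, the pool, the DNS server and the policy name ACVPN-POLICY are assumptions for illustration.

```ios
! Added example, not from the thread. The NPS address, shared secret,
! interface, pool, DNS server and policy name are assumptions.
aaa new-model
!
! The Windows NPS server (with the Azure AD MFA extension) as a RADIUS server.
! The MFA push/phone prompt takes longer than a plain password check, so the
! RADIUS timeout is raised (60 s here, an assumption) and retransmits are kept
! low so the user does not receive duplicate MFA prompts.
radius server NPS
 address ipv4 10.1.0.10 auth-port 1812 acct-port 1813
 key NpsSharedSecret-CHANGE-ME
 timeout 60
 retransmit 1
!
aaa group server radius NPS-GROUP
 server name NPS
!
! Login list referenced by "aaa authentication anyconnect-eap AnyConnect"
! in the IKEv2 profile: user credentials are sent to NPS.
aaa authentication login AnyConnect group NPS-GROUP
!
! Network list referenced by "aaa authorization group anyconnect-eap list AnyConnect":
! group attributes (pool, DNS, routes) come from the local policy below.
aaa authorization network AnyConnect local
!
! Send RADIUS from a fixed address so it matches the "RADIUS client" entry
! configured on NPS (same address and same shared secret).
ip radius source-interface GigabitEthernet1
!
ip local pool ACVPN-POOL 10.200.0.10 10.200.0.250
!
! Reference this policy by name in the profile, e.g.
!   aaa authorization group anyconnect-eap list AnyConnect ACVPN-POLICY
crypto ikev2 authorization policy ACVPN-POLICY
 pool ACVPN-POOL
 dns 10.1.0.5
 route set interface
```

Two things to check on the NPS side against this: the RADIUS client entry must use the router's source address and the same shared secret, and the Network Policy's authentication constraints must allow unencrypted authentication (PAP), because the router relays the AnyConnect-EAP username and password to NPS as PAP, which is also what the NPS event in the question shows under "Authentication Type".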
@Rob Ingram Hi, I set up a VM which is running as an NPS server and registered it with the AD DC.
Now the problem is that if I attempt to connect through AnyConnect, this error occurs:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: radius.*****.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
In the NPS server settings I allowed all the available authentication methods as constraints, and this is the IKEv2 profile configured on the CSR1000v:
crypto ikev2 profile ******_VPN_Any
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint IOSCA
 aaa authentication anyconnect-eap AnyConnect
 aaa authorization group anyconnect-eap list AnyConnect
 reconnect timeout 600
 anyconnect profile acvpn
Can you help me?