04-01-2022 03:23 AM
Hello,
I'm setting up a FlexVPN tunnel between 2 routers:
Server router: CSR 1000v hosted on AZURE
Edge router: IR809g
At the moment, the tunnel is ok with local authentication but i would like to enable AAA authentication with my Azure AD.
Is it possible? How can I do it?
04-01-2022 03:46 AM
@a.feniello for a Site-to-Site VPN between 2 routers, no.
Azure AD would generally be used for authentication of remote access VPN clients.
04-01-2022 04:09 AM
@Rob Ingram thanks for your reply.
So basically, with Flex VPN I can set up a tunnel between 2 routers just like a Site-to-Site IPSEC but using only local authentication?
Can't the edge router act as a simple vpn client just like it does with AnyConnect?
04-01-2022 04:15 AM
@a.feniello a Site-to-Site VPN authentication typically uses pre-shared key or certificates. You can use AAA for authorisation to a RADIUS server, there is no documentation for Azure AD. With the AnyConnect client you've got a user interacting to enter the authentication credentials, you don't with a router.
What is your goal here, why do you need to use Azure AD for a router to router Site-to-Site VPN?
04-01-2022 04:26 AM
I would need to deploy multiple tunnels using Flex VPN and a single hub hosted on Azure.
The clients that will connect to the hub/router are of two types:
- Cisco IR809g router
- Windows clients with AnyConnect
Authentication for both needs to be done through Azure AD.
04-01-2022 04:33 AM
@a.feniello ok, for the routers you should use PSK or certificates for authentication.
For the AnyConnect clients you can probably use Azure AD (no guides) https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius
Tbh, using ASA for Remote Access VPN is preferred over FlexVPN.
04-05-2022 03:05 AM
@Rob Ingram so, I should create a VM as Domain Controller where I install Azure AD Connect to connect it to the AD running.
The router/hub will point to the private IP address in order to forward AAA requests. Right?
04-05-2022 08:54 AM - edited 04-05-2022 08:54 AM
@a.feniello well looking at that guide previously provided, you install a Windows Server with the NPS role and then install the Azure AD Multi-Factor Authentication NPS extension on the Windows NPS server. This NPS server authenticates a user’s credentials against Active Directory, and then sends the Multi-Factor Authentication request to Azure.
The NPS server acts as the RADIUS server for the FlexVPN router.
04-12-2022 01:18 AM
@Rob Ingram Hi, I set up a VM which is running as an NPS server and registered it to the AD DC.
Now the problem is that if I attempt to connect through AnyConnect, this error occurs:
Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: radius.*****.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
In the NPS server settings I allowed all the available authentication methods as constraints and this is the ikev2 profile configured on the CSR1000v:
crypto ikev2 profile ******_VPN_Any
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint IOSCA
 aaa authentication anyconnect-eap AnyConnect
 aaa authorization group anyconnect-eap list AnyConnect
 virtual-template 3
 reconnect timeout 600
 anyconnect profile acvpn
Can you help me?
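Added example (not configuration from this thread, from Cisco or from Microsoft): the AAA and RADIUS side that the IKEv2 profile above depends on, following the NPS-as-RADIUS-server design described earlier in the thread. The profile references two AAA lists named AnyConnect, so those lists and the RADIUS server group they use have to exist on the CSR1000v. The NPS address 10.0.1.10, the shared secret, the source interface GigabitEthernet1 and the names NPS-AZURE / NPS-GROUP are assumptions; replace them with your own. The last line is a verification command to run from exec mode, not configuration.

```cisco
! Hypothetical AAA/RADIUS configuration for the CSR1000v hub (added example).
! Assumptions: NPS server at 10.0.1.10, shared secret NPS-SHARED-SECRET,
! RADIUS traffic sourced from GigabitEthernet1.
aaa new-model
!
radius server NPS-AZURE
 address ipv4 10.0.1.10 auth-port 1812 acct-port 1813
 key NPS-SHARED-SECRET
 ! The IOS default RADIUS timeout is 5 seconds; an MFA prompt handled by the
 ! Azure AD NPS extension takes longer than that, so give NPS time to answer.
 timeout 60
 retransmit 1
!
aaa group server radius NPS-GROUP
 server name NPS-AZURE
 ip radius source-interface GigabitEthernet1
!
! Lists referenced by the IKEv2 profile:
!   aaa authentication anyconnect-eap AnyConnect   -> login list "AnyConnect"
!   aaa authorization group anyconnect-eap list AnyConnect -> network list "AnyConnect"
! The username/password the AnyConnect client supplies via anyconnect-eap is
! forwarded to NPS as a PAP Access-Request, which matches the
! "Authentication Type: PAP" shown in the NPS log above.
aaa authentication login AnyConnect group NPS-GROUP
aaa authorization network AnyConnect local
!
! Verification from exec mode (not configuration): sends a PAP Access-Request
! to the group with the given test credentials and reports accept/reject, so
! the RADIUS path and shared secret can be checked independently of IKEv2.
! test aaa group NPS-GROUP testuser testpassword new-code
```

If the test command reports a reject while the same user can log on to the domain, compare the NPS event's "Network Policy Name" field (shown as "-" in the log above, meaning no network policy matched) and the client entry's shared secret on the NPS side before touching the IKEv2 profile; if NPS never logs the request at all, the packet is not reaching it (address, source interface or an NSG between the router and the VM).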