04-01-2022 03:23 AM
Hello,
I'm setting up a FlexVPN tunnel between 2 routers:
Server router: CSR 1000v hosted on AZURE
Edge router: IR809g
At the moment, the tunnel is OK with local authentication, but I would like to enable AAA authentication with my Azure AD.
Is it possible? How can I do it?
04-01-2022 03:46 AM
@angelito_mas for a Site-to-Site VPN between 2 routers, no.
Azure AD would generally be used for authentication of remote access VPN clients.
04-01-2022 04:09 AM
@Rob Ingram thanks for your reply.
So basically, with Flex VPN I can set up a tunnel between 2 routers just like a Site-to-Site IPSEC but using only local authentication?
Can't the edge router act as a simple VPN client, just like it does with AnyConnect?
04-01-2022 04:15 AM
@angelito_mas a Site-to-Site VPN authentication typically uses pre-shared key or certificates. You can use AAA for authorisation to a RADIUS server, there is no documentation for Azure AD. With the AnyConnect client you've got a user interacting to enter the authentication credentials, you don't with a router.
What is your goal here, why do you need to use Azure AD for a router to router Site-to-Site VPN?
04-01-2022 04:26 AM
I would need to deploy multiple tunnels using Flex VPN and a single hub hosted on Azure.
The clients that will connect to the hub/router are of two types:
- Cisco IR809g router
- Windows clients with AnyConnect
Authentication for both needs to be done through Azure AD.
04-01-2022 04:33 AM
@angelito_mas ok, for the routers you should use PSK or certificates for authentication.
For the AnyConnect clients you can probably use Azure AD (no guides) https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius
Tbh, using ASA for Remote Access VPN is preferred over FlexVPN.
04-05-2022 03:05 AM
@Rob Ingram so, I should create a VM as Domain Controller where I install Azure AD Connect to connect it to the AD running.
The router/hub will point to the private IP address in order to forward AAA requests. Right?
04-05-2022 08:54 AM - edited 04-05-2022 08:54 AM
@angelito_mas well looking at that guide previously provided, you install a Windows Server with the NPS role and then install the Azure AD Multi-Factor Authentication NPS extension on the Windows NPS server. This NPS server authenticates a user’s credentials against Active Directory, and then sends the Multi-Factor Authentication request to Azure.
The NPS server acts as the RADIUS server for the FlexVPN router.
04-12-2022 01:18 AM
@Rob Ingram Hi, I set up a VM which is running as an NPS server and registered it to the AD DC.
Now the problem is that if I attempt to connect through AnyConnect, this error occurs:
Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: radius.*****.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
In the NPS server settings I allowed all the available authentication methods as constraints and this is the ikev2 profile configured on the CSR1000v:
crypto ikev2 profile ******_VPN_Any
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IOSCA
aaa authentication anyconnect-eap AnyConnect
aaa authorization group anyconnect-eap list AnyConnect
virtual-template 3
reconnect timeout 600
anyconnect profile acvpn
Can you help me?
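Added example, not code from the thread or from Cisco: a small Python triage script that parses NPS "Authentication Details" blocks in the layout quoted above and counts denials per connection request policy, authentication type and reason code, flagging events where no network policy was recorded (the "-" seen with Reason Code 16). The sample events are constructed, and the assumption that only denied events carry a "Reason Code" line is mine.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread (two denials, one grant).
# Assumption: only denied events carry "Reason Code"/"Reason" lines.
SAMPLE_EVENTS = """\
Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Type: PAP
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Type: PAP
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: AnyConnect-Users
Authentication Type: PAP
"""

def parse_nps_events(text):
    """Split text into event bodies and parse each 'Key: Value' line.
    Only the first ': ' separates key from value, so 'Reason' may contain colons."""
    events = []
    for body in re.split(r"^Authentication Details:[ \t]*\n", text, flags=re.M)[1:]:
        fields = {}
        for line in body.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def summarize_denials(events):
    """Count denied events per (request policy, auth type, reason code, network policy).
    Events without a Reason Code are treated as granted; '-' means no policy was recorded."""
    counts = Counter()
    for ev in events:
        code = ev.get("Reason Code")
        if code is None or code == "0":
            continue
        policy = ev.get("Network Policy Name", "?")
        counts[(ev.get("Connection Request Policy Name", "?"),
                ev.get("Authentication Type", "?"), code,
                "no-network-policy" if policy == "-" else policy)] += 1
    return dict(counts)
```

Feed it the text of several exported NPS events and the counter shows at a glance whether denials cluster on one policy or authentication type (here PAP, which is what the router presents on behalf of the AnyConnect user).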