Showing results for 
Search instead for 
Did you mean: 

FlexVPN and Azure AD



i m setting up a flex vpn tunnel between 2 routers:


Server router: CSR 1000v hosted on AZURE

Edge router: IR809g


At the moment, the tunnel is ok with local authentication but i would like to enable AAA authentication with my Azure AD.

It is possibile? How can i do?

8 Replies 8

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@a.feniello for a Site-to-Site VPN between 2 routers, no.

Azure AD would generally be used for authentication of remote access VPN clients.

@Rob Ingram thanks for your reply.


So basically, with Flex VPN I can set up a tunnel between 2 routers just like a Site-to-Site IPSEC but using only local authentication?


Can't the edge router act as a simple vpn client just like it does with AnyConnect?

@a.feniello a Site-to-Site VPN authentication typically uses pre-shared key or certificates. You can use AAA for authorisation to a RADIUS server, there is no documentation for Azure AD. With the AnyConnect client you've got a user interacting to enter the authentication credentials, you don't with a router.


What is your goal here, why do you need to use Azure AD for a router to router Site-to-Site VPN?

I would need to deploy multiple tunnels using Flex VPN and a single hub hosted on Azure.
The clients that will connect to the hub/router are of two types:

- Cisco IR809g router
- Windows clients with Any Connect

Authentication for both needs to be done through Azure AD.

@a.feniello ok, for the routers you should use PSK or certificates for authentication.

For the AnyConnect clients you can probably use Azure AD (no guides)


Tbh, using ASA for Remote Access VPN is preferred over FlexVPN.

@Rob Ingram so, I should create a VM as Domain Controller where I install Azure AD Connect to connect it to the AD running.

The router/hub will point to the private IP address in order to forward AAA requests. Right?

@a.feniello well looking at that guide previously provided, you install a Windows Server with the NPS role and then install the Azure AD Multi-Factor Authentication NPS extension on the Windows NPS server. This NPS server authenticates a user’s credentials against Active Directory, and then sends the Multi-Factor Authentication request to Azure.


The NPS server acts as the RADIUS server for the FlexVPN router.

@Rob Ingram Hi, i set up a vm which is running as nps server and registered it to the AD DC.

Now the problem is that if I attempt to connect through AnyConnect, it occurs this error:

Authentication Details:
Connection Request Policy Name: FlexVPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: radius.*****.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 In the NPS server settings I allowed all the available authentication methods as constraints and this is the ikev2 profile configured on the CSR1000v:


crypto ikev2 profile ******_VPN_Any
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IOSCA
aaa authentication anyconnect-eap AnyConnect
aaa authorization group anyconnect-eap list AnyConnect
virtual-template 3
reconnect timeout 600
anyconnect profile acvpn

Can you help me?


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers