04-05-2019 05:29 AM
I'm planning to test IKEv2 AnyConnect mutual RSA signature. I would like the remote client to be authorized using Microsoft NPS (RADIUS server), but I can't find any documents showing how to configure the NPS.
How do I configure the group definition on NPS?
I read something about a Cisco password; how do I set that on NPS?
Any help would be appreciated.
Thanks
04-05-2019 07:08 AM
Yes there is little information regarding configuring FlexVPN with RADIUS, in particular NPS.
You will need to create a "connection request policy" that matches the condition of the username, the username is the value you extract using the name-mangler. Create additional policies for each value extracted using the name-mangler.
Define Vendor specific RADIUS attributes, this will be cisco-AV-pair - at a minimum you will need to define a VPN Pool.
ipsec:addr-pool=VPN_POOL_NAME
HTH
04-05-2019 10:14 AM - edited 04-05-2019 10:28 AM
I have created a group called ENG.
In the client certificate subject, the OU is set to ENG.
Crypto ikev2 name-mangler NMGLR
Dn organization-unit
exit
!
crypto ikev2 profile RSA-PROFILE
identity local fqdn EDGE.homelab.com
match certificate Cert-MAP
Authentication remote rsa-sig
Authentication local rsa-sig
pki trustpoint Trusted-CA
aaa authorization group cert list RA-Author name-mangler NMGLR
Virtual-template 1
Exit
Here's my NPS config:
But now I'm facing another problem: AAA group authorization failed.
You can find the output of debug crypto ikev2 inside the txt file.
debug aaa authorization:
*Apr 5 17:27:24.160: AAA/BIND(00000018): Bind i/f
*Apr 5 17:27:24.160: AAA/AUTHOR (0x18): Invalid method list id=0x0
04-06-2019 02:17 AM
Thanks for your reply.
Here's how my configuration looks:
Conf t
aaa new-model
!
# NEW RADIUS CONFIG
RADIUS SERVER FLEX-VPN-RAD
ADDRESS IPV4 10.22.0.10
key cisco@123
timeout 7
retransmit 10
exit
!
aaa group server radius NPS-LAB
SERVER NAME FLEX-VPN-RAD
exit
!
aaa authorization network RA-Authen group NPS-LAB
!
no crypto ikev2 http-url cert
ip local pool FlexVPN-Pool 10.55.0.100 10.55.0.200
# PROPOSAL
crypto ikev2 proposal PROPOSAL-LAB
encryption aes-cbc-256
integrity sha1
group 14
exit
!
#POLICY
crypto ikev2 policy POLICY-LAB
proposal PROPOSAL-LAB
match fvrf any
exit
# TRANSFORM SET
crypto ipsec transform-set SET-LAB esp-aes 256 esp-sha-hmac
mode tunnel
exit
!
#CRYPTO MAP
Crypto pki certificate map Cert-MAP 10
Issuer-name co homelab-INT
Exit
# NAME MANGLER
Crypto ikev2 name-mangler NMGLR
Dn organization-unit
exit
!
crypto ikev2 profile RSA-PROFILE
identity local fqdn EDGE.homelab.com
match certificate Cert-MAP
Authentication remote rsa-sig
Authentication local rsa-sig
pki trustpoint Trusted-CA
aaa authorization group cert list RA-Author name-mangler NMGLR
Virtual-template 1
Exit
#IPsec PROFILE
crypto ipsec profile IPsec-RA-Profile
set transform-set SET-LAB
set ikev2-profile RSA-PROFILE
exit
# DVTI
Interface virtual-Template1 type Tunnel
Ip unnumbered ether 0/0
Tunnel mode ipsec ipv4
tunnel protection ipsec profile IPsec-RA-Profile
NPS server:
I created a client that refers to my EDGE router.
Then I created a connection request policy with Client Friendly Name referring to EDGE and the NAS IPv4 address.
Then I created a network policy as shown here:
But now I'm facing another problem related to the AAA authorization:
*Apr 6 09:08:24.015: Domain: query for www.internal-pki.com type 1 to 10.22.0.10Reply received ok
*Apr 6 09:08:24.031: %PKI-6-PKI_CRL_DOWNLOADED: CRL download notification sent for Issuer = cn=homelab-INT-PKI-CA,dc=homelab,dc=com.
EDGE#
*Apr 6 09:08:24.034: AAA/BIND(0000000D): Bind i/f
*Apr 6 09:08:24.034: AAA/AUTHOR (0xD): Invalid method list id=0x0
You can find a text file containing the output of debug crypto ikev2.
04-06-2019 02:44 AM
Authorization appears to be failing, you are referencing a different method list.
*Apr 5 17:04:48.134: IKEv2:Using mlist RA-Author and username ENG for group author request
*Apr 5 17:04:48.134: IKEv2-ERROR:AAA group author request failed
*Apr 5 17:04:48.134: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed
aaa authorization network RA-Authen group NPS-LAB
crypto ikev2 profile RSA-PROFILE
aaa authorization group cert list RA-Author name-mangler NMGLR
On the NPS server, you don't need to authenticate, you are just using NPS to authorize. Change User Group to Username value, it's just used to match the incoming request to the correct policy.
04-06-2019 11:12 AM
What do you mean by "change User Group to Username value"?
Create a user called ENG instead of a group?
04-06-2019 11:32 AM
The value extracted from the OU with the name-mangler in your scenario is ENG - this is sent to the RADIUS server as the Username. Therefore you need to use the condition "User Name" in the NPS policy.
Connection requests with the OU of ENG will match that condition in the policy and then return the cisco-av-pair you define.
04-07-2019 09:44 AM
I would like to know why the recent replies have been deleted, and why it's now showing me "access denied" when I click on your reply from my email.
Would you please point me to the official Cisco documents addressing IKEv2 AnyConnect with Microsoft NPS?
12-04-2019 10:52 AM - edited 12-04-2019 10:55 AM
Here is a mistake:
aaa authorization network RA-Authen group NPS-LAB
it must be:
aaa authorization network RA-Author group NPS-LAB
in case of: aaa authorization group cert list RA-Author name-mangler NMGLR
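The mismatch pointed out above (the profile names list RA-Author, but only RA-Authen is defined) is easy to catch mechanically before debugging. The script below is an added example, not code from this thread; it parses a constructed excerpt of the configuration posted above and reports any IKEv2 profile whose authorization list name has no matching "aaa authorization network" definition.

```python
import re
from typing import Dict, List

# Constructed excerpt of the posted IOS configuration, keeping the RA-Authen / RA-Author mismatch.
SAMPLE_CONFIG = """
aaa new-model
aaa authorization network RA-Authen group NPS-LAB
crypto ikev2 profile RSA-PROFILE
 identity local fqdn EDGE.homelab.com
 match certificate Cert-MAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 aaa authorization group cert list RA-Author name-mangler NMGLR
 virtual-template 1
"""

def defined_method_lists(config: str) -> Dict[str, str]:
    """Map each 'aaa authorization network <list> group <grp>' name to its server group."""
    pat = re.compile(r"^\s*aaa authorization network (\S+) group (\S+)", re.I | re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(config)}

def referenced_method_lists(config: str) -> Dict[str, str]:
    """Map each IKEv2 profile to the list named in its 'aaa authorization group ... list' line."""
    refs: Dict[str, str] = {}
    profile = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev2 profile (\S+)", line, re.I)
        if m:
            profile = m.group(1)
            continue
        if not line.startswith(" "):
            profile = None  # an unindented line means we left the profile sub-mode
            continue
        m = re.match(r"^\s*aaa authorization group (?:cert|psk|eap) list (\S+)", line, re.I)
        if m and profile:
            refs[profile] = m.group(1)
    return refs

def check_method_lists(config: str) -> List[str]:
    """Return one finding per profile whose list is undefined; an empty list means consistent."""
    defined = defined_method_lists(config)
    findings = []
    for profile, lst in referenced_method_lists(config).items():
        if lst not in defined:
            hint = ", ".join(sorted(defined)) or "none"
            findings.append(f"profile {profile} references list {lst!r} but defined lists are: {hint}")
    return findings
```

Running the check on the excerpt flags RSA-PROFILE; renaming the network list to RA-Author clears it, which matches the fix given in the reply above.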