06-21-2017 02:01 AM - edited 02-21-2020 09:19 PM
I want to implement Site-to-Site FlexVPN with ACS to control [allow/not allow] access from spoke.
Is that possible? Can anyone help me with configuration?
Story:
The customer is using Site-to-Site EzVPN with ACS for the existing network.
Since EzVPN uses user authentication,
they can control [allow/not allow] a spoke by enabling/disabling the user in ACS.
Now I am going to propose new hardware (IR829 and ISR4321) which does not support EzVPN,
so I go with FlexVPN.
The customer wants to control spokes the same way they used before. They don't want to use CLI.
Is that possible? Can anyone help me with configuration?
06-22-2017 07:51 PM
No one has replied yet, so I'll tell you what I do.
I usually configure the head end (ISR4321 in your case) as a certificate server, and use that to issue certificates to the spoke. If you want to stop a spoke connecting you then revoke its certificate. However there is no GUI for doing this.
You could potentially deploy a Windows Server as your certificate server. This would then allow you to use the GUI of the Certificate Manager to revoke spoke certificates. Note that getting FlexVPN working using Microsoft Certificate Server is a lot more work and I would only wish it on my worst enemy.
I wrote this guide for using Cisco AnyConnect IKEv2 with an IOS router. However FlexVPN also uses IKEv2, so a lot of the certificate stuff is very similar. Note that this guide is using strong Suite-B cryptography.
http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html
06-23-2017 02:20 AM
From what I read, there is FlexVPN AAA.
Not sure if this feature can add more commands, like a static route, after successful authorization?
Is this possible to do with ACS?
06-25-2017 03:27 AM
Yes, FlexVPN can do central AAA with ACS/ISE. The AAA server can authorise (or not) each spoke router, push down multiple attributes such as routes, ACL, VRF, QoS policies etc.
HTH
06-25-2017 08:19 PM
Do you have example configuration?
Does it need to use certificates for authentication between spoke and hub?
Does the spoke need to have direct access to ACS? Or will the hub forward the authentication packets to ACS?
06-29-2017 11:45 AM
Sorry, no I don't have a full working config to hand.
Not sure if you can only use certificates, but when I played around with it I was using certificates. Using the name mangler command you can extract, say, the OU attribute (you can select various attributes if you wish) from a certificate and match that in an authorization rule on ACS/ISE.
If you want different settings per type of spoke, just configure a different OU value in the spoke router's certificate (or whatever value you specify in the name mangler) and then match the attribute in the authorization rule to push the desired settings to the routers.
The Hub will act as a proxy, so ACS/ISE will see the request from the Hub and not the spoke.
07-02-2017 09:04 AM
Here is a working example config, from the hub with certificate authentication. Whatever value you extract using the name-mangler is what you'll need to match against on the RADIUS server.
radius server ISE1
 address ipv4 192.168.X.X auth-port 1812 acct-port 1813
 key Cisco1234
!
aaa new-model
!
aaa group server radius ISE
 server name ISE1
!
aaa authorization network FLEX group ISE
aaa accounting network FLEX start-stop group ISE
!
crypto pki certificate map CERT_MAP 5
 issuer-name co lab-pki-ca
!
crypto ikev2 name-mangler FLEX_NM
 dn common-name
!
crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint PKI_ROOT
 aaa authorization user cert list FLEX name-mangler FLEX_NM password Cisco1234
 aaa accounting cert FLEX
 virtual-template 1
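To make the hub-side flow in the config above concrete, here is an added Python model (not code from the thread or from Cisco) of what the name-mangler extracts from the spoke certificate and how the RADIUS server then decides allow/not allow. The DN strings, the ACS user table and the AV pair string are constructed; the `dn <field>` keyword subset and the AV pair format are assumptions.

```python
"""Model of FlexVPN hub certificate AAA: name-mangler -> RADIUS username -> accept/reject.
Added illustration only; the spoke DNs and ACS user store below are constructed."""
from dataclasses import dataclass

# IOS 'dn <field>' name-mangler keywords -> DN attribute (subset; assumed sufficient here).
DN_FIELDS = {"common-name": "CN", "organization-unit": "OU", "organization": "O", "country": "C"}

# Constructed ACS user store. The customer enables/disables a user here instead of using the CLI.
# The AV pair string shows the kind of attribute ACS can push to the hub (format assumed).
ACS_USERS = {
    "Router2.test.com": {"enabled": True, "password": "Cisco1234",
                         "avpairs": ["ipsec:route-set=prefix 10.20.0.0/24"]},
    "Router3.test.com": {"enabled": False, "password": "Cisco1234", "avpairs": []},
}

def parse_dn(dn):
    """Split a 'CN=x,OU=y,...' certificate subject string into {attribute: value}."""
    return {k.strip().upper(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(","))}

def mangle(dn, mangler):
    """Emulate 'crypto ikev2 name-mangler' with 'dn <field>': return the extracted value."""
    return parse_dn(dn).get(DN_FIELDS[mangler], "")

def radius_authorize(username, password):
    """Model ACS: Access-Accept with AV pairs only for an enabled user with the right password."""
    user = ACS_USERS.get(username)
    if user is None or not user["enabled"] or user["password"] != password:
        return "Access-Reject", []
    return "Access-Accept", list(user["avpairs"])

def hub_authorize(spoke_dn, mangler="common-name", profile_password="Cisco1234"):
    """Hub side: the hub proxies the request (ACS sees the hub as NAD, not the spoke), using
    the mangled identity as username and the 'password' from the ikev2 profile."""
    identity = mangle(spoke_dn, mangler)
    if not identity:
        return "Access-Reject", []   # nothing to send; IKEv2 authorization fails on the hub
    return radius_authorize(identity, profile_password)

if __name__ == "__main__":
    for dn in ("CN=Router2.test.com,OU=branch-small,O=test,C=NZ",
               "CN=Router3.test.com,OU=branch-large,O=test,C=NZ"):
        print(dn, "->", hub_authorize(dn))
```

Switching the mangler to `organization-unit` sends `branch-small` as the username instead, which is why the ACS rule must match whatever field the name-mangler is configured to extract.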
07-02-2017 08:05 PM
Could you please share ISE screenshot?
I managed to do local AAA with certificates, but when I try to use ACS the VPN never comes up.
07-04-2017 05:29 AM
Do you see any errors on ACS? Is it even attempting to communicate with ACS?
Make sure you've only configured AAA authorization on the hub.
07-04-2017 09:56 PM
From ACS, I didn't see any RADIUS authentication.
Am I missing something in the configuration?
I set username Router2.test.com with password Cisco1234.
I've attached the configuration from my lab.
Could you please help verify?
Router1 is the hub and the IOS CA for certificates.
Router2 is the spoke.
Note: If I change
aaa authorization user cert list FLEX name-mangler FLEX_NM password Cisco1234
to
aaa authorization group cert list AUTHOR policy-1 local
then everything works.
ACS is working fine for other authentication services.
07-04-2017 10:58 PM
This guide is not quite what you want - but it does include a lot of the bits you are asking about.
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html
07-05-2017 12:55 PM
Is the radius server UP on the hub? - show aaa servers
Is the hub defined as a NAD on ACS?