Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1626
Views
0
Helpful
3
Replies

FlexVPN with certificate-based AAA authentication on IR829 clients routers

Antho_Balitrand
Level 1
Level 1

‎06-20-2019 12:07 AM - edited ‎02-21-2020 09:41 PM

Hello dear CISCO community ! 

 

I need some help regarding FlexVPN configuration. 

I have a "central" router used as a VPN concentrator for several IR829 routers (4G mobile routers). 

Those routers use rsa-sig authentication on their ikev2 profile. The certificate is then checked by our "central" router. 

 

I would ilke to offload the authentication for those FlexVPN on ISE. I saw several configuration examples for anyconnect authentication, but not for client routers using certificates. 

Could you help? 

 

 

Anthony 

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎06-20-2019 12:24 AM

Hi,

RADIUS would be used for Authorization, authentication of certificates would still be between routers. This example here shows the configuration of FlexVPN routers and ISE for authorization.

 

HTH

0 Helpful

Antho_Balitrand
Level 1
Level 1
In response to Rob Ingram

‎06-20-2019 03:19 AM

Hi ! 

Thanks for your answer. So there's no way to offload the complete process (authentication + authorization) to an external AAA server ? 

 

 

Antho

0 Helpful

Rob Ingram
VIP
VIP
In response to Antho_Balitrand

‎06-20-2019 03:37 AM

Hi,
If you are using certificate authentication, the authentication is always between the routers themselves. External RADIUS is for authorization....you could still use the RADIUS server to permit/deny the session - this would be in addition to the authentication of the certificates between the routers.

HTH
0 Helpful
Customers Also Viewed These Support Documents