FTD IKEv2 to Windows 10 Native client with dynamic Group Policies

TomasGahura2939
Level 1

Dear all,

 

Lately I have managed to get FTD to support an IKEv2 tunnel from the Windows 10 native client, using only certificate authentication.

However, the configuration works only with one locally created address pool.

 

For SSL we have 3 different Group Policies assigned based on the username entered in the AnyConnect login. AD will then assign the correct group policy for that VPN user.

 

Is there a way to configure IKEv2 to extract the username from the certificate, verify that username on AD and send the correct group policy, the same as for SSL VPN?

 

Thank you for any suggestions.

Accepted Solution

I don't believe this is possible on FTD, but it might be possible using ISE for authentication and authorization. You cannot use EAP-TLS for authenticating AnyConnect SSL sessions with ISE, but a combination of the discussions in the links below could provide useful info.

https://community.cisco.com/t5/network-access-control/vpn-certificate-auth-using-ise/td-p/3513185

https://www.petenetlive.com/KB/Article/0001155 

Best Regards
Nicolai Borchorst
CCIE Security #65775


2 Replies

Nicolai, thank you so much!

 

I was missing the authorization part of the request, since authentication happened only on the FTD box (which only authenticated the client certificate).

 

For anyone wondering, I have managed to make a working config for a Win 10 native IKEv2 "always on" VPN tunnel. FTD will extract the UPN from the certificate and ISE will assign the correct group policy for each user.

 

tunnel-group DefaultRAGroup general-attributes
authorization-server-group ISE_RADIUS
authorization-required
username-from-certificate UPN
tunnel-group DefaultRAGroup ipsec-attributes
peer-id-validate cert
ikev2 rsa-sig-hash sha1
ikev2 remote-authentication certificate
ikev2 local-authentication certificate cert_tp

 

Thank you!
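The key line in the working config above is `username-from-certificate UPN`: FTD takes the identity it hands to ISE for authorization from the certificate's subjectAltName extension, specifically the otherName entry carrying the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3. The following dependency-free Python walks a DER-encoded subjectAltName value and pulls out exactly that field, then applies the fail-closed realm check a RADIUS authorization policy would typically enforce. This is an added example written for this thread, not code from the thread or from Cisco; the SAN it parses is constructed inline (both UPN and e-mail values are made up), and the realm allow-list is an assumption standing in for whatever AD domains ISE actually trusts.

```python
"""Extract the UPN from an X.509 subjectAltName (DER) and authorize on it.

Constructed example: encodes a small SAN with an rfc822Name and an otherName/UPN
entry, then parses it back the way `username-from-certificate UPN` conceptually
does. No real certificates or thread values are used.
"""
from typing import Iterator, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name (szOID_NT_PRINCIPAL_NAME)


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def iter_tlv(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each consecutive TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def upn_from_san(san_der: bytes) -> Optional[str]:
    """Return the UPN from a DER subjectAltName value, or None if absent."""
    outer_tag, names = next(iter_tlv(san_der))
    if outer_tag != 0x30:                      # GeneralNames ::= SEQUENCE OF GeneralName
        raise ValueError("subjectAltName is not a SEQUENCE")
    for tag, name in iter_tlv(names):
        if tag != 0xA0:                        # otherName is [0] IMPLICIT, constructed
            continue                           # (rfc822Name 0x81, dNSName 0x82, ... are skipped)
        parts = list(iter_tlv(name))           # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
        if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            continue
        if decode_oid(parts[0][1]) != UPN_OID:
            continue
        inner_tag, inner = next(iter_tlv(parts[1][1]))
        if inner_tag == 0x0C:                  # UTF8String
            return inner.decode("utf-8")
    return None


def authorize_upn(san_der: bytes, allowed_realms: Tuple[str, ...]) -> Optional[str]:
    """Fail closed like `authorization-required`: no UPN, or a UPN outside the
    realms our directory owns, yields None even though the certificate chained."""
    upn = upn_from_san(san_der)
    if upn is None or "@" not in upn:
        return None
    _, realm = upn.rsplit("@", 1)
    return upn if realm.lower() in allowed_realms else None


def build_sample_san(upn: str, email: str) -> bytes:
    """Constructed SAN: rfc822Name first, then otherName carrying the UPN."""
    other_name = der_tlv(0xA0, encode_oid(UPN_OID) + der_tlv(0xA0, der_tlv(0x0C, upn.encode())))
    return der_tlv(0x30, der_tlv(0x81, email.encode("ascii")) + other_name)


if __name__ == "__main__":
    san = build_sample_san("jdoe@corp.example", "jdoe@mail.example")   # constructed values
    print(upn_from_san(san))
    print(authorize_upn(san, ("corp.example",)))
```

The realm check matters because certificate authentication on FTD only proves the client holds a key the CA signed; which group policy that identity should receive is a separate decision, and a UPN with an unexpected suffix (or none at all) should be rejected rather than mapped to a default.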