ikev2 profile certificate map problem

HermanAkv
Level 1

I am trying to make two different IKEv2 profiles for two different groups of users. I am trying to distinguish between them based on the serial number of the certificate. However, any certificate that is issued by the CA always falls under the first profile. Even when I put a bogus serial number there, it always connects with VPN-1. I have a C1101. Any idea what might be wrong?

crypto pki certificate map CERT-MAP-1 10
 serial-number eq 582228888
crypto pki certificate map CERT-MAP-2 10
 serial-number eq 5111111111
crypto ikev2 profile VPN-1
 match identity remote key-id *$AnyConnectClient$*
 match certificate CERT-MAP-1
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-1-VPN
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-1-VPN
 virtual-template 100
 anyconnect profile acvpn
crypto ikev2 profile VPN-2
 match identity remote key-id *$AnyConnectClient$*
 match certificate CERT-MAP-2
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization user anyconnect-eap cached
 virtual-template 101
 anyconnect profile acvpn

interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-1
interface Virtual-Template101 type tunnel
 ip unnumbered Loopback101
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-2

crypto ipsec profile VPN-1
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-1
crypto ipsec profile VPN-2
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-2

20 Replies

Can you check the serial-number? It is a case-sensitive value.

MHM

@HermanAkv You could try using "co" for contains instead of "eq" equals - in case you haven't included the entire serial number in the output above (or obfuscated it), as the output looks too short for the entire serial number.

Using the certificate map isn't very scalable, as you have to have multiple IKEv2 profiles, authorisation profiles etc. for each match.

Name Mangler would be a better suggestion: you can use a common dVTI, IKEv2 profile and a unique authorisation policy, where the name of the authorisation policy exactly matches the name of the value extracted from the certificate using the Name Mangler. However, it does not support matching on serial number, only attributes from dn, email, fqdn or eap.
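Added example, not part of the thread and not Cisco code: the reply above notes that the serial numbers in the first post look too short and suggests `co` instead of `eq`. The script below reads the serial number out of a DER certificate in the form `openssl x509 -serial` and `show crypto pki certificates` display it (hex, without the DER sign-padding byte) and evaluates `crypto pki certificate map` serial-number rules against it. The certificate bytes are constructed (only the prefix up to the serial is present), and the matching semantics (case-insensitive hex compare, `co`/`nc` as substring tests, all lines of one map sequence ANDed) are assumptions about IOS behaviour, not a Cisco specification.

```python
# Added example, not from the thread or Cisco: pull the serial number out of a
# DER certificate the way `openssl x509 -serial` / `show crypto pki certificates`
# show it, and evaluate `crypto pki certificate map` serial-number rules against it.
# DER walk: Certificate SEQ -> tbsCertificate SEQ -> optional [0] version -> serial INTEGER.
# ASSUMPTIONS: IOS compares the hex string case-insensitively and `co`/`nc` are
# substring tests; the sample certificate bytes are constructed, not a real cert.

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, off: int):
    """Decode the DER TLV header at `off`; return (tag, value_start, value_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                  # long-form length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nb], "big")
        off += nb
    return tag, off, off + ln


def der_serial_hex(cert_der: bytes) -> str:
    """Serial number as lowercase hex with an even digit count, without the DER
    sign-padding 0x00 byte that tools such as openssl do not display."""
    tag, tbs_start, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, off, _ = _read_tlv(cert_der, tbs_start)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    tag, vstart, vend = _read_tlv(cert_der, off)
    if tag == 0xA0:                                     # [0] EXPLICIT version (optional)
        tag, vstart, vend = _read_tlv(cert_der, vend)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    serial = int.from_bytes(cert_der[vstart:vend], "big", signed=True)
    assert serial > 0, "X.509 serial numbers must be positive"
    h = format(serial, "x")
    return h if len(h) % 2 == 0 else "0" + h


def serial_rule_matches(op: str, value: str, serial_hex: str) -> bool:
    """One `serial-number <op> <value>` line. Colons (openssl style) are ignored.
    ASSUMPTION: case-insensitive compare; eq/ne whole string, co/nc substring."""
    v = value.lower().replace(":", "")
    s = serial_hex.lower()
    return {"eq": v == s, "ne": v != s, "co": v in s, "nc": v not in s}[op]


def certificate_map_matches(rules, serial_hex: str) -> bool:
    """A map sequence matches only if every field line in it matches (AND);
    `rules` is a list of (op, value) tuples from one certificate map sequence."""
    return all(serial_rule_matches(op, val, serial_hex) for op, val in rules)


def certificate_map_stanza(name: str, seq: int, serial_hex: str) -> str:
    """Render the IOS stanza with the serial in the form the router expects."""
    return f"crypto pki certificate map {name} {seq}\n serial-number eq {serial_hex}\n"


def sample_cert(serial: int) -> bytes:
    """CONSTRUCTED sample: only the Certificate/TBS prefix up to serialNumber is
    present, which is all the parser above reads. Not a valid certificate."""
    n = (serial.bit_length() + 8) // 8          # extra bit keeps the sign bit clear
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))   # v3
    serial_der = _tlv(0x02, serial.to_bytes(n, "big"))
    return _tlv(0x30, _tlv(0x30, version + serial_der))


if __name__ == "__main__":
    for sn in (0x2A23B6C98E5ADF54, 0x8F00000000000001):   # second one has the high bit set
        h = der_serial_hex(sample_cert(sn))
        print(certificate_map_stanza("CERT-MAP-1", 10, h))
        print("eq decimal-looking value:", certificate_map_matches([("eq", "582228888")], h))
        print("co partial value       :", certificate_map_matches([("co", h[4:10])], h))
```

The second sample serial has its high bit set, so DER stores it with a leading 0x00 byte; the parser decodes it as a signed integer and re-renders it so the value pasted into the map is the one the router prints, which is the comparison the thread is debugging.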

Sounds good, but I have never worked with Name Mangler, so that might be a bit challenging for me.

@HermanAkv turn on IKEv2 debugging and determine the error messages related to failing to match using the serial number.

Name Mangler example:

crypto ikev2 authorization policy RED
 aaa attribute list RED
 route set interface
 route set remote ipv4 10.1.0.0 255.255.255.0
 route set remote ipv4 10.1.1.0 255.255.255.0
!
crypto ikev2 authorization policy BLUE
 aaa attribute list BLUE
!
crypto ikev2 name-mangler NM_OU
 dn organization-unit
!
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list FLEX_LOCAL_AUTHOR name-mangler NM_OU

When the certificate is used for authentication, the router extracts the "organisation-unit" value from the certificate, which in this instance is RED or BLUE. So when authorised and the extracted value is RED, the RED authorisation policy is applied and the client inherits those settings. The organisation-unit attribute on the certificate obviously must contain either RED or BLUE (or anything you wish). This is obviously more scalable and requires less configuration than creating multiple dvti, ikev2 profiles etc.
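Added example, not part of the thread and not Cisco code: a model of the name-mangler flow described in the reply above. One DN attribute is extracted from the peer certificate's subject and that string is looked up, exactly, as a local `crypto ikev2 authorization policy` name; when no policy of that name exists the peer is not authorized. Subject strings are parsed per RFC 4514 so an escaped comma inside a CN does not split the RDN. The subjects and policies are constructed (the policy names are reused from the thread), and the exact, case-sensitive name match and "first occurrence wins" rule for a repeated attribute are assumptions, not documented Cisco behaviour.

```python
# Added example, not from the thread or Cisco: a model of the name-mangler
# authorization flow. One DN attribute is extracted from the peer certificate and
# that string is looked up, exactly, as a local `crypto ikev2 authorization policy`
# name. DN strings are parsed per RFC 4514.
# ASSUMPTIONS: exact, case-sensitive policy-name match; with a repeated attribute
# (two OUs) the first one wins; all subjects and policies below are constructed.

# name-mangler `dn <keyword>` -> RFC 4514 attribute type
_DN_KEYWORD = {
    "common-name": "CN",
    "organization-unit": "OU",
    "organization": "O",
    "country": "C",
    "locality": "L",
    "state": "ST",
}


def parse_dn(dn: str):
    """Split an RFC 4514 string into ordered (TYPE, value) pairs, honouring
    backslash escapes (`\\,` and `\\2C` forms) so a comma in a CN does not split it."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                cur.append(chr(int(nxt, 16)))           # hex escape
                i += 3
            else:
                cur.append(dn[i + 1])                   # escaped special character
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        t, sep, v = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((t.strip().upper(), v.strip()))
    return pairs


def mangle(subject_dn: str, keyword: str):
    """What `crypto ikev2 name-mangler X` with `dn <keyword>` yields for this
    subject, or None when the attribute is absent."""
    attr = _DN_KEYWORD[keyword]
    values = [v for t, v in parse_dn(subject_dn) if t == attr]
    return values[0] if values else None


def authorize(subject_dn: str, keyword: str, policies: dict):
    """Return (policy_name, policy) on success, or (policy_name, None) when no
    policy carries the mangled name: the peer is then not authorized."""
    name = mangle(subject_dn, keyword)
    if name is None:
        return None, None
    return name, policies.get(name)


# CONSTRUCTED policies, reusing the names from the thread.
POLICIES = {
    "TEST-ADMIN": {"pool": "VPN-ADMIN-POOL", "dns": "172.17.10.1"},
    "TEST-SUBJECT": {"pool": "VPN-INT-POOL", "dns": "172.19.10.1"},
}

if __name__ == "__main__":
    subjects = [
        "CN=TEST-ADMIN,OU=IT,O=Example,C=CZ",           # CN names a policy -> authorized
        "CN=Smith\\, John,OU=TEST-SUBJECT,O=Example",   # CN is a person, OU names a policy
    ]
    for kw in ("common-name", "organization-unit"):
        for s in subjects:
            print(f"dn {kw:17} {s!r:48} -> {authorize(s, kw, POLICIES)}")
```

Running it shows the failure mode behind the later posts in this thread: with `dn common-name` a certificate issued to a person (CN=Smith, John) mangles to a name no policy carries, so authorization returns no policy, while `dn organization-unit` on the same certificate selects TEST-SUBJECT.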

Is it possible to combine it somehow with the aaa authorization group anyconnect-eap list command?

@HermanAkv why do you need to authorise both certificate and anyconnect-eap? authorisation of the certificate would be sufficient.

@Rob Ingram Since I am not able to make it work with the user name, I would say the certificate would be sufficient if the name-mangler works correctly. This is my config, which is not working:

crypto ikev2 profile VPN-INT
 match identity remote key-id *$AnyConnectClient$
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint TP-VPN
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR name-mangler INT_MN
 aaa authorization user anyconnect-eap cached
 virtual-template 101
 anyconnect profile acvpn

crypto ikev2 authorization policy TEST-SUBJECT 
 pool VPN-INT-POOL
 dns 172.19.10.1
 netmask 255.255.255.0
 aaa attribute list TEST-SUBJECT
 route set access-list split_tunnel-INT-VPN

crypto ikev2 authorization policy TEST-ADMIN 
 pool VPN-ADMIN-POOL
 dns 172.17.10.1
 netmask 255.255.255.0
 aaa attribute list TEST-ADMIN
 route set access-list split_tunnel-ADMIN-VPN

crypto ikev2 name-mangler INT_MN
 dn common-name

I am receiving the error shown in the attached picture.

HermanAkv
Level 1

Actually, the output is a testing config. I tried to do it, but even though I had the correct SN in IKEv2 profile VPN-2, I was still connected through VPN-1. So I entered a bogus SN to check whether the certificate map is working, and it seems it isn't at all. With the above config I am still able to connect despite the SN being incorrect. I have no idea why this config is working.

 match identity remote key-id *$AnyConnectClient$*

The issue then is because of the first match.
I know it is important for RA VPN, but remove it and check.

I checked and found a Cisco example which, as I guess, uses match map only, not matching both map and identity:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/220471-configure-flexvpn-ikev2-for-windows-buil.html

MHM

HermanAkv
Level 1

I've tried it. I couldn't connect when there was a bogus SN, but I also couldn't connect with the correct SN.

Please don't use a bogus SN.
Share the last config, let me double-check.

MHM

HermanAkv
Level 1

Here it is:

crypto pki certificate map CERT-MAP-1 10
 serial-number eq 2a23b6c98e5adf54
crypto pki certificate map CERT-MAP-2 10
 serial-number eq 1f3b24afc262fd70
crypto ikev2 profile VPN-1
 match certificate CERT-MAP-1
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-1-VPN
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-1-VPN
 virtual-template 100
 anyconnect profile acvpn
crypto ikev2 profile VPN-2
 match certificate CERT-MAP-2
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization user anyconnect-eap cached
 virtual-template 101
 anyconnect profile acvpn

interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-1
interface Virtual-Template101 type tunnel
 ip unnumbered Loopback101
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-2

crypto ipsec profile VPN-1
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-1
crypto ipsec profile VPN-2
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-2

aaa authorization group cert list AUTHOR ikev2-auth-policy-1-VPN

Check the list name, I think it is wrong.

Also use:

no crypto ikev2 http-url cert

Other than this, your config is OK from my view.

Thanks 

MHM

Here is the config, I don't know what might be wrong there:

aaa authorization network AUTHOR local 

crypto ikev2 authorization policy ikev2-auth-policy-1-VPN 
 pool VPN-1-POOL
 dns 172.17.10.1
 netmask 255.255.255.0
 route set access-list split_tunnel-1-VPN

no crypto ikev2 http-url cert