I'm stuck on a VPN problem that is new to me. The client wants to use the standard IKEv2 client in Windows and in other platforms' OSes (mobile), but has no CA of its own, nor any other infrastructure suitable for AAA/RADIUS, i.e. there is only an ISR 4000 series router on site. Standard clients can authenticate only by EAP, and FlexVPN EAP on Cisco requires at least a valid server certificate and, according to all the documentation available, client certificates or an external RADIUS server.
So, how can I solve this mess? Set up a RADIUS server and a CA on the router itself? Or just purchase one SSL cert for VPN server auth and use a local user database (login local) for client/AAA auth?