IKEv2 with no ext CA and RADIUS

a.ponomarenko1
Level 1

Stuck on a new problem for me with VPN. The client wants to use the standard IKEv2 client in Windows and other platform OSes (mobiles), but has no own CA, nor any other infrastructure suitable for AAA/RADIUS, i.e. there is an ISR 4000 series router alone on site. Standard clients can authenticate only by EAP, and FlexVPN EAP on Cisco requires at least a valid server certificate and, according to any documentation available, client certificates or an external RADIUS server.

So, how can I solve that mess? Make a RADIUS and CA on the router itself? Or just purchase one SSL cert for VPN server auth and use a local user database (login local) for client/AAA auth?

1 Reply

a.ponomarenko1
Level 1

OK, you can't make a local RADIUS server on the router itself; this was possible only on certain G2 models. But you can create a local CA; with the latest IOS it supports all features needed (EKU, SAN). Unfortunately, you are effectively limited to site-to-site solutions by the absence of easy ways to obtain multiple certificates from the local CA (both the web interface and Config Pro are useless for such a task).
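As an added illustration (not configuration posted by the original author, and not taken from Cisco documentation), the following IOS XE configuration sketches the certificate-only path the reply ends up with: a local CA running on the router, a trustpoint through which the VPN server enrolls its own identity certificate from that CA, and an IKEv2 profile that authenticates both sides with RSA signatures. All names (SITE-CA, VPN-SERVER, FLEX-PROF, CERT-MAP), the address 192.0.2.1 and the subject names are placeholders chosen for this example; they carry no meaning on a real router.

```cisco
! Local CA on the ISR itself. Enrollment happens over SCEP, which rides on
! the router's HTTP server, so that service has to be enabled.
ip http server
!
crypto pki server SITE-CA
 issuer-name CN=SITE-CA,O=Example
 lifetime ca-certificate 3650
 lifetime certificate 365
 database level complete
 ! Certificate requests are granted manually by default. Keep it that way:
 ! review pending requests with "show crypto pki server SITE-CA requests"
 ! and approve one with "crypto pki server SITE-CA grant <req-id>".
 ! "grant auto" would issue a certificate to anything that can reach SCEP.
 no shutdown
!
! Trustpoint through which the VPN server enrolls its own certificate with
! the local CA above. After configuring it, run from EXEC mode:
!   crypto pki authenticate VPN-SERVER
!   crypto pki enroll VPN-SERVER
crypto pki trustpoint VPN-SERVER
 enrollment url http://192.0.2.1:80
 subject-name CN=vpn.example.test,O=Example
 revocation-check none
 rsakeypair VPN-SERVER 2048
!
! Only accept peer certificates issued by the local CA (match values are
! compared case-insensitively, hence the lowercase issuer string).
crypto pki certificate map CERT-MAP 10
 issuer-name co site-ca
!
! IKEv2 profile: certificate authentication in both directions, no EAP and
! no RADIUS involved, which is why this covers site-to-site peers only.
crypto ikev2 profile FLEX-PROF
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN-SERVER
 virtual-template 1
```

Every remote peer still needs its own certificate issued by SITE-CA, enrolled and granted one request at a time through the CLI, which is exactly the scaling limit the reply describes; the standard built-in IKEv2 clients on Windows and mobile platforms, which expect EAP, are not served by this profile.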