10-23-2023 06:05 AM
Hi
I am trying to implement MFA for AnyConnect VPN authentications. I am using IKEv2 and I am wondering if this tunnel is able to handle RADIUS Access-Challenge responses.
The standard method of authentication works fine (without MFA, just normal Access-Request/Access-Accept or Reject), but when we introduce the Access-Challenge the router doesn't seem to be handling it very well. Perhaps you can give me some advice on this subject?
The router I am using is an ISR4000 ZBFW.
Thanks!
10-27-2023 05:23 AM
CSCvt81434 ENH: Support for OTP with RADIUS Access-Challenge message FlexVPN IKEv2 AnyConnect-EAP
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt81434
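Added example, not from this thread and not Cisco code: a minimal RADIUS Access-Challenge round trip in Python, showing what the enhancement request above is about. The server answers the first Access-Request (static password) with an Access-Challenge that carries a State attribute and a Reply-Message prompt; a challenge-aware NAS must copy that State verbatim into a second Access-Request carrying the OTP before it can receive an Access-Accept. A NAS with no challenge handling stops at the Challenge and never reaches Accept, which is the failure mode the thread is about. The PAP password hiding and the Response Authenticator follow RFC 2865; the shared secret, user name, password and OTP are constructed values for the demo.

```python
import hashlib
import os
import secrets
import struct

# RADIUS codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used here
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed demo values (hypothetical, not from the thread)
SECRET = b"s3cret"
USERS = {"alice": {"password": "pw", "otp": "123456"}}


def encode_attrs(attrs):
    """attrs: list of (type, bytes) -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def get_attr(attrs, t):
    return next((v for at, v in attrs if at == t), None)


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(packet, req_auth, secret):
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + req_auth + body + secret).digest() == resp_auth


class OtpRadiusServer:
    """Toy server: first factor is a static password, second is an OTP; State ties the two legs."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, packet):
        _code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth = packet[4:20]
        attrs = decode_attrs(packet[20:length])
        user = get_attr(attrs, USER_NAME).decode()
        pw = pap_decrypt(get_attr(attrs, USER_PASSWORD), self.secret, req_auth)
        state = get_attr(attrs, STATE)
        if state is None:
            # First leg: no State yet. Check the static password, then challenge for the OTP.
            if self.users.get(user, {}).get("password") != pw:
                return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
            state = secrets.token_bytes(16)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, ident, req_auth,
                                  [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")], self.secret)
        # Second leg: State must match a pending challenge for this user, password field holds the OTP.
        if self.pending.pop(state, None) != user or self.users[user]["otp"] != pw:
            return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
        return build_response(ACCESS_ACCEPT, ident, req_auth, [], self.secret)


def nas_login(server, secret, user, password, otp, handle_challenge=True):
    """NAS side. Returns the list of response codes seen. With handle_challenge=False the NAS
    behaves like one that has no challenge state machine: it stops at the first reply."""
    codes, attrs, cred = [], [(USER_NAME, user.encode())], password
    for ident in range(1, 4):
        req_auth = os.urandom(16)
        req = build_request(ident, req_auth, attrs + [(USER_PASSWORD, pap_encrypt(cred, secret, req_auth))])
        resp = server.handle(req)
        if not verify_response(resp, req_auth, secret):
            raise ValueError("bad Response Authenticator")
        codes.append(resp[0])
        if resp[0] != ACCESS_CHALLENGE or not handle_challenge:
            return codes
        # Challenge: echo State unchanged in the next request and send the OTP as the password.
        attrs = [(USER_NAME, user.encode()), (STATE, get_attr(decode_attrs(resp[20:]), STATE))]
        cred = otp
    raise RuntimeError("too many challenge rounds")


if __name__ == "__main__":
    srv = OtpRadiusServer(SECRET, USERS)
    print(nas_login(srv, SECRET, "alice", "pw", "123456"))        # [11, 2]
    print(nas_login(srv, SECRET, "alice", "pw", "123456", False))  # [11]
```

The second call is the interesting one: the server's first reply is identical in both runs, so whether the login succeeds depends entirely on whether the NAS copies State back and re-prompts. That is the piece the ISR is missing for AnyConnect-EAP, and it is why the same RADIUS server works with a plain Access-Accept flow.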
10-23-2023 06:42 AM
Can I see the config of ZBFW?
10-23-2023 07:28 AM
This is what I have:
crypto pki trustpoint TP_Name
 enrollment selfsigned
 usage ike
 serial-number none
 fqdn mfa.test.com
 ip-address none
 subject-name cn=mfa.test.com
 subject-alt-name mfa.test.com
 revocation-check none
 rsakeypair key 4096
crypto ikev2 profile ANYCONNECT-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_Name
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author IKEV2-AUTHOR-POLICY
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 100
crypto ipsec transform-set ANYCONNECT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile ANYCONNECT-EAP
 set transform-set ANYCONNECT-TS
 set ikev2-profile ANYCONNECT-EAP