IKEv2 with RADIUS Access-Challenge

jmsr (Level 1)

Hi

I am trying to implement MFA for AnyConnect VPN authentication. I am using IKEv2 and I am wondering whether this tunnel is able to handle RADIUS Access-Challenge responses.

The standard method of authentication works fine (without MFA, just the normal Access-Request/Access-Accept or Access-Reject), but when we introduce the Access-Challenge the router does not seem to be handling it very well. Perhaps you can give me some advice on this subject?

[screenshot: jmsr_1-1698065984104.png]

The router I am using is an ISR4000 with ZBFW.

Thanks!

Accepted Solution

gajownik (Cisco Employee)

CSCvt81434 ENH: Support for OTP with RADIUS Access-Challenge message FlexVPN IKEv2 AnyConnect-EAP
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt81434

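For readers who have not seen what the router (acting as the RADIUS client, or NAS) would have to do, here is the Access-Request / Access-Challenge / Access-Request / Access-Accept round trip from RFC 2865 written out in pure Python. This is an added example, not code from this thread or from Cisco; the shared secret, user database, OTP value and the toy server are all constructed for the example, and nothing here talks to a real NAS or RADIUS server. The part that matters for the question is that the second Access-Request must carry the server's State attribute unchanged, and that the OTP travels in User-Password; a NAS that drops the State (modelled with `echo_state=False`) is rejected even with a correct OTP.

```python
"""RADIUS Access-Challenge round trip (RFC 2865) with a toy in-memory server."""
import hashlib
import os
import struct

# Constructed for this example: shared secret, user database and the OTP a token would show.
SECRET = b"constructed-shared-secret"
USERS = {b"alice": b"s3cret"}
VALID_OTP = b"123456"

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_attrs(attrs):
    """Attributes as Type/Length/Value; Length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        t, ln = struct.unpack("!BB", blob[i:i + 2])
        attrs.append((t, blob[i + 2:i + ln]))
        i += ln
    return attrs


def hide_password(password, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(SECRET + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SECRET + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, username, password, state=None):
    """Access-Request with a fresh random Request Authenticator; State echoed if given."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + SECRET).digest()
    return header + resp_auth + body


def verify_response(response, request):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SECRET).digest()
    return response[4:20] == expected


class ToyRadiusServer:
    """Password first, then Access-Challenge with State; Accept only when State and OTP return."""

    def __init__(self):
        self.pending = {}  # State value -> user whose OTP is outstanding

    def handle(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != ACCESS_REQUEST or length != len(pkt):
            return None
        attrs = dict(decode_attrs(pkt[20:]))
        user = attrs.get(USER_NAME)
        secret = unhide_password(attrs.get(USER_PASSWORD, b""), pkt[4:20])
        state = attrs.get(STATE)
        if state is None:
            # Round 1: without State this is a password attempt, never an OTP
            if USERS.get(user) != secret:
                return build_response(ACCESS_REJECT, pkt, [])
            state = os.urandom(8)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, pkt,
                                  [(STATE, state), (REPLY_MESSAGE, b"Enter OTP")])
        # Round 2: State must be one we issued for this user, and User-Password holds the OTP
        if self.pending.pop(state, None) == user and secret == VALID_OTP:
            return build_response(ACCESS_ACCEPT, pkt, [])
        return build_response(ACCESS_REJECT, pkt, [])


def mfa_login(server, username, password, otp, echo_state=True):
    """NAS side. echo_state=False models a NAS that cannot carry the challenge's State back."""
    req1 = access_request(1, username, password)
    resp1 = server.handle(req1)
    if not verify_response(resp1, req1):
        raise ValueError("bad Response Authenticator")
    if resp1[0] != ACCESS_CHALLENGE:
        return resp1[0]
    state = dict(decode_attrs(resp1[20:]))[STATE] if echo_state else None
    req2 = access_request(2, username, otp, state=state)
    resp2 = server.handle(req2)
    if not verify_response(resp2, req2):
        raise ValueError("bad Response Authenticator")
    return resp2[0]
```

Between the two requests a real NAS has to stop, show the Reply-Message to the user, collect the OTP, and only then send the second Access-Request with the State attribute copied byte for byte. For FlexVPN with AnyConnect-EAP that prompt has to be relayed to the client inside the IKEv2 EAP exchange, which is the behaviour the enhancement request above refers to; without it the OTP never reaches the RADIUS server as a second round, and the server either rejects or keeps re-challenging.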

3 Replies

Can I see the config of ZBFW?

This is what I have:

crypto pki trustpoint TP_Name
 enrollment selfsigned
 usage ike
 serial-number none
 fqdn mfa.test.com
 ip-address none
 subject-name cn=mfa.test.com
 subject-alt-name mfa.test.com
 revocation-check none
 rsakeypair key 4096
!
crypto ikev2 profile ANYCONNECT-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_Name
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author IKEV2-AUTHOR-POLICY
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 100
!
crypto ipsec transform-set ANYCONNECT-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile ANYCONNECT-EAP
 set transform-set ANYCONNECT-TS
 set ikev2-profile ANYCONNECT-EAP
