Radius routes not working in Flexvpn with Anyconnect

liotti
Level 1

Hi all.

I have a 1101 router with FlexVPN configured on it. The AnyConnect client connects and works. User authentication is done with RADIUS, particularly FreeRADIUS on Linux.

Now I'm trying to add per-user routes in RADIUS attributes, to be pushed to the client. They do not seem to work. Maybe someone could figure out what's going wrong.

I'm running c1100-universalk9_ias.16.09.02.SPA.bin on the router, with securityk9 permanent license.

The relevant config is:


aaa group server radius FlexVPN-AuthC-Server-Group-1
 server-private 192.168.69.8 auth-port 1812 acct-port 1813 key xxxxxxxx
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login login-for-vpn group radius
aaa authentication login userauthen group radius
aaa authentication login FlexVPN-AuthC-List-1 group FlexVPN-AuthC-Server-Group-1
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network groupauthor group radius
aaa authorization network FlexVPN-AuthZ-List-1 local
!
crypto ikev2 authorization policy FlexVPN-Local-Policy-1
 pool FlexVPN-Pool-1
 dns 192.168.69.1
 netmask 255.255.255.0
 def-domain domain.local
!
crypto ikev2 proposal SHA1-only
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy SHA1-only
 match fvrf any
 proposal SHA1-only
!
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
 match identity remote key-id domain.com
 match identity remote key-id vpn.domain.com
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint Sectigo
 dpd 60 2 on-demand
 aaa authentication eap FlexVPN-AuthC-List-1
 aaa authorization group eap list FlexVPN-AuthZ-List-1 FlexVPN-Local-Policy-1
 virtual-template 10
!
radius server SERVER1
 address ipv4 192.168.69.8 auth-port 1812 acct-port 1813
 timeout 6
 retransmit 10
 key xxxxxx
!


On the RADIUS server the user config is the following (there are old attributes from previous VPN types, which did work). The route I would like to push is the one in cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24".


user Cleartext-Password := "pass"
  cisco-avpair = "ipsec:addr-pool=mypool",
  cisco-avpair += "ipsec:inacl=acl_vpnclient",
  cisco-avpair += "ipsec:dns-servers=192.168.69.1 192.168.69.2",
  cisco-avpair += "ipsec:user-save-password=1",
  cisco-avpair += "webvpn:user-vpn-group=tutto",
  cisco-avpair += "shell:priv-lvl=0",
  cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
  Tunnel-Private-Group-id += "ovpn",
  Framed-Route += "192.168.69.0/24",
  Framed-Route += "192.168.71.0/24",
  Framed-Route += "192.168.72.0/24",
  Framed-Route += "192.168.73.0/24",
  Framed-Route += "192.168.75.0/24",
  Framed-Route += "192.168.77.0/24",
  Framed-Route += "192.168.78.0/24",
  MS-Primary-DNS-Server += "192.168.69.1",
  MS-Secondary-DNS-Server += "192.168.69.2"


I took a dump of debug radius and debug crypto ikev2. I attach it.

The client is Windows 10 with AnyConnect 4.7.02036. I enabled debug routes on it. No sign of the 192.168.69.0 route. I pasted this debug file at the end of the previous attachment, since it seems I'm able to attach only one file.

Thank you in advance.

3 Replies

Hi,
Your configuration above is currently using a local authorisation list, not RADIUS. I assume that's just an old config?

Does the client session receive all the other settings, IP pool, DNS from radius etc?

What is the output of "show crypto ikev2 sa detailed" for the user's session? Does it list all the remote subnets learnt from RADIUS?

For testing, if you used local authorisation list on the router and distributed the static routes are they learnt by the client?

HTH

Hi RJI,

You pointed me in the right direction. I was not aware that I had to create a RADIUS user for the authorization policy, and that the routes were to be put in that.

So with respect to my previous config, I did this:

! changed the authorization list from local to radius:
aaa authorization network FlexVPN-AuthZ-List-1 group radius

! deleted the local authorization policy
no crypto ikev2 authorization policy FlexVPN-Local-Policy-1

! Renamed the radius AAA user, just for clarity
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
 aaa authorization group eap list FlexVPN-AuthZ-List-1 FlexVPN-Radius-Policy-1

And in FreeRADIUS, I created the user for the authorization policy, this way. Now it works!! Thank you.


FlexVPN-Radius-Policy-1 Service-Type == Dialout-Framed-User, Auth-Type := Accept
  Service-Type = Outbound-User,
  Framed-IP-Netmask = 255.255.255.0,
  cisco-avpair += "ipsec:addr-pool=FlexVPN-Pool-1",
  cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
  cisco-avpair += "ipsec:route-set=prefix 192.168.71.0/24",
  cisco-avpair += "ipsec:dns-servers=192.168.69.1 192.168.69.2",
  cisco-avpair += "ipsec:default-domain=domain.local",
  cisco-avpair += "ipsec:interface-config=ip mtu 1300"
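As an added check (not part of the thread, nor Cisco or FreeRADIUS code), the following Python parses a FreeRADIUS users stanza of the shape posted above, extracts the ipsec:route-set prefixes, and flags the two mistakes that leave the client without routes while everything else looks fine: a stanza whose name differs from the policy named on the profile's aaa authorization line, and a prefix the router cannot install. The stanza and the IOS line are constructed copies of the ones in the post.

```python
import re
import ipaddress

# Constructed sample: a FreeRADIUS "users" stanza for a FlexVPN authorization
# policy, in the shape of the entry in the post above (values are examples).
SAMPLE_USERS_STANZA = """\
FlexVPN-Radius-Policy-1 Service-Type == Dialout-Framed-User, Auth-Type := Accept
  Service-Type = Outbound-User,
  Framed-IP-Netmask = 255.255.255.0,
  cisco-avpair += "ipsec:addr-pool=FlexVPN-Pool-1",
  cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
  cisco-avpair += "ipsec:route-set=prefix 192.168.71.0/24",
  cisco-avpair += "ipsec:dns-servers=192.168.69.1 192.168.69.2",
  cisco-avpair += "ipsec:default-domain=domain.local",
  cisco-avpair += "ipsec:interface-config=ip mtu 1300"
"""

# The IOS profile line from the post; its last token is the policy name that
# must exist as a RADIUS user, since that is what the router queries for.
IOS_AUTHZ_LINE = "aaa authorization group eap list FlexVPN-AuthZ-List-1 FlexVPN-Radius-Policy-1"

AVPAIR_RE = re.compile(r'cisco-avpair\s*(?:\+|:)?=\s*"([^"]*)"')
ROUTE_SET_RE = re.compile(r"ipsec:route-set=prefix\s+(\S+)")

def parse_avpairs(stanza):
    """All cisco-avpair values in a users-file stanza, in file order."""
    return AVPAIR_RE.findall(stanza)

def route_set_prefixes(stanza):
    """Prefixes the router would push to the client via ipsec:route-set."""
    return [m.group(1) for av in parse_avpairs(stanza) if (m := ROUTE_SET_RE.fullmatch(av))]

def check_stanza(stanza, ios_authz_line):
    """Return problems that would stop routes from reaching the client."""
    problems = []
    user, policy = stanza.split(None, 1)[0], ios_authz_line.split()[-1]
    if user != policy:  # router looks up the policy name; a mismatch = no attributes
        problems.append(f"RADIUS user {user!r} != policy {policy!r}")
    for av in parse_avpairs(stanza):
        m = ROUTE_SET_RE.fullmatch(av)
        if av.startswith("ipsec:route-set=") and m is None:
            problems.append(f"malformed route-set: {av}")
        elif m is not None:
            try:  # strict=True rejects host bits, e.g. 192.168.71.1/24
                ipaddress.ip_network(m.group(1), strict=True)
            except ValueError:
                problems.append(f"bad prefix in route-set: {m.group(1)}")
    return problems
```

Run check_stanza on the stanza before restarting FreeRADIUS; an empty list means the names agree and every route-set prefix is a valid network.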

Hi,

Glad to hear it's working. Instead of using a static authorisation policy and defining that as a user in RADIUS, you could use a name-mangler in order to provide different authorisation attributes. Check out this link; it has several posts on authorisation with or without RADIUS integration using the name-mangler feature.

HTH
