10-07-2019 01:34 AM - edited 02-21-2020 09:45 PM
Hi all.
I have a 1101 router with FlexVPN configured on it. The AnyConnect client connects and works. User authentication is done with RADIUS, specifically FreeRADIUS on Linux.
Now I'm trying to add per-user routes in Radius attributes, to be pushed to the client. They do not seem to work. Maybe someone could figure out what's going wrong.
I'm running c1100-universalk9_ias.16.09.02.SPA.bin on the router, with securityk9 permanent license.
The relevant config is:
aaa group server radius FlexVPN-AuthC-Server-Group-1
 server-private 192.168.69.8 auth-port 1812 acct-port 1813 key xxxxxxxx
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login login-for-vpn group radius
aaa authentication login userauthen group radius
aaa authentication login FlexVPN-AuthC-List-1 group FlexVPN-AuthC-Server-Group-1
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network groupauthor group radius
aaa authorization network FlexVPN-AuthZ-List-1 local
crypto ikev2 authorization policy FlexVPN-Local-Policy-1
 pool FlexVPN-Pool-1
 dns 192.168.69.1
 netmask 255.255.255.0
 def-domain domain.local
!
!
crypto ikev2 proposal SHA1-only
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy SHA1-only
 match fvrf any
 proposal SHA1-only
!
!
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
 match identity remote key-id domain.com
 match identity remote key-id vpn.domain.com
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint Sectigo
 dpd 60 2 on-demand
 aaa authentication eap FlexVPN-AuthC-List-1
 aaa authorization group eap list FlexVPN-AuthZ-List-1 FlexVPN-Local-Policy-1
 virtual-template 10
!
radius server SERVER1
 address ipv4 192.168.69.8 auth-port 1812 acct-port 1813
 timeout 6
 retransmit 10
 key xxxxxx
!
On the RADIUS server the user config is the following (there are old attributes from previous VPN types, which did work). The route I would like to push is the one in cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24".
user Cleartext-Password := "pass"
	cisco-avpair = "ipsec:addr-pool=mypool",
	cisco-avpair += "ipsec:inacl=acl_vpnclient",
	cisco-avpair += "ipsec:dns-servers=192.168.69.1 192.168.69.2",
	cisco-avpair += "ipsec:user-save-password=1",
	cisco-avpair += "webvpn:user-vpn-group=tutto",
	cisco-avpair += "shell:priv-lvl=0",
	cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
	Tunnel-Private-Group-id += "ovpn",
	Framed-Route += "192.168.69.0/24",
	Framed-Route += "192.168.71.0/24",
	Framed-Route += "192.168.72.0/24",
	Framed-Route += "192.168.73.0/24",
	Framed-Route += "192.168.75.0/24",
	Framed-Route += "192.168.77.0/24",
	Framed-Route += "192.168.78.0/24",
	MS-Primary-DNS-Server += "192.168.69.1",
	MS-Secondary-DNS-Server += "192.168.69.2"
I took a dump of debug radius and debug crypto ikev2. I attach it.
The client is Windows 10 with AnyConnect 4.7.02036. I enabled debug routes on it. No sign of the 192.168.69.0 route. I pasted this debug file at the end of the previous attachment, since it seems I'm able to attach only one file.
Thank you in advance.
10-07-2019 02:00 AM
10-08-2019 06:08 AM
Hi RJI,
You pointed me in the right direction. I was not aware that I had to create a RADIUS user for the authorization policy, and that the routes were to be put in that.
So with respect to my previous config, I did this:
! changed the authorization list from local to radius:
aaa authorization network FlexVPN-AuthZ-List-1 group radius
! deleted the local authorization policy
no crypto ikev2 authorization policy FlexVPN-Local-Policy-1
! renamed the RADIUS AAA user, just for clarity
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
 aaa authorization group eap list FlexVPN-AuthZ-List-1 FlexVPN-Radius-Policy-1
And in FreeRADIUS, I created the user for the authorization policy this way. Now it works!! Thank you.
FlexVPN-Radius-Policy-1 Service-Type == Dialout-Framed-User, Auth-Type := Accept
	Service-Type = Outbound-User,
	Framed-IP-Netmask = 255.255.255.0,
	cisco-avpair += "ipsec:addr-pool=FlexVPN-Pool-1",
	cisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
	cisco-avpair += "ipsec:route-set=prefix 192.168.71.0/24",
	cisco-avpair += "ipsec:dns-servers=192.168.69.1 192.168.69.2",
	cisco-avpair += "ipsec:default-domain=domain.local",
	cisco-avpair += "ipsec:interface-config=ip mtu 1300"
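As an added example (not code from this thread, Cisco, or FreeRADIUS), the following Python parses the FreeRADIUS users-file syntax shown in the two posts above and extracts the prefixes that the authorization-policy entry would hand back to the router in cisco-avpair ipsec:route-set items, validating each one. The sample users-file text and the entry names in it are constructed to mirror the thread.

```python
import ipaddress
import re
# Constructed sample in FreeRADIUS 'users' syntax (not the poster's file): the
# per-user entry with Framed-Route, which did not reach the client in the thread,
# and the authorization-policy entry whose ipsec:route-set items did work.
USERS_FILE = """\
user Cleartext-Password := "pass"
\tcisco-avpair += "ipsec:addr-pool=mypool",
\tFramed-Route += "192.168.69.0/24"

FlexVPN-Radius-Policy-1 Service-Type == Dialout-Framed-User, Auth-Type := Accept
\tService-Type = Outbound-User,
\tFramed-IP-Netmask = 255.255.255.0,
\tcisco-avpair += "ipsec:addr-pool=FlexVPN-Pool-1",
\tcisco-avpair += "ipsec:route-set=prefix 192.168.69.0/24",
\tcisco-avpair += "ipsec:route-set=prefix 192.168.71.0/24"
"""
# attribute, operator (== listed before =), then a quoted or bare value
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|!=|=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_users(text):
    """Return {entry: {'check': [(attr, op, val)], 'reply': [...]}}. A line in
    column 0 names an entry and carries its check items; the indented lines
    that follow are its comma-separated reply items."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            name, _, items = line.partition(' ')
            current = entries.setdefault(name, {'check': [], 'reply': []})
            target = current['check']
        elif current is None:
            raise ValueError('reply item before any entry: ' + line.strip())
        else:
            items, target = line, current['reply']
        for m in ITEM_RE.finditer(items):
            val = m.group(3) if m.group(3) is not None else m.group(4)
            target.append((m.group(1), m.group(2), val))
    return entries

def flexvpn_routes(entries, policy_name):
    """Prefixes the named policy entry returns as cisco-avpair
    'ipsec:route-set=prefix X'; strict=True rejects host bits or typos."""
    routes = []
    for attr, _, val in entries[policy_name]['reply']:
        if attr.lower() == 'cisco-avpair' and val.startswith('ipsec:route-set=prefix '):
            routes.append(str(ipaddress.ip_network(val.split()[1], strict=True)))
    return routes
```

Running `flexvpn_routes(parse_users(USERS_FILE), 'FlexVPN-Radius-Policy-1')` lists the two prefixes, while the per-user entry yields none, which matches what the client saw in the thread.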
10-08-2019 06:23 AM
Hi,
Glad to hear it's working. Instead of using a static authorisation policy and defining that as a user in RADIUS you could use a name-mangler in order to provide different authorisation attributes. Check out this link, it has several posts on authorisation with or without radius integration using the name-mangler feature.
HTH