Hi,
I'd never used radius for PSK authentication before, but was intrigued. I've spent sometime in my lab and got it working. In my lab the Hub authenticates itself to the spokes using a certificate but the spokes are authenticated using PSK which is via the radius server (ISE).
SPOKE
crypto ikev2 keyring KEYRING
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local Cisco1234
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
match certificate CERT_MAP
identity local fqdn BRANCH-1-RTR.lab.net
authentication local pre-share
authentication remote rsa-sig
keyring local KEYRING
pki trustpoint VPN_TP
dpd 10 2 on-demand
HUB
aaa new-model
aaa authorization network FLEX group ISE
aaa accounting network FLEX start-stop group ISE
!
crypto ikev2 name-mangler PSK
fqdn hostname
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn domain lab.net
identity local dn
authentication remote pre-share
authentication local rsa-sig
keyring aaa FLEX name-mangler PSK password Cisco1234
pki trustpoint VPN_TP
aaa authorization user psk list FLEX name-mangler PSK password Cisco1234
aaa accounting psk FLEX
virtual-template 1 mode auto
The name-mangler extracts the hostname in this instance BRANCH-1-RTR, this is sent in the radius packet and needs to be defined on ISE as a User Account with a password specified as Cisco1234 - this password is specified in the ikev2 profile above, the default password if not defined is cisco btw.
I then created an Authorization Profile with the following attribute - cisco-av-pair = ipsec:ikev2-password-remote=Cisco1234
The Authorization Policy rule matches on Calling Station ID (could match on the username previously defined) of the spoke router and returns the result of the Authorization Profile previously defined.
You create User accounts, Authorization Profile and Authorization Policy rules per spoke.
HTH
