03-23-2022 05:38 AM - edited 03-23-2022 05:55 AM
Hello,
We want to deploy Cisco AnyConnect VPN in HA that allows users to use a Yubico Security Key for 2-step verification. We want to deploy it on 2x ISR4331/K9 or 2x ISR4331/K9 with an SEC license. I cannot find much information on the internet about this topic, so I would be very thankful for any help with these questions:
1.) Is it possible to deploy on ISR platform?
2.) If we want to use two devices as Active-Passive, do we need double the amount of licenses for AnyConnect users?
3.) What other tools besides a RADIUS server and an Active Directory server are needed to deploy this solution?
4.) Do we need an AX license to use 2 VRFs (VRF Lite)?
03-23-2022 05:49 AM
@Adrian-PL IMO I wouldn't use an IOS-XE router as a Remote Access VPN headend device; the ASA or FTD are the best devices for that purpose.
Yes, you can use the router for Remote Access VPN in HA. The latest supported solution for that scenario is FlexVPN, though there is not as much information on FlexVPN configuration as there would be for the ASA or FTD.
You can configure FlexVPN to authenticate users via RADIUS, so it should integrate with your 2FA solution.
Reference guides: https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
You purchase licenses per unique user:
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html
03-23-2022 05:48 AM - edited 03-23-2022 05:54 AM
I do not believe that ISR can do remote VPN with stateful switchover (not that I have tested this).
Most people with this use case have used ASA or Firepower for this kind of solution.
ISR site-to-site VPN, yes: used and seen working as expected.