VPN with U2F 2 step verification ISR4000 Platform

Adrian-PL
Level 1

Hello,

 

We want to deploy Cisco AnyConnect VPN in HA that allows users to use a Yubico Security Key for 2-step verification. We want to deploy it on 2x ISR4331/K9 or 2x ISR4331/K9 with an SEC license. I cannot find much information on the internet about this topic, so I would be very thankful for any help with regard to these questions:

1.) Is it possible to deploy on ISR platform?

2.) If we want to use two devices as Active-Passive, do we need double the number of licenses for AnyConnect users?

3.) What other tools besides a RADIUS server and an Active Directory server are needed to deploy this solution?

4.) Do we need an AX license to use 2 VRFs (VRF Lite)?

  

 

 


Accepted Solutions

@Adrian-PL IMO I wouldn't use an IOS-XE router as a Remote Access VPN headend device; the ASA or FTD are the best devices for that purpose.

 

Yes, you can use the router for Remote Access VPN in HA; the latest supported solution for that scenario is FlexVPN, though there is not as much information on FlexVPN configuration as there would be for the ASA or FTD.

 

You can configure FlexVPN to authenticate users via RADIUS, so it should integrate with your 2FA solution.

 

Reference guides https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

You purchase licenses per unique user

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

 

 

 

 


balaji.bandi
Hall of Fame

I do not believe that the ISR can do remote VPN with stateful switchover (not that I have tested this).

 

Most people with this use case use ASA or Firepower for this kind of solution.

 

ISR site-to-site VPN, yes, I have used it and seen it working as expected.

 

BB
