Configuring FlexVPN external AAA with RADIUS

This post describes how to configure FlexVPN authorization using RADIUS AAA; ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. Each spoke router's certificate will have a value in the OU (organisational unit) field which identifies its location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will extract the OU value from the certificate and use it as the identity in the authorization request to the RADIUS server. The RADIUS server's authorization rules match on this location and return different values for each location.

This post will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; however, the following posts provide information on how to configure everything not covered here:

FlexVPN Hub-and-Spoke
FlexVPN with Certificate authentication

The following attribute-value (AV) pairs will be pushed to the spoke routers:

  • VRF
  • IP address assigned from a local IP address pool
  • IP address assigned by a DHCP server

Hub Configuration

AAA

aaa new-model
!
aaa authorization network FLEX group ISE
aaa accounting network FLEX start-stop group ISE
!
aaa server radius dynamic-author
 client 192.168.10.20 server-key Cisco1234
!
radius server ISE24
 address ipv4 192.168.10.20 auth-port 1645 acct-port 1646
 key Cisco1234
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 20 tries 2
radius-server deadtime 1
!
interface Loopback1
 description RADIUS Source
 ip address 172.16.2.1 255.255.255.0
!
aaa group server radius ISE
 server name ISE24
 ip radius source-interface Loopback1

VRF & Loopback Interfaces

ip vrf US
ip vrf UK
!
interface Loopback100
 description UK TUNNEL SOURCE
 ip vrf forwarding UK
 ip address 10.100.0.1 255.255.255.255
!
interface Loopback101
 ip vrf forwarding UK
 ip address 10.100.1.1 255.255.255.255
!
interface Loopback200
 description US TUNNEL SOURCE
 ip vrf forwarding US
 ip address 10.200.0.1 255.255.255.255
!
interface Loopback201
 ip vrf forwarding US
 ip address 10.200.1.1 255.255.255.255

Routing Protocol

The loopback interfaces need advertising into the routing protocol.

router eigrp EIGRP
 address-family ipv4 unicast vrf UK autonomous-system 1
  topology base
  exit-af-topology
  network 10.100.0.0 0.0.3.255
 exit-address-family
 address-family ipv4 unicast vrf US autonomous-system 1
  topology base
  exit-af-topology
  network 10.200.0.0 0.0.3.255
 exit-address-family
 address-family ipv4 unicast autonomous-system 1
  topology base
  exit-af-topology
  network 172.16.0.0
  network 192.168.251.0

Virtual-Template

It is important that the Virtual-Template is not configured with an IP address; the RADIUS server will instruct the Hub which Loopback to use as the source IP address per session (depending on which spoke it is authorising).

interface Virtual-Template2 type tunnel
 no ip address
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC_PROFILE 

IKEv2 Name Mangler

The name-mangler will extract the OU from the spoke router's certificate and use it as the identity for authorisation. This name-mangler is referenced in the IKEv2 Profile.

crypto ikev2 name-mangler NM
 dn organization-unit 

IKEv2 Profile with group authorization

Authorization can be configured per user or per group. In this instance we will only be authorizing per group. The aaa authorization command references the previously created AAA method list (FLEX) and the name-mangler (NM), and it will use the password Cisco1234. A local user account must be created on the RADIUS server with a username that matches the OU value and the password Cisco1234 (as specified in the configuration below). If no password is specified in the profile, the default password cisco is used.

crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 dpd 10 2 periodic
 aaa authorization group cert list FLEX name-mangler NM password Cisco1234
 aaa accounting cert FLEX
 virtual-template 1 mode auto 

VPN IP Address Pool

ip local pool VPN_POOL 172.16.0.10 172.16.0.254 

Spoke 1 Configuration

Spoke 1 will be configured as a branch router located in the UK; its certificate will be configured as below.

crypto pki trustpoint VPN_TP
 subject-name CN=branch-1.lab.net,OU=UK-Branch,O=LAB,ST=London,C=GB


AAA

aaa new-model
aaa authorization network FLEX local 

IKEv2 Authorisation Policy

crypto ikev2 authorization policy default
 route set interface 

IKEv2 Profile

The IKEv2 Profile references the method list (FLEX) and the IKEv2 Authorization Policy (default) in order to send its tunnel interface IP address to the Hub.

crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint VPN_TP
 dpd 10 2 on-demand
 aaa authorization group cert list FLEX default

Tunnel Interface

The tunnel interface will be configured to receive a tunnel IP address from a DHCP server.

interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.5
 tunnel protection ipsec profile IPSEC_PROFILE 

Loopback Interfaces

Loopback interfaces configured only to simulate networks behind spoke router.

interface Loopback2
 ip address 10.10.2.1 255.255.255.255
interface Loopback3
 ip address 10.10.3.1 255.255.255.255 

Routing Protocol

Advertisement of the loopback networks; there is no need for named EIGRP on the spoke.

router eigrp 1
 network 10.10.0.0 0.0.3.255
 network 172.16.0.0 

Spoke 2 Configuration

Spoke 2 will be configured as a branch router located in the US; its certificate will be configured as below.

crypto pki trustpoint VPN_TP
 subject-name CN=branch-2.lab.net,OU=US-Branch,O=LAB,ST=Florida,C=US


AAA

aaa new-model
aaa authorization network FLEX local 

IKEv2 Authorisation Policy

crypto ikev2 authorization policy default
 route set interface 

IKEv2 Profile

The IKEv2 Profile references the method list (FLEX) and the IKEv2 Authorization Policy (default) in order to send its tunnel interface IP address to the Hub.

crypto ikev2 profile IKEV2_PROFILE
 match certificate CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint VPN_TP
 dpd 10 2 on-demand
 aaa authorization group cert list FLEX default

Tunnel Interface

The tunnel interface will be configured to receive a tunnel IP address from a VPN Pool defined on the Hub.

interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.5
 tunnel protection ipsec profile IPSEC_PROFILE

Loopback Interfaces

Loopback interfaces configured only to simulate networks behind spoke router.

interface Loopback2
 ip address 10.20.2.1 255.255.255.255
interface Loopback3
 ip address 10.20.3.1 255.255.255.255

Routing Protocol

Advertisement of the loopback networks; there is no need for named EIGRP on the spoke.

router eigrp 1
 network 10.20.0.0 0.0.3.255
 network 172.16.0.0

ISE Configuration

Local User Accounts

A user account must be created for each location, in this scenario US-Branch and UK-Branch. The password will be set to Cisco1234, as specified in the IKEV2_PROFILE. If no password is specified in the IKEv2 profile then the default password cisco is sent in the RADIUS packet, so that password would have to be set when creating the user accounts instead.

  • Navigate to Administration > Identities > Users
  • Create users as required

Network Devices and Groups

  • Navigate to Administration > Network Device Groups
  • Create a new group called FlexVPN_Router, nest this under All Device Types
  • Navigate to Administration > Network Devices
  • Create a new Network Device
    • Add descriptive name for the Hub Router
    • Add IP address
    • Select Device Type as FlexVPN_Router
    • Tick RADIUS Authentication Settings
    • Specify the Shared Secret as specified in the AAA configuration on the Hub
    • Click Save when complete

Authorization Profiles

  • Navigate to Policy > Policy Elements > Authorization > Authorization Profiles
  • Create new Authorization Profiles as per the table below

Authorization Profile Name | Attribute Details
FlexVPN_UK                 | Access Type = ACCESS_ACCEPT
                           | cisco-av-pair = ip:interface-config=ip vrf forwarding UK
                           | cisco-av-pair = ip:interface-config=ip unnumbered loopback100
                           | cisco-av-pair = ipsec:group-dhcp-server=192.168.10.5
                           | cisco-av-pair = ipsec:dhcp-giaddr=172.16.1.1
FlexVPN_US                 | Access Type = ACCESS_ACCEPT
                           | cisco-av-pair = ip:interface-config=ip vrf forwarding US
                           | cisco-av-pair = ip:interface-config=ip unnumbered loopback200
                           | cisco-av-pair = ipsec:addr-pool=VPN_POOL
FlexVPN_Client             | Access Type = ACCESS_ACCEPT
                           | cisco-av-pair = ipsec:route-accept=any
                           | cisco-av-pair = ipsec:route-set=interface

NOTE – the Authorization Profile FlexVPN_Client is not strictly needed, as its attributes could be included in the other profiles; it is used here to show that multiple Authorization Profiles can be sent to a client and applied successfully.

Policy Sets

  • Navigate to Policy > Policy Set
  • Define a new Policy Set with a descriptive name, e.g. FlexVPN
  • Specify the Condition as:
    • DEVICE:Device Type EQUALS All Device Types#FlexVPN_Router
  • Create an Authentication Policy, specify Conditions and Use
  • Create an Authorization rule for UK-Branch
    • Define the Condition for UK-Branch: Network Access:Username CONTAINS UK-Branch
    • Define the Profiles for UK-Branch: FlexVPN_Client AND FlexVPN_UK
  • Repeat the procedure for the additional


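The authorization decision that the Hub and ISE make together, modelled in Python as an added example (this is not code from the post, the IOS name-mangler or ISE): parse the spoke's certificate subject DN, extract the OU the way `dn organization-unit` does, and evaluate the policy-set rules against the Authorization Profiles defined above. The profile contents, the usernames and the CONTAINS condition are taken from the post; the function names, the `EQUALS` alternative and the test DNs are this example's own assumptions.

```python
# Authorization Profiles as created on ISE (the post's table), keyed by
# profile name; each maps to the cisco-av-pairs ISE returns for it.
AUTHORIZATION_PROFILES = {
    "FlexVPN_UK": [
        "ip:interface-config=ip vrf forwarding UK",
        "ip:interface-config=ip unnumbered loopback100",
        "ipsec:group-dhcp-server=192.168.10.5",
        "ipsec:dhcp-giaddr=172.16.1.1",
    ],
    "FlexVPN_US": [
        "ip:interface-config=ip vrf forwarding US",
        "ip:interface-config=ip unnumbered loopback200",
        "ipsec:addr-pool=VPN_POOL",
    ],
    "FlexVPN_Client": [
        "ipsec:route-accept=any",
        "ipsec:route-set=interface",
    ],
}

# Authorization rules of the FlexVPN policy set, evaluated top down:
# (value the Network Access:Username is compared with, profiles applied on a match).
AUTHORIZATION_RULES = [
    ("UK-Branch", ["FlexVPN_Client", "FlexVPN_UK"]),
    ("US-Branch", ["FlexVPN_Client", "FlexVPN_US"]),
]


def parse_dn(dn):
    """Split "CN=a,OU=b,O=c" into (type, value) pairs (escaped commas are not handled)."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def name_mangler_ou(dn):
    """Model 'crypto ikev2 name-mangler NM / dn organization-unit': the OU becomes the User-Name."""
    ous = [value for attr_type, value in parse_dn(dn) if attr_type == "OU"]
    if len(ous) != 1:
        raise ValueError(f"expected exactly one OU, found {len(ous)}")
    return ous[0]


def authorize(username, operator="CONTAINS"):
    """Evaluate the policy set; return the merged av-pair list, or None when no rule matches
    (ISE then falls through to its default rule, i.e. Access-Reject for this design)."""
    for expected, profiles in AUTHORIZATION_RULES:
        if operator == "CONTAINS":
            matched = expected in username
        elif operator == "EQUALS":
            matched = expected == username
        else:
            raise ValueError(f"unsupported operator {operator!r}")
        if matched:
            av_pairs = []
            for profile in profiles:
                av_pairs.extend(AUTHORIZATION_PROFILES[profile])
            return av_pairs
    return None


def authorize_certificate(dn, operator="CONTAINS"):
    """End-to-end: certificate subject DN -> User-Name (name-mangler) -> cisco-av-pairs."""
    return authorize(name_mangler_ou(dn), operator)


if __name__ == "__main__":
    for dn in ("CN=branch-1.lab.net,OU=UK-Branch,O=LAB,ST=London,C=GB",
               "CN=branch-2.lab.net,OU=US-Branch,O=LAB,ST=Florida,C=US"):
        print(name_mangler_ou(dn), "->", authorize_certificate(dn))
```

Running the model shows why the operator matters: with CONTAINS, as used in the post, a certificate whose OU is NOT-UK-Branch also satisfies the UK-Branch rule and receives the UK VRF, whereas EQUALS only matches the exact username. Since every certificate issued by the trusted CA passes IKEv2 authentication, the authorization rule (together with the certificate map and the CA's issuance policy) is what actually keeps a spoke inside its own VRF, so the tighter comparison is the safer choice.
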
Verification

  • From the ISE logs you can confirm that the correct identity (UK-Branch or US-Branch) was sent to the RADIUS server (ISE) and which Authorization Profiles were sent to the client.

  • Enable RADIUS debugging on the Hub router (debug radius).
  • From the output you can confirm which authorization attributes were sent and received. You can see that the User-Name sent was derived from the OU attribute in the certificate (US-Branch) and that the Cisco AV-Pairs defined in the Authorization Profiles (VRF, Loopback and an IP address from the VPN_POOL) were sent to the spoke router.

  • The Tunnel interface IP address is within the range defined in the local pool on the Hub router.

  • The routing table only has the routes defined in the US VRF.
  • The spoke router can successfully ping the remote network.

  • From the debug of a UK-Branch spoke router we can see the difference in the configuration pushed from the RADIUS server.
  • We can see the correct User-Name derived from the OU in the certificate via the name-mangler.
  • The Cisco AV pairs are as before, except this time we can see the configured DHCP server and the source gateway address that were used.
  • We can see the IP address assigned to this router via Framed-IP-Address.

  • From the DHCP server itself, we can confirm the IP address was assigned. The source of the request is of course the Hub router (which is why the DHCP server registered the Hub's name); however, the IP address was assigned to the UK-Branch router branch-1.lab.net.

  • The routing table only has the routes defined in the UK VRF.
  • The spoke router can successfully ping the remote network.

  • Running show crypto ikev2 sa detailed on the Hub confirms:
    • Each individual tunnel ID with the usual encryption, integrity and authentication methods
    • The iVRF
    • Remote ID (from certificate authentication)
    • The assigned IP address

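What the debug radius output above is showing, on the wire, as an added example that is not from the original post: a Python encoder and decoder for the RADIUS Access-Accept the Hub receives, carrying Framed-IP-Address (attribute 8) and the Cisco vendor-specific attribute (attribute 26, vendor id 9, sub-type 1 is cisco-av-pair, one VSA per av-pair), together with the Response Authenticator check the Hub performs with the shared secret from the aaa configuration. The attribute strings come from the post's FlexVPN_UK and FlexVPN_Client profiles; the request authenticator, packet identifier and the assigned address 172.16.1.10 are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS constants (RFC 2865) and the Cisco VSA numbers.
ACCESS_ACCEPT = 2
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor sub-type that carries a cisco-av-pair string


def encode_attribute(attr_type, value):
    """Type-Length-Value encoding of one attribute; Length counts the T and L bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Each cisco-av-pair is its own Vendor-Specific attribute: Vendor-Id + one sub-TLV."""
    data = text.encode("ascii")
    sub_tlv = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub_tlv)


def encode_framed_ip(addr):
    return encode_attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(addr).packed)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """The check the NAS (the Hub) performs before acting on any pushed attribute."""
    if len(packet) < 20:
        return False
    header, response_auth, attributes = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def decode_attributes(attributes):
    """Walk the TLV list and return (name, value) tuples, unwrapping Cisco av-pairs."""
    decoded, offset = [], 0
    while offset < len(attributes):
        if len(attributes) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = attributes[offset], attributes[offset + 1]
        if length < 2 or offset + length > len(attributes):
            raise ValueError("bad attribute length")
        value = attributes[offset + 2:offset + length]
        if attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            decoded.append(("Framed-IP-Address", str(ipaddress.IPv4Address(value))))
        elif attr_type == USER_NAME:
            decoded.append(("User-Name", value.decode("ascii")))
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR and sub_len == len(value) - 4:
                decoded.append(("cisco-av-pair", value[6:].decode("ascii")))
            else:
                decoded.append(("Vendor-Specific", value))
        else:
            decoded.append((attr_type, value))
        offset += length
    return decoded


def demo_uk_branch_accept(secret=b"Cisco1234"):
    """Constructed Access-Accept for the UK-Branch spoke using the post's profile contents."""
    request_authenticator = bytes(range(16))   # constructed; a real NAS sends 16 random bytes
    attributes = (
        encode_framed_ip("172.16.1.10")         # constructed DHCP-assigned tunnel address
        + encode_cisco_avpair("ip:interface-config=ip vrf forwarding UK")
        + encode_cisco_avpair("ip:interface-config=ip unnumbered loopback100")
        + encode_cisco_avpair("ipsec:group-dhcp-server=192.168.10.5")
        + encode_cisco_avpair("ipsec:dhcp-giaddr=172.16.1.1")
        + encode_cisco_avpair("ipsec:route-accept=any")
        + encode_cisco_avpair("ipsec:route-set=interface")
    )
    packet = build_access_accept(7, request_authenticator, secret, attributes)
    return {
        "valid_with_correct_key": verify_response_authenticator(packet, request_authenticator, secret),
        "valid_with_wrong_key": verify_response_authenticator(packet, request_authenticator, b"Wrong1234"),
        "attributes": decode_attributes(packet[20:]),
    }


if __name__ == "__main__":
    for name, value in demo_uk_branch_accept().items():
        print(name, value)
```

The decoder makes two points that the debug output only hints at: every cisco-av-pair travels as a separate Vendor-Specific attribute rather than one long string, and the only thing binding those attributes to the Hub's request is an MD5 over the packet plus the shared secret (Cisco1234 in this post), so a mismatched or weak key, or an ISE reachable over an untrusted path, is what a reviewer should be checking when VRF or address assignment is pushed this way.
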
References

Additional RADIUS Attributes Values

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mt-book/sec-apx-flex-rad.pdf
