Configuring FlexVPN external AAA with RADIUS

This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. US-Branch or UK-Branch.  An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. Depending on matching on location in the Authorization rules the RADIUS server will return different values per location.
Continue reading “Configuring FlexVPN external AAA with RADIUS”

Advertisements

Configuring ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
enrollment terminal
crl nocheck

Continue reading “Configuring ASA AnyConnect IKEv2/IPSec VPN”

Configuring ASA AnyConnect SSL-VPN

This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a AAA server for authentication.

ISE Configuration

It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).

Define the ASA as a Network Device

  • Navigate to Administration > Network Resources > Network Devices
  • Create new by clicking Add and define the ASA
  • Specify the INSIDE interface IP address of the ASA
  • Tick the RADIUS Authentication Settings box
  • Specify a shared secret, this will need to match on the ASA configuration
  • Click Save


Continue reading “Configuring ASA AnyConnect SSL-VPN”

Configuring IKEv2 Crypto Map between IOS Router and ASA Firewall

This blog post will document the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS Router (v15.4) using a Pre-Shared Key (PSK).

Simple topology:


ASA Firewall Configuration

// Define IKEv2 Policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400

Continue reading “Configuring IKEv2 Crypto Map between IOS Router and ASA Firewall”

Configuring Cisco FlexVPN with Certificate authentication

The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN, refer to the previous blog posts list below.

The configuration used is based on the FlexVPN sVTI blog post below and has successfully enrolled for certificates on all routers. VPN connectivity has been established using PSK, the configuration below will convert from PSK to certificate authentication.

References

Requesting a certificate on Cisco IOS router using SCEP or manual enrolment
Configuring FlexVPN VTI and Hub-and-Spoke on Cisco routers

Configure FlexVPN for Certificate authentication

All certificates in this FlexVPN lab are signed by the CA called lab-PKI-CA

Run the command show crypto pki certificates to identify the issuer, in this instance lab-PKI-CA


Continue reading “Configuring Cisco FlexVPN with Certificate authentication”

Configuring Cisco IOS SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server, to provide authentication and authorization. For testing purposes group membership will be used to determined which RADIUS attributes will be pushed to the connecting client.

RADIUS Server Configuration

For authorization Admin users will be permitted to use split tunnel, these configuration settings will be controlled centrally and pushed to the clients if they pass authorization.

Step 1 – Define Network Device

Add the Router as a Network Device, ensure to enter the shared secret password, this must match the shared secret configured on the router.



Continue reading “Configuring Cisco IOS SSL-VPN with RADIUS”

Cisco ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure per user a static IP address and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the attribute in AD which is the” msRADIUSFramedIPAddress” value and assign to the client whenever they connect.

This blog post describes the steps to modify the configuration of ASA/ISE/AD and assumes the Cisco ASA is already properly configured and users can successfully authenticate using the AnyConnect VPN client and receive an IP address from the IP Address Pool. Cisco ISE is defined as the RADIUS Server with Active Directory defined as the External Identity Source.
Continue reading “Cisco ASA AnyConnect VPN with Static Client IP Address”