FlexVPN Remote Access VPN

In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN, using the same familiar commands as the S2S configuration. Remote Access VPN can use certificate authentication (mutual certificate authentication between the router and the AnyConnect client), EAP (MD5/MSCHAPv2) or AnyConnect EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate users against an Active Directory domain and authorize them based on AD group membership.

This post describes how to configure FlexVPN Remote Access VPN with aggregated authentication (double authentication): AD username/password combined with client certificate authentication. The basics of configuring FlexVPN Hub-and-Spoke and certificate authentication are not covered here; they have been described in previous posts:

Configuring ISE TACACS+

This blog post describes the configuration of Cisco ISE 2.4 TACACS+ (Device Administration) to authenticate and authorize administration of Cisco IOS devices. In this example Cisco ISE will be joined to the Active Directory domain (LAB.LOCAL), and domain group membership will determine the authorization for users.

ISE Configuration

Configure External Identity Source

Active Directory will be used as the identity source for authenticating users and retrieving their group membership.

  • Navigate to Administration > External Identity Sources > Active Directory
  • Click Add to configure a new AD Join Point
  • Join the ISE node to the domain, entering AD credentials when prompted
  • Click the Groups tab
  • Add the groups to be used for TACACS authentication/authorisation, e.g. Network Admin and Helpdesk Users
  • Click Save

FlexVPN external AAA with RADIUS

This post describes how to configure FlexVPN authorization using RADIUS AAA; ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. Each spoke router's certificate will carry a value in the OU (organisational unit) field that identifies its location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will be used to extract the OU value from the certificate and include it in the authorization request to the RADIUS server. The authorization rules on the RADIUS server match on this location value and return different attributes for each location.

ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (username/password and certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
enrollment terminal
crl nocheck

Cisco IOS Router SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as the RADIUS server to provide authentication and authorization. For testing purposes, group membership will determine which RADIUS attributes are pushed to the connecting client.

RADIUS Server Configuration

For authorization, Admin users will be permitted to use split tunnelling; these configuration settings are controlled centrally and pushed to the clients once they pass authorization.

Step 1 – Define Network Device

Add the router as a Network Device and enter the shared secret; this must match the shared secret configured on the router.

CCNP ROUTE 2.0: Telnet, VTY, AAA

Telnet to VTY Line

By default the VTY lines are configured with the command “login”:

line vty 0 4
 login

If you attempt to telnet to the device without a password set on the VTY line, you will get the error “Password required, but none set”. To fix this, configure a password under the VTY line with the command “password XXXXXX”.

line vty 0 4
 password XXXXXX
 login

Securing VTY lines on Cisco Router/Switches

It is best practice not only to control access to the VTY lines of a Cisco switch or router but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits management traffic only from a trusted source IP subnet.

Configure the Cisco device with a hostname and domain name

Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name lab.net

Generate an RSA key pair, which enables SSH, using a modulus larger than the default of 512 bits. Then configure the SSH version, time-out and authentication-retry settings:

3560-1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90
