In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN, using the same familiar commands as the S2S configuration. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect-EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate users against an Active Directory domain and authorize them depending on AD group membership.
This post will describe how to configure FlexVPN Remote Access VPN using aggregate authentication (double authentication): an AD username/password plus client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts.
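As an added example (not configuration from the original post), the hub-side pieces that implement the aggregate authentication described above: the client must present a certificate that chains to the router's trustpoint and then pass AnyConnect-EAP username/password authentication against RADIUS. Names are assumptions: trustpoint LAB_PKI, RADIUS server ISE-1 at 192.0.2.10, pool FLEX_POOL, the split-tunnel ACL, and GigabitEthernet1 as the uplink.

```cisco
! Added example, not from the original post. Assumed names: LAB_PKI, ISE-1 (192.0.2.10),
! FLEX_POOL, FLEX_SPLIT, GigabitEthernet1. Default IKEv2 proposal/policy are used.
aaa new-model
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS_SECRET
aaa group server radius ISE
 server name ISE-1
! EAP user authentication is a "login" list; group authorization is a "network" list
aaa authentication login FLEX_RA_AUTHEN group ISE
aaa authorization network FLEX_RA_AUTHOR local
!
ip local pool FLEX_POOL 10.10.10.1 10.10.10.254
ip access-list standard FLEX_SPLIT
 permit 192.168.0.0 0.0.255.255
!
crypto ikev2 authorization policy FLEX_RA_POLICY
 pool FLEX_POOL
 dns 192.168.1.53
 route set access-list FLEX_SPLIT
!
crypto ikev2 profile FLEX_RA
 ! AnyConnect identifies itself with this key-id by default
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 ! aggregate = client certificate (cert-request) AND AnyConnect-EAP username/password
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint LAB_PKI
 aaa authentication anyconnect-eap FLEX_RA_AUTHEN
 aaa authorization group anyconnect-eap list FLEX_RA_AUTHOR FLEX_RA_POLICY
 ! per-user attributes returned in the RADIUS Access-Accept override the group policy
 aaa authorization user anyconnect-eap cached
 virtual-template 10
!
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX_IPSEC
 set transform-set FLEX_TS
 set ikev2-profile FLEX_RA
!
interface Virtual-Template10 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC
```

The client side needs an AnyConnect profile that selects IPsec (`<PrimaryProtocol>IPsec</PrimaryProtocol>`) and EAP-AnyConnect as the IKE authentication method; the router can serve that profile with `crypto vpn anyconnect profile` and `anyconnect profile` under the IKEv2 profile. If the certificate check fails the user is never prompted for a password, so `debug crypto ikev2` (certificate validation) is the first thing to look at before `debug radius`.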
Continue reading “FlexVPN Remote Access VPN”
This blog post describes the configuration of Cisco ISE 2.4 TACACS+ (Device Administration) to authenticate and authorize administrative access to Cisco IOS devices. In this example Cisco ISE will be joined to the Active Directory domain (LAB.LOCAL), and domain group membership will determine what each user is authorized to do.
Configure External Identity Source
Active Directory will be used as the external identity source for both users and groups.
- Navigate to Administration > Identity Management > External Identity Sources > Active Directory
- Click Add to configure a new AD Join Point
- Join the ISE node to the domain, entering AD credentials when prompted
- Click the Groups tab
- Add the groups to be used for TACACS+ authentication/authorisation, e.g. Network Admin and Helpdesk Users
- Click Save
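The ISE steps above need a matching configuration on each IOS device. The following is an added example (not from the original post) of that device side, assuming an ISE policy service node at 192.0.2.10, shared secret TACACS_SECRET, Loopback0 as the source interface, and a local break-glass account named admin.

```cisco
! Added example, not from the original post. Assumed: ISE PSN 192.0.2.10,
! secret TACACS_SECRET, source interface Loopback0, local user "admin".
aaa new-model
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key TACACS_SECRET
aaa group server tacacs+ ISE_TACACS
 server name ISE-PSN1
ip tacacs source-interface Loopback0
!
! "local" is consulted only when ISE is unreachable, NOT when ISE rejects the user
aaa authentication login VTY_AUTHEN group ISE_TACACS local
aaa authorization exec VTY_AUTHOR group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY_AUTHOR group ISE_TACACS local if-authenticated
! send configuration-mode commands for authorization as well, not just exec commands
aaa authorization config-commands
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
!
! break-glass account used only in the fallback case; must be privilege 15 for "local" authorization
username admin privilege 15 secret <strong-password>
!
line vty 0 4
 login authentication VTY_AUTHEN
 authorization exec VTY_AUTHOR
 authorization commands 15 VTY_AUTHOR
 transport input ssh
```

Verify from the device before closing your existing session: `test aaa group ISE_TACACS <ad-user> <password> legacy` shows whether ISE accepts the credentials, and `debug tacacs` shows the shell authorization reply (privilege level and command set) returned by the matching ISE policy. Leave the console line on a local method so a TACACS+ outage cannot lock you out.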
Continue reading “Configuring ISE TACACS+”
This post will describe how to configure FlexVPN authorization using RADIUS AAA; ISE 2.4 will be used as the RADIUS server.
The Hub router will authenticate the spoke routers with RSA certificates. Each spoke router's certificate will carry a value in the OU (organisational unit) field that identifies its location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will extract the OU value from the certificate and use it as the username in the authorization request to the RADIUS server. The RADIUS authorization rules match on this location value and return different attributes per location.
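As an added example (not from the original post), the hub-side IKEv2 profile that performs the OU extraction described above and sends it to RADIUS as the username. Names are assumptions: trustpoint LAB_PKI, an existing RADIUS server group ISE, and an issuing CA whose common name is lab-ca.

```cisco
! Added example, not from the original post. Assumed names: LAB_PKI, RADIUS group ISE,
! issuing CA CN "lab-ca". The RADIUS group itself is configured as in any other AAA setup.
aaa new-model
aaa authorization network FLEX_AUTHOR group ISE
!
! Take the organisational unit (e.g. US-Branch) out of the peer certificate's subject DN
crypto ikev2 name-mangler OU_MANGLER
 dn organization-unit
!
! Only certificates issued by our own CA are allowed to match the profile
crypto pki certificate map SPOKE_CERT_MAP 10
 issuer-name co cn = lab-ca
!
crypto ikev2 profile FLEX_HUB
 match certificate SPOKE_CERT_MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint LAB_PKI
 ! RADIUS Access-Request User-Name = mangled OU value, e.g. "US-Branch"
 aaa authorization group cert list FLEX_AUTHOR name-mangler OU_MANGLER
 virtual-template 1
```

ISE sees an Access-Request whose User-Name is the OU string (the password the router sends for group authorization defaults to "cisco"; the `password` keyword on the `aaa authorization group` line overrides it), so the authorization rule can simply match on that name and return Cisco AV pairs such as `ipsec:addr-pool=US-POOL` or `ipsec:route-set=prefix 10.1.0.0/16`. Because the OU is trusted as an identity, the certificate map restricting the issuer matters: any certificate the trustpoint validates that also carries an OU of US-Branch would receive the US policy.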
Continue reading “FlexVPN external AAA with RADIUS”
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This post expands on that AnyConnect SSL-VPN configuration, adding support for IKEv2/IPsec and double authentication (username/password and certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
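As an added example (not from the original post), the IKEv2 and tunnel-group configuration that follows the key pair and trustpoint steps above, showing where the double authentication is switched on. Assumed names: trustpoint LAB_PKI, an existing AAA server group ISE, pool VPN_POOL, and an interface named outside.

```cisco
! Added example, not from the original post. Assumed: LAB_PKI, AAA group ISE, VPN_POOL, "outside".
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
! identity certificate presented to IKEv2 clients; client-services on 443 serves profiles/updates
crypto ikev2 remote-access trustpoint LAB_PKI
crypto ikev2 enable outside client-services port 443
!
ip local pool VPN_POOL 10.30.30.1-10.30.30.254 mask 255.255.255.0
group-policy GP_IKEV2 internal
group-policy GP_IKEV2 attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value VPN_POOL
!
tunnel-group TG_IKEV2 type remote-access
tunnel-group TG_IKEV2 general-attributes
 authentication-server-group ISE
 default-group-policy GP_IKEV2
tunnel-group TG_IKEV2 webvpn-attributes
 ! double authentication: RADIUS username/password AND a client certificate the ASA can validate
 authentication aaa certificate
 group-alias IKEV2-VPN enable
```

`authentication aaa certificate` lives under webvpn-attributes even though the session is IKEv2, because AnyConnect uses the same tunnel-group settings for both transports. The client must be told to use IPsec through its profile (`<PrimaryProtocol>IPsec</PrimaryProtocol>`); `show crypto ikev2 sa` and `show vpn-sessiondb anyconnect` confirm which protocol a connected session actually negotiated.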
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”
This post describes how to configure a Cisco IOS router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server to provide authentication and authorization. For testing purposes, group membership will determine which RADIUS attributes are pushed to the connecting client.
RADIUS Server Configuration
For authorization, Admin users will be permitted to use split tunnelling. These settings are controlled centrally and pushed to the clients that pass authorization.
Step 1 – Define Network Device
Add the router as a Network Device, making sure to enter the shared secret; it must match the shared secret configured on the router.
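As an added example (not from the original post), the router side that the ISE network device entry above pairs with: a WebVPN gateway and context whose authentication and authorization lists point at ISE, with a full-tunnel local policy so that split tunnelling only appears when RADIUS returns it. Assumed names: trustpoint LAB_PKI, ISE at 192.0.2.10, gateway address 203.0.113.1, pool SSLVPN_POOL.

```cisco
! Added example, not from the original post. Assumed: LAB_PKI, ISE 192.0.2.10,
! gateway IP 203.0.113.1, pool SSLVPN_POOL, shared secret RADIUS_SECRET (must match ISE).
aaa new-model
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS_SECRET
aaa group server radius ISE
 server name ISE-1
aaa authentication login WEBVPN_AUTHEN group ISE
aaa authorization network WEBVPN_AUTHOR group ISE
!
ip local pool SSLVPN_POOL 10.20.20.1 10.20.20.254
!
webvpn gateway SSLVPN_GW
 ip address 203.0.113.1 port 443
 ssl trustpoint LAB_PKI
 inservice
!
webvpn context SSLVPN
 gateway SSLVPN_GW
 aaa authentication list WEBVPN_AUTHEN
 aaa authorization list WEBVPN_AUTHOR
 policy group DEFAULT_POLICY
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc keep-client-installed
  ! no "svc split include" here: non-admin users get a full tunnel
 default-group-policy DEFAULT_POLICY
 inservice
```

In ISE, the authorization profile matched by the Admin group returns the Cisco AV pair `webvpn:split-include=192.168.0.0 255.255.0.0` (assumed internal range); users in other groups match a profile with no such attribute and keep the full tunnel. `show webvpn session context SSLVPN` on the router shows the attributes actually applied to each connected user, which is the quickest way to confirm the RADIUS rule matched the group you expected.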
Continue reading “Cisco IOS Router SSL-VPN with RADIUS”
Telnet to VTY Line
By default the VTY lines are configured with the command "login":
line vty 0 4
 login
If you attempt to telnet to the device without a password set on the VTY line, the connection is refused with the error "Password required, but none set". You must specify a password under the VTY line using the command "password XXXXXX":
line vty 0 4
 password XXXXXX
 login
Continue reading “CCNP ROUTE 2.0: Telnet, VTY, AAA”
It is best practice not only to control access to the VTY lines of a Cisco switch or router but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits management traffic only from a trusted source IP subnet.
Configure the Cisco device with a hostname and domain name
Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name lab.net
Generate the RSA key pair with a modulus stronger than the old default of 512 bits (SSH version 2 requires at least 768 bits; 2048 is the sensible minimum today), then configure the SSH version, timeout and retry settings.
3560-1(config)# crypto key generate rsa modulus 2048
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90
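As an added example (not from the original post) that ties this post to the Telnet/VTY one above: the default line-password Telnet configuration beside a hardened SSH-only version with the source ACL. Assumptions: management subnet 10.0.100.0/24, a local user netadmin, a platform whose VTY range is 0-15, and an IOS release new enough to support `ip ssh server algorithm`.

```cisco
! Added example, not from the original post. Assumed: mgmt subnet 10.0.100.0/24,
! local user "netadmin", VTY lines 0-15, recent IOS/IOS XE for the algorithm command.

! --- Before: shared line password over cleartext Telnet (the baseline from the Telnet post)
line vty 0 4
 password XXXXXX
 login
 transport input telnet

! --- After: SSHv2 only, per-user login, ACL-restricted, idle timeout, brute-force throttling
hostname 3560-1
ip domain-name lab.net
crypto key generate rsa label SSH_KEY modulus 2048
ip ssh rsa keypair-name SSH_KEY
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 90
! drop weak ciphers (newer IOS/IOS XE only)
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
service password-encryption
username netadmin privilege 15 secret <strong-password>
! quarantine the login process after 3 failures within 60 seconds
login block-for 120 attempts 3 within 60
!
ip access-list standard MGMT_ACL
 permit 10.0.100.0 0.0.0.255
 deny any log
!
! cover every VTY line, not only 0-4: an unprotected line 5-15 still accepts Telnet
line vty 0 15
 access-class MGMT_ACL in
 login local
 transport input ssh
 exec-timeout 10 0
 logging synchronous
```

Before logging out of the session you configured this from, open a second session with `ssh -l netadmin 3560-1` from a host inside 10.0.100.0/24 and confirm with `show ip ssh` (version 2, key size 2048) and `show users` that it landed on an SSH line. A Telnet attempt, or an SSH attempt from outside the ACL, should now fail and produce a log entry from the `deny any log` line.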
Continue reading “Securing VTY lines on Cisco Router/Switches”