Cisco, VPN

Configuring Cisco FlexVPN with Certificate authentication

The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN, refer to the previous blog posts list below.

The configuration used is based on the FlexVPN sVTI blog post below and has successfully enrolled for certificates on all routers. VPN connectivity has been established using PSK, the configuration below will convert from PSK to certificate authentication.

References

Requesting a certificate on Cisco IOS router using SCEP or manual enrolment
Configuring FlexVPN VTI and Hub-and-Spoke on Cisco routers

Configure FlexVPN for Certificate authentication

All certificates in this FlexVPN lab are signed by the CA called lab-PKI-CA

Run the command show crypto pki certificates to identify the issuer, in this instance lab-PKI-CA


Continue reading

Advertisements
Cisco

Cisco IOS Certificate Enrollment via SCEP or Manual enrollment

The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server to use for VPN authentication. A Windows Server must be configured as a Certificate Authority and with “Network Device Enrollment Service”. In the lab a Windows 2008 R2 server is configured as a Domain Controller, CA and NDES server – in production these roles would ideally located on separate servers.

Windows Server Configuration

Open the Certificate Templates Console
Right click to Duplicate the IPSec (Offline request) template
Select Windows Server 2008 Enterprise, click OK
Change the display name to IOSTemplate
Click Extensions
Click Application Policies
Click Edit and
add Client Authentication



Continue reading

Cisco, ISE

Using Device Sensor with Cisco ISE Profiling

The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using LLDP, CDP and DHCP protocols which other ISE Probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and then forwarded to ISE. The Device Sensor utilises the ISE RADIUS Probe that should be enabled as default, therefore no additional probes need enabling.
Continue reading

Cisco, ISE, VPN

Configuring Cisco IOS SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server, to provide authentication and authorization. For testing purposes group membership will be used to determined which RADIUS attributes will be pushed to the connecting client.

RADIUS Server Configuration

For authorization Admin users will be permitted to use split tunnel, these configuration settings will be controlled centrally and pushed to the clients if they pass authorization.

Step 1 – Define Network Device

Add the Router as a Network Device, ensure to enter the shared secret password, this must match the shared secret configured on the router.



Continue reading

Cisco, ISE, VPN

Cisco ASA AnyConnect VPN with Static Client IP Address

When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure per user a static IP address and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the attribute in AD which is the” msRADIUSFramedIPAddress” value and assign to the client whenever they connect.

This blog post describes the steps to modify the configuration of ASA/ISE/AD and assumes the Cisco ASA is already properly configured and users can successfully authenticate using the AnyConnect VPN client and receive an IP address from the IP Address Pool. Cisco ISE is defined as the RADIUS Server with Active Directory defined as the External Identity Source.
Continue reading

Cisco, ISE

Configuring Wired 802.1x/MAB Authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate the users and computer onto the AD domain.

The switch is already configured for VLAN, Routing etc and any device plugged into the switch will be able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).

Software/Hardware Used:
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)
Continue reading

Cisco, VPN

Configuring DMVPN Phase 3 Dual Hub

This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.

As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.

This post covers the following:

  • Front Door VRF
  • Crypto Keyring
  • Dual DMVPN Hub configuration
  • DMVPN Spoke configuration
  • DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
  • DMVPN Phase 3

The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.

The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.


Continue reading