FlexVPN Remote Access VPN

In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands as used to configure the S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect EAP. Authentication and Authorization can be performed by local AAA or external RADIUS, which can authenticate the users against Active Directory Domain and authorize depending on AD group membership.

This post will describe how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication) using AD username/password and client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:

Continue reading “FlexVPN Remote Access VPN”

Advertisements

FlexVPN external AAA with RADIUS

This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. US-Branch or UK-Branch.  An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. Depending on matching on location in the Authorization rules the RADIUS server will return different values per location.
Continue reading “FlexVPN external AAA with RADIUS”

Cisco IOS Router SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server, to provide authentication and authorization. For testing purposes group membership will be used to determined which RADIUS attributes will be pushed to the connecting client.

RADIUS Server Configuration

For authorization Admin users will be permitted to use split tunnel, these configuration settings will be controlled centrally and pushed to the clients if they pass authorization.

Step 1 – Define Network Device

Add the Router as a Network Device, ensure to enter the shared secret password, this must match the shared secret configured on the router.



Continue reading “Cisco IOS Router SSL-VPN with RADIUS”

Configuring Check Point Gaia with Windows NPS RADIUS Authentication

 

This post describes how to configure Check Point Gaia (R75.46) and Windows 2008 R2 NPS server to authenticate management access to the Check Point CLI or Web GUI. Please refer to the previous post to configure the Active Directory Groups and NPS Policies.

2 roles will be created in the Check Point Web GUI, one with Read Only permissions and another with Read Write. The NPS RADIUS Policy will match the Check Point roles to an Active Directory group and the members of these groups will be assigned the appropriate role when they login.

Continue reading “Configuring Check Point Gaia with Windows NPS RADIUS Authentication”

Configuring Check Point Security Management Server with RADIUS Authentication

 

This post describes how to configure Check Point Security Management Server to authenticate users against a Windows 2008 R2 NPS RADIUS Server.

 

Create Active Directory Groups

 

Create a new Active Directory group for administrators requiring Read/Write permissions e.g “Firewall Management RW”

Add users requiring Read/Write permissions to the new group

Create a new Active Directory group for administrators requiring Read/Only permissions e.g “Firewall Management RO”

Add users requiring Read/Only permissions to the new group

Continue reading “Configuring Check Point Security Management Server with RADIUS Authentication”

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create VLANs, define IP address and IP helper-address

VLAN 30

name “VLAN30”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Continue reading “Configuring Dynamic VLAN assignment on ProCurve switches”

Configuring 802.1x authentication on ProCurve Switches

802.1x is an open standards protocol, used for network clients on a user id basis. This post describes how to configure 802.1x on an HP ProCurve switch and authenticate against a Windows 2008 R2 NPS (RADIUS) server.

Open VLAN mode will be used, this involves creating an “Authorized” and “Un-Authorized” VLAN. Using Open VLAN temporarily ignores the ports static VLAN configuration and places the port in the “Un-Authorized” VLAN at which point the client will attempt authentication, if successful the port will dynamically place the port in the “Authorized” VLAN.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configuring the switch

Create the “Authorized” VLAN, define IP address and IP helper-address

VLAN 30

name “Auth”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

Create the “Un-Authorized” VLAN, define IP address and IP helper-address

VLAN 40

name “Un-Auth”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20


Continue reading “Configuring 802.1x authentication on ProCurve Switches”