Upload
lamthuan
View
962
Download
51
Embed Size (px)
Citation preview
FlexVPN: AnyConnect IKEv2 Remote Accesswith AnyConnect-EAP Contents
IntroductionPrerequisitesRequirementsComponents UsedBackground InformationConfigureAuthenticating and Authorizating users using the Local DatabaseAuthentication, Authorization and Accounting using a remote AAA serverNetwork DiagramHeadend configuration changesRadius Server configurationAnyConnect client profile configurationChange the default AnyConnect IKE identity(Optional)Bypass DownloaderCommunication flowIKEv2 and EAP exchangeVerifyTroubleshoot
Introduction
This document provides a sample configuration of how to configure an IOS/IOS-XE headend forremote access using AnyConnect IKEv2 and AnyConnect-EAP authentication method.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
IOS-XE release 3.15 (15.5(2)S) or later●
IOS release 15.5(2)T or later●
AnyConnect client version 3.0 or later●
Components Used
The information in this document is based on these software and hardware versions:
Cisco ASR1002-X running IOS XE 3.15●
AnyConnect client version 3.1.8009 running on Windows 7●
Cisco ACS server 5.3 (optional)●
The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, make sure that you understand the potential impact of any command.
Background Information
AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticatethe AnyConnect client using the Cisco proprietary AnyConnect-EAP method. Unlike standardbased Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC), EAP- Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAPpass-through mode. All EAP communication with the client terminates on the Flex Server and therequired session key used to construct the AUTH payload is computed locally by the Flex Server.The Flex Server has to authenticate itself to the client using certificates as required by theIKEv2 RFC.
Local user authentication is now supported on the Flex Server and remote authentication isoptional. This is ideal for small scale deployments with less number of remote access users and inenvironments with no access to an external Authentication, Authorization, and Accounting (AAA)server. However, for large scale deployments and in scenarios where per-user attributes aredesired it is still recommended to use an external AAA sever for authentication and authorization.The AnyConnect-EAP implementation permits the use of Radius or TACACS for remoteauthentication, authorization and accounting.
Configure
Authenticating and Authorizating users using the Local Database
Note: In order to authenticate users against the local database on the router, EAP needs tobe used. However, in order to use EAP, the local authentication method has to be rsa-sig, sothe router needs a proper certificate installed on it, and it can't be a self-signed certificate.
Sample configuration that uses local user authentication, remote user and group authorization andremote accounting.
AnyConnect-EAP specific configuration shown in bold
Step 1. Enable AAA, and configure authentication, authorization and accounting lists ( aaaattribute list is optional) and add a username to the local database:
aaa new-model
!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
aaa attribute list AAA-attr
attribute type interface-config "ip mtu 1300"
!
username test password cisco12
Step 2. Configure a trustpoint to obtain an ID certificate from a CA server (router can beconfigured as a CA as well):
crypto pki trustpoint IKEv2-TP
enrollment mode ra
enrollment url http://X.X.X.X:80/certsrv/mscep/mscep.dll
subject-name CN=vpn.example.com,OU=TAC,L=SanJose,C=US
revocation-check none
rsakeypair rsakey
Step 3. Define an IP local pool to assign addresses to AnyConnect VPN clients:
ip local pool ACPOOL 192.168.10.5 192.168.10.10
Step 4. Create an IKEv2 local authorization policy:
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
aaa attribute list AAA-attr
Step 5. Create desired IKEv2 proposal and policy:
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy IKEv2-pol
proposal IKEv2-prop1
Step 6. Create an IKEv2 profile for AnyConnect-EAP method of client authentication:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
Note: Configuring the remote authentication method before the local authentication methodwill be accepted by the CLI, but will not take effect on versions that do not have the fix for theenhancement request CSCvb29701, if the remote authentication method is eap. For theseversions, when configuring eap as the remote authentication method, ensure the localauthentication method is configured as rsa-sig first. This problem is not seen with any otherform of remote authentication method.
Note: On versions of code affected by CSCvb24236 , once remote authentication isconfigured before local authentication, the remote authentication method can no longer beconfigured on that device. Please upgrade to a version that has the fix for this code.
Step 7. Disable HTTP-URL based certificate lookup:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
Step 8. Define the encryption and hash algorithms used to protect data
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
Note: Refer this document to confirm whether your router hardware supports the NGEencryption algorithms (for example the example above has NGE algorithms). OtherwiseIPSec SA installation on the hardware will fail at the last stage of negotiation.
Step 9. Create an IPSec profile:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
Step 10. Configure a virtual-template (associate the template in the IKEv2 profile)
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
Authentication, Authorization and Accounting using a remote AAA server
Network Diagram
Headend configuration changes
Note:Refer to the above section for rest of the configuration.
aaa group server radius ACS
server name ACS
!
radius server ACS
address ipv4 172.16.1.2 auth-port 1645 acct-port 1646
key Cisco123!
!
aaa authentication login a-eap-authen group ACS
aaa authorization network a-eap-author group ACS
aaa accounting network a-eap-acc start-stop group ACS
!
crypto ikev2 name-mangler NM
eap suffix delimiter @
!
crypto ikev2 profile AnyConnect-EAP
aaa authentication anyconnect-eap a-eap-authen
aaa authorization group anyconnect-eap list a-eap-author <aaa-username>
aaa authorization user anyconnect-eap list a-eap-author name-mangler NM
aaa accounting anyconnect-eap a-eap-acc
Radius Server configuration
Step 1. Create an username (for user and/or group authentication and authorization), as shown inthe image:
Step 2. Configure Authorization policy, as shown in the image:
Step 3. Now add Radius attributes, as shown in the image:
Step 4. As shown in the image,create Access policy and associate Authorization policy.
AnyConnect client profile configuration
Configure the client profile using the AnyConnect Profile Editor as shown in the image:
The XML equivalent of the profile:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">false</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>vpn.example.com</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Note:AnyConnect uses '*$AnyConnectClient$*' as its default IKE identity of type key-id.However, this identity can be manually changed in the AnyConnect profile to matchdeployment needs. StandardAuthenticationOnly should be set to false when usingAnyConnect-EAP as shown in the image.
Change the default AnyConnect IKE identity(Optional)
If you don't want to use the default ike id used by the client, you can change the ike id in the clientprofile, however it also required the ike id to be changed under the ikev2 profile configured on theFlexvpn server.
Client profile:
<ServerList>
<HostEntry>
<HostName>vpn.example.com</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>false
<IKEIdentity>ANYCONNECT-IKEID</IKEIdentity>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
FlexServer configuration:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id ANYCONNECT-IKEID
This can also be set using the client profile editor:
Tip: When using the client profile editor, the ike ID can only be changed if StandardAuthentication is checked. This is a known issue and bug CSCva64390 has been filed toaddress this issue. In the meanwhile you can manually edit the xml file using any text editorso that the value for the attribute "StandardAuthenticationOnly" is set to false.
Bypass Downloader
Currently, the IOS and IOS-XE routers do not support XML profile downloads and AnyConnectpackage upgrades over HTTPS connection. The AnyConnect will try to download the latest XMLprofile from the headend and the connection will fail becase this capability is not supported on therouter. Therefore, it is mandatory to manually disable the downloader in theAnyConnectLocalPolicy.xml file on the user PC.The location of the file can be found under Change Local Policy Parameters Manually
Change BypassDownloader value to True.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd"
acversion="3.0.0592">
<FipsMode>false</FipsMode>
<BypassDownloader>true</BypassDownloader>
<RestrictWebLaunch>false</RestrictWebLaunch>
<StrictCertificateTrust>false</StrictCertificateTrust>
<EnableCRLCheck>false</EnableCRLCheck>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
<UpdatePolicy>
<AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
<AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
<AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
<AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
<AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
</UpdatePolicy>
</AnyConnectLocalPolicy>
It can be done either through manually editing of the file or by using AnyConnect Profile Editortool:
Communication flow
IKEv2 and EAP exchange