FlexVPN: AnyConnect IKEv2 Remote Access with ... - · PDF fileIntroduction This document provides a sample configuration of how to configure an IOS/IOS-XE headend for ... Cisco ACS

FlexVPN: AnyConnect IKEv2 Remote Accesswith AnyConnect-EAP Contents

IntroductionPrerequisitesRequirementsComponents UsedBackground InformationConfigureAuthenticating and Authorizating users using the Local DatabaseAuthentication, Authorization and Accounting using a remote AAA serverNetwork DiagramHeadend configuration changesRadius Server configurationAnyConnect client profile configurationChange the default AnyConnect IKE identity(Optional)Bypass DownloaderCommunication flowIKEv2 and EAP exchangeVerifyTroubleshoot

Introduction

This document provides a sample configuration of how to configure an IOS/IOS-XE headend forremote access using AnyConnect IKEv2 and AnyConnect-EAP authentication method.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

IOS-XE release 3.15 (15.5(2)S) or later●

IOS release 15.5(2)T or later●

AnyConnect client version 3.0 or later●

Components Used

The information in this document is based on these software and hardware versions:

Cisco ASR1002-X running IOS XE 3.15●

AnyConnect client version 3.1.8009 running on Windows 7●

Cisco ACS server 5.3 (optional)●

The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, make sure that you understand the potential impact of any command.

Background Information

AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticatethe AnyConnect client using the Cisco proprietary AnyConnect-EAP method. Unlike standardbased Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC), EAP- Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAPpass-through mode. All EAP communication with the client terminates on the Flex Server and therequired session key used to construct the AUTH payload is computed locally by the Flex Server.The Flex Server has to authenticate itself to the client using certificates as required by theIKEv2 RFC.

Local user authentication is now supported on the Flex Server and remote authentication isoptional. This is ideal for small scale deployments with less number of remote access users and inenvironments with no access to an external Authentication, Authorization, and Accounting (AAA)server. However, for large scale deployments and in scenarios where per-user attributes aredesired it is still recommended to use an external AAA sever for authentication and authorization.The AnyConnect-EAP implementation permits the use of Radius or TACACS for remoteauthentication, authorization and accounting.

Configure

Authenticating and Authorizating users using the Local Database

Note: In order to authenticate users against the local database on the router, EAP needs tobe used. However, in order to use EAP, the local authentication method has to be rsa-sig, sothe router needs a proper certificate installed on it, and it can't be a self-signed certificate.

Sample configuration that uses local user authentication, remote user and group authorization andremote accounting.

AnyConnect-EAP specific configuration shown in bold

Step 1. Enable AAA, and configure authentication, authorization and accounting lists ( aaaattribute list is optional) and add a username to the local database:

aaa new-model

!

aaa authentication login a-eap-authen-local local

aaa authorization network a-eap-author-grp local

!

aaa attribute list AAA-attr

attribute type interface-config "ip mtu 1300"

!

username test password cisco12

Step 2. Configure a trustpoint to obtain an ID certificate from a CA server (router can beconfigured as a CA as well):

crypto pki trustpoint IKEv2-TP

enrollment mode ra

enrollment url http://X.X.X.X:80/certsrv/mscep/mscep.dll

subject-name CN=vpn.example.com,OU=TAC,L=SanJose,C=US

revocation-check none

rsakeypair rsakey

Step 3. Define an IP local pool to assign addresses to AnyConnect VPN clients:

ip local pool ACPOOL 192.168.10.5 192.168.10.10

Step 4. Create an IKEv2 local authorization policy:

crypto ikev2 authorization policy ikev2-auth-policy

pool ACPOOL

aaa attribute list AAA-attr

Step 5. Create desired IKEv2 proposal and policy:

crypto ikev2 proposal IKEv2-prop1

encryption aes-cbc-256

integrity sha256

group 2

!

crypto ikev2 policy IKEv2-pol

proposal IKEv2-prop1

Step 6. Create an IKEv2 profile for AnyConnect-EAP method of client authentication:

crypto ikev2 profile AnyConnect-EAP

match identity remote key-id *$AnyConnectClient$*

authentication local rsa-sig

authentication remote anyconnect-eap aggregate

pki trustpoint IKEv2-TP

aaa authentication anyconnect-eap a-eap-authen-local

aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy

aaa authorization user anyconnect-eap cached

virtual-template 100

Note: Configuring the remote authentication method before the local authentication methodwill be accepted by the CLI, but will not take effect on versions that do not have the fix for theenhancement request CSCvb29701, if the remote authentication method is eap. For theseversions, when configuring eap as the remote authentication method, ensure the localauthentication method is configured as rsa-sig first. This problem is not seen with any otherform of remote authentication method.

Note: On versions of code affected by CSCvb24236 , once remote authentication isconfigured before local authentication, the remote authentication method can no longer beconfigured on that device. Please upgrade to a version that has the fix for this code.

Step 7. Disable HTTP-URL based certificate lookup:

https://tools.cisco.com/bugsearch/bug/CSCvb29701

https://tools.cisco.com/bugsearch/bug/CSCvb24236










Step 8. Define the encryption and hash algorithms used to protect data










Note: Refer this document to confirm whether your router hardware supports the NGEencryption algorithms (for example the example above has NGE algorithms). OtherwiseIPSec SA installation on the hardware will fail at the last stage of negotiation.

Step 9. Create an IPSec profile:










Step 10. Configure a virtual-template (associate the template in the IKEv2 profile)










Authentication, Authorization and Accounting using a remote AAA server

Network Diagram

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

Headend configuration changes

Note:Refer to the above section for rest of the configuration.

aaa group server radius ACS

server name ACS

!

radius server ACS

address ipv4 172.16.1.2 auth-port 1645 acct-port 1646

key Cisco123!

!

aaa authentication login a-eap-authen group ACS

aaa authorization network a-eap-author group ACS

aaa accounting network a-eap-acc start-stop group ACS

!

crypto ikev2 name-mangler NM

eap suffix delimiter @

!


aaa authentication anyconnect-eap a-eap-authen

aaa authorization group anyconnect-eap list a-eap-author <aaa-username>

aaa authorization user anyconnect-eap list a-eap-author name-mangler NM

aaa accounting anyconnect-eap a-eap-acc

Radius Server configuration

Step 1. Create an username (for user and/or group authentication and authorization), as shown inthe image:

Step 2. Configure Authorization policy, as shown in the image:

Step 3. Now add Radius attributes, as shown in the image:

Step 4. As shown in the image,create Access policy and associate Authorization policy.

AnyConnect client profile configuration

Configure the client profile using the AnyConnect Profile Editor as shown in the image:

The XML equivalent of the profile:

<?xml version="1.0" encoding="UTF-8"?>

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

<ClientInitialization>

<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>

<ShowPreConnectMessage>false</ShowPreConnectMessage>

<CertificateStore>All</CertificateStore>

<CertificateStoreOverride>false</CertificateStoreOverride>

<ProxySettings>Native</ProxySettings>

<AllowLocalProxyConnections>false</AllowLocalProxyConnections>

<AuthenticationTimeout>12</AuthenticationTimeout>

<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>

<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>

<LocalLanAccess UserControllable="true">false</LocalLanAccess>

<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>

<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>

<AutoReconnect UserControllable="false">true

<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>

</AutoReconnect>

<AutoUpdate UserControllable="false">false</AutoUpdate>

<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

<AutomaticVPNPolicy>false</AutomaticVPNPolicy>

<PPPExclusion UserControllable="false">Automatic

<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>

</PPPExclusion>

<EnableScripting UserControllable="false">false</EnableScripting>

<EnableAutomaticServerSelection UserControllable="true">false

<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>

<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>

</EnableAutomaticServerSelection>

<RetainVpnOnLogoff>false

</RetainVpnOnLogoff>

<AllowManualHostInput>true</AllowManualHostInput>

</ClientInitialization>

<ServerList>

<HostEntry>

<HostName>vpn.example.com</HostName>

<HostAddress>vpn.example.com</HostAddress>

<PrimaryProtocol>IPsec</PrimaryProtocol>

</HostEntry>

</ServerList>

</AnyConnectProfile>

Note:AnyConnect uses '*$AnyConnectClient$*' as its default IKE identity of type key-id.However, this identity can be manually changed in the AnyConnect profile to matchdeployment needs. StandardAuthenticationOnly should be set to false when usingAnyConnect-EAP as shown in the image.

Change the default AnyConnect IKE identity(Optional)

If you don't want to use the default ike id used by the client, you can change the ike id in the clientprofile, however it also required the ike id to be changed under the ikev2 profile configured on theFlexvpn server.

Client profile:

<ServerList>

<HostEntry>

<HostName>vpn.example.com</HostName>

<HostAddress>vpn.example.com</HostAddress>

<PrimaryProtocol>IPsec

<StandardAuthenticationOnly>false

<IKEIdentity>ANYCONNECT-IKEID</IKEIdentity>

</StandardAuthenticationOnly>

</PrimaryProtocol>

</HostEntry>

</ServerList>

FlexServer configuration:


match identity remote key-id ANYCONNECT-IKEID

This can also be set using the client profile editor:

Tip: When using the client profile editor, the ike ID can only be changed if StandardAuthentication is checked. This is a known issue and bug CSCva64390 has been filed toaddress this issue. In the meanwhile you can manually edit the xml file using any text editorso that the value for the attribute "StandardAuthenticationOnly" is set to false.

Bypass Downloader

Currently, the IOS and IOS-XE routers do not support XML profile downloads and AnyConnectpackage upgrades over HTTPS connection. The AnyConnect will try to download the latest XMLprofile from the headend and the connection will fail becase this capability is not supported on therouter. Therefore, it is mandatory to manually disable the downloader in theAnyConnectLocalPolicy.xml file on the user PC.The location of the file can be found under Change Local Policy Parameters Manually

Change BypassDownloader value to True.

<?xml version="1.0" encoding="UTF-8"?>

<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd"

acversion="3.0.0592">

<FipsMode>false</FipsMode>

<BypassDownloader>true</BypassDownloader>

<RestrictWebLaunch>false</RestrictWebLaunch>

<StrictCertificateTrust>false</StrictCertificateTrust>

<EnableCRLCheck>false</EnableCRLCheck>

<RestrictPreferenceCaching>false</RestrictPreferenceCaching>

<ExcludePemFileCertStore>false</ExcludePemFileCertStore>

https://tools.cisco.com/bugsearch/bug/CSCva64390

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html#ID-1430-0000032f

<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>

<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>

<UpdatePolicy>

<AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>

<AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>

<AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>

<AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>

<AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>

</UpdatePolicy>

</AnyConnectLocalPolicy>

It can be done either through manually editing of the file or by using AnyConnect Profile Editortool:

Communication flow

IKEv2 and EAP exchange

Documents

FlexVPN: AnyConnect IKEv2 Remote Access with ... - · PDF fileIntroduction This document provides a sample configuration of how to configure an IOS/IOS-XE headend for ... Cisco ACS