- Silver, 250 points or more
I am configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in [email protected] format.
home Cleartext-Password := "cisco"
Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
Framed-Pool = "CUST-A-POOL"
[email protected] Cleartext-Password := "test123"
Group and user authorization information is then merged and cloned onto the virtual template:
crypto ikev2 name-mangler EXTRACT-GROUP
eap suffix delimiter @
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
match fvrf IPSEC-FVRF
match identity remote key-id FlexAnyConnect
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint cacert.org
dpd 60 2 on-demand
aaa authentication eap FlexVPN-AuthC-List1
aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
aaa authorization user eap cached
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel vrf IPSEC-FVRF
tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
*Aug 16 21:36:39.384 BST: RADIUS: Framed-IP-Pool  13 "CUST-A-POOL"
However, the crypto debugs state that an IP address cannot be assigned:
*Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
ipsec:addr-pool or ipsec:ipv6-addr-pool