IKEv2 AnyConnect and Pool allocation via RADIUS

Aug 16th, 2013

I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing usernames and the IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.


E.g. in FreeRADIUS (2.1.12), the following is defined (home is the 'group') in [email protected] format:


home                    Cleartext-Password := "cisco"
                        Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                        Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                        Framed-Pool = "CUST-A-POOL"

[email protected]       Cleartext-Password := "test123"



Group and user authorization information is then merged and cloned onto the virtual template:


crypto ikev2 name-mangler EXTRACT-GROUP
 eap suffix delimiter @
!
crypto ikev2 profile FlexVPN-IKEv2-Profile-1
 match fvrf IPSEC-FVRF
 match identity remote key-id FlexAnyConnect
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint cacert.org
 dpd 60 2 on-demand
 aaa authentication eap FlexVPN-AuthC-List1
 aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
 aaa authorization user eap cached
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel vrf IPSEC-FVRF
 tunnel protection ipsec profile FlexVPN-IPsec-Profile-1


However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:


*Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"



However, the crypto debugs state that an IP address cannot be assigned:


*Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
<snip>
Payload contents:
 AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)



If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?


Cheers,

Matt

Correct Answer by Marcin Latosiewicz about 3 years 12 months ago
mmelbourne Mon, 08/19/2013 - 12:06

Marcin,


Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"); it was, however, possible to paste the Bug ID into the old Bug Toolkit to get the detail.


As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").


Cheers,

Matt
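For reference, here is the FreeRADIUS users-file entry with the change the thread settles on, written as an added example rather than configuration taken from the thread: the IETF Framed-Pool reply attribute (which the IKEv2 debugs showed being ignored) is replaced by the Cisco AV pair ipsec:addr-pool, and the split-tunnel workaround from CSCud65859 is added as ipsec:route-set. The pool name, VRF, loopback and the 10.10.0.0/16 prefix are assumptions for illustration.

```text
# FreeRADIUS 2.x "users" file (added example, not the original poster's config)
# Group entry: the name-mangler strips "user@" so the NAS authorizes as "home".
home                    Cleartext-Password := "cisco"
                        # Place the Virtual-Access interface into the customer iVRF
                        Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                        Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                        # Pool assignment that FlexVPN/IKEv2 actually honours.
                        # CUST-A-POOL must already exist on the NAS
                        # (ip local pool CUST-A-POOL <start> <end>, values assumed).
                        Cisco-AVPair += "ipsec:addr-pool=CUST-A-POOL",
                        # Split tunnel instead of include-local-lan (CSCud65859 workaround);
                        # 10.10.0.0/16 is an assumed example prefix.
                        Cisco-AVPair += "ipsec:route-set=prefix 10.10.0.0/16"

# Per-user entry: only the credential, everything else is inherited from the group.
[email protected]       Cleartext-Password := "test123"
```

If the debugs still show "Failed to allocate IP addr" after this change, check that the pool name in the AV pair matches the NAS-side ip local pool exactly, since the name is passed through verbatim.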
