Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1425
Views
5
Helpful
2
Replies

IKEv2 AnyConnect and Pool allocation via RADIUS

Go to solution
mmelbourne
Level 5
Level 5

‎08-16-2013 01:50 PM - edited ‎02-21-2020 07:05 PM

I am configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.

e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.

home                    Cleartext-Password := "cisco"

                             Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",

                             Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",

                              Framed-Pool = "CUST-A-POOL"

matt@home               Cleartext-Password := "test123"

Group and user authorization information is then merged and cloned onto the virtual template:

crypto ikev2 name-mangler EXTRACT-GROUP

eap suffix delimiter @

!

crypto ikev2 profile FlexVPN-IKEv2-Profile-1

match fvrf IPSEC-FVRF

match identity remote key-id FlexAnyConnect

identity local dn

authentication remote eap query-identity

authentication local rsa-sig

pki trustpoint cacert.org

dpd 60 2 on-demand

aaa authentication eap FlexVPN-AuthC-List1

aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP

aaa authorization user eap cached

virtual-template 1

!

interface Virtual-Template1 type tunnel

no ip address

tunnel mode ipsec ipv4

tunnel vrf IPSEC-FVRF

tunnel protection ipsec profile FlexVPN-IPsec-Profile-1

However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:

*Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"

However, the crypto debugs state that an IP address cannot be assigned:

*Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr

<snip>

Payload contents:

AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)

If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?

Cheers,

Matt

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎08-19-2013 08:18 AM

Matt,

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty98153

Send:

ipsec:addr-pool
or
ipsec:ipv6-addr-pool

M.

0 Helpful

Go to solution
mmelbourne
Level 5
Level 5
In response to Marcin Latosiewicz

‎08-19-2013 12:06 PM

Marcin,

Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.

As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").

Cheers,

Matt

Customers Also Viewed These Support Documents