With the release of AnyConnect (AC) 3.0 on mobile devices we have the chance to connect any smartphone to an IKEv2 FlexVPN headend.
AC 3.0 has been released for Apple.
Release notes are available here:
AnyConnect on a smart device integrates seamlessly with a FlexVPN headend without any tweaking on the router.
Per RFC 5996, if we use EAP to authenticate a client, the hub MUST be authenticated by providing a certificate.
The underlying reason is the following:
If we were using a PSK instead and one person had access to the client and to the headend infrastructure, by using ARP poisoning he could impersonate the hub and then decode the user password.
By using a certificate we avoid this situation.
! RADIUS definition: when EAP is configured, the router simply proxies the EAP request to a RADIUS server.
! Working RADIUS servers: Cisco ACS [EAP-MD5], Cisco ISE [EAP-MSCHAP-V2, EAP-MD5, EAP-GTC], Microsoft Radius [EAP-MSCHAP-V2], Linux FreeRADIUS [EAP-MD5/EAP-GTC/EAP-MSCHAP-V2]
aaa group server radius freeradius
 server-private 172.16.0.254 auth-port 1812 acct-port 1813 key cisco123
aaa authentication login win7 group freeradius
aaa accounting network default start-stop group freeradius
! Definition of the local certificate trustpoint.
! Here I'm using enrollment terminal since I want to select the Web Server template from the Microsoft Windows 2008 CA. SCEP gives access to the IKE Intermediate template, which is not suitable.
crypto pki trustpoint anyconnect
 enrollment terminal
 rsakeypair flexanyconnect 2048
crypto pki certificate chain anyconnect
 certificate ca 77E790F86C3BAD9647633D8428015203
! Integrity SHA-1 is required by AnyConnect to properly select the right PRF
crypto ikev2 proposal myprop
 integrity sha1
crypto ikev2 policy mypol
 match fvrf any
 proposal myprop
! IKEv2 profile definition matching the IKE identity defined on the client
crypto ikev2 profile default
 match identity remote key-id anyconnect_remote_access
 match identity remote key-id cisco.com
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 dpd 60 2 on-demand
 aaa authentication eap win7
 aaa authorization user eap cached
 aaa accounting eap default
 virtual-template 1
! Local authentication is rsa-sig / remote is EAP, so we need to query the remote identity.
! The PKI trustpoint must be anchored in the profile as a security measure; without it we can't select our certificate.
! Accounting is important if the RADIUS server provides the pool IP address.
! "aaa authorization user eap cached" loads the attributes received from the RADIUS server during the EAP authentication [e.g. IP, IKE routing, ...]
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
crypto ipsec profile default
 set ikev2-profile default
! Loopback used as the virtual template's ip unnumbered source
interface Loopback0
 description VT source interface
 ip address 10.0.0.1 255.255.255.255
! Addresses of the other router interfaces (LAN and Internet-facing side; interface names omitted)
 ip address 192.168.100.1 255.255.255.0
 ip address 172.16.0.1 255.255.255.0
! The virtual template does not need a tunnel source [not required]
! ip unnumbered to the loopback is required
! tunnel mode ipsec ipv4 is needed for AnyConnect
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
ip local pool mypool 192.168.200.1 192.168.200.254
ip route 0.0.0.0 0.0.0.0 172.16.0.254 name route_to_internet
access-list 99 permit any
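As an added example (not code from the original post), a small Python audit that checks an IOS configuration against the profile rules described above: when remote authentication is EAP, the hub must authenticate with rsa-sig, anchor a pki trustpoint and reference an aaa authentication eap list. The two sample configurations are constructed for the check.

```python
import re

# Constructed sample configs (not from the original post): a profile that
# breaks the rules above and one that follows them.
BAD_CONFIG = """\
crypto ikev2 profile weak
 match identity remote key-id cisco.com
 authentication remote eap query-identity
 authentication local pre-share
 keyring local mykeys
"""
GOOD_CONFIG = """\
crypto ikev2 profile default
 match identity remote key-id cisco.com
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint anyconnect
 aaa authentication eap win7
"""


def parse_profiles(config):
    """Collect the indented sub-commands of every 'crypto ikev2 profile' block."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 profile (\S+)\s*$", line)
        if m:
            current = m.group(1)
            profiles[current] = []
        elif current is not None and line.startswith(" "):
            profiles[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return profiles


def audit_profile(cmds):
    """Findings for one profile; an empty list means it passes."""
    if not any(c.startswith("authentication remote eap") for c in cmds):
        return []  # the checks below only apply to EAP-authenticated clients
    findings = []
    if "authentication local rsa-sig" not in cmds:
        findings.append("hub not authenticated with rsa-sig: RFC 5996 requires a certificate when clients use EAP")
    if not any(c.startswith("pki trustpoint ") for c in cmds):
        findings.append("no 'pki trustpoint' anchored: the hub certificate cannot be selected")
    if not any(c.startswith("aaa authentication eap ") for c in cmds):
        findings.append("no 'aaa authentication eap' list: EAP cannot be proxied to RADIUS")
    return findings


def audit_config(config):
    """Audit every IKEv2 profile in an IOS configuration."""
    return {name: audit_profile(cmds) for name, cmds in parse_profiles(config).items()}
```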
In this example RADIUS is provided by a Linux PC running FreeRADIUS.
RADIUS is providing the following (entry in the FreeRADIUS users file):
cisco Cleartext-Password := "cisco"
        Framed-IP-Address = 172.16.1.1,
        Service-Type = Framed-User,
        Service-Type = Login,
Upgrade or install AnyConnect from your vendor's app store. The configuration is really simple; it's just a matter of a few fields to fill in.
First of all, you have to install the CA certificate in your trusted profile. The easiest way is to access that CA certificate via HTTP.
When we download the CA cert, we are prompted to enter the PIN and the CA certificate is installed on the smart device.
Adding the connection is a very easy operation: either add the IP or the DNS name you will connect to.
Remember, if it's an IP, then you need a SAN field in your router certificate that matches the DNS reverse resolution the client will do when connecting.
If it's a valid DNS name, then it needs to match the CN of the router certificate or at least a SAN field of the same certificate.
Self-signed certs are NOT working.
Turn on "Connect with IPSEC".
Change the authentication from "EAP-Anyconnect" [which is ASA specific] to EAP-MD5 / GTC / MSCHAP-V2 depending on the RADIUS infrastructure you have in house. Here in my example, I will use EAP-MD5.
The IKE identity must match one of the key-ids configured in the IKEv2 profile; in our case it's "cisco.com".
During the negotiation, AnyConnect will prompt for username and password.
That user will be checked against the RADIUS server using the EAP framework.
At this stage, the router is forwarding the requests back and forth between AnyConnect and the RADIUS server.
As soon as the ACCESS-ACCEPT has been received by the router [from the RADIUS server], the router will parse the attributes and provide the required IP / IKE routing / other parameters both to the client and to the virtual-access interface that has been created on the router.
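The certificate requirements from the client setup above (no self-signed certificate; an IP needs a matching SAN, a DNS name needs a matching CN or SAN), as an added pre-deployment check that is not part of the original post. It works on the dict layout Python's ssl.getpeercert() returns, the sample certificates are constructed, and the reverse-DNS result is passed in by the caller so it runs offline; accepting a SAN iPAddress equal to the typed IP is my assumption, not something the post states.

```python
import ipaddress

# Constructed sample certificates (not from the original post), in the
# dict layout returned by ssl.getpeercert().
CA_ISSUED = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.1")),
}
SELF_SIGNED = {
    "subject": ((("commonName", "router"),),),
    "issuer": ((("commonName", "router"),),),
    "subjectAltName": (),
}


def cert_names(cert):
    """Extract the CN, SAN dNSName and SAN iPAddress values from a cert dict."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    return {"cn": [c.lower() for c in cn],
            "dns": [v.lower() for k, v in san if k == "DNS"],
            "ip": [v for k, v in san if k == "IP Address"]}


def headend_cert_problems(server, cert, reverse_name=None):
    """Problems AnyConnect would hit with this headend certificate (empty list = OK).
    server: what the user types in the client; reverse_name: PTR result for an IP."""
    problems = []
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed certificate: AnyConnect will not accept it")
    names = cert_names(cert)
    try:
        ipaddress.ip_address(server)
        by_ip = True
    except ValueError:
        by_ip = False
    if by_ip:
        # Connecting by IP: the post requires a SAN matching the reverse lookup;
        # a SAN iPAddress equal to the typed IP is accepted too (assumption).
        if server not in names["ip"] and (reverse_name or "").lower() not in names["dns"]:
            problems.append(f"no SAN entry matches {server} or its reverse DNS name")
    else:
        # Connecting by name: the CN or a SAN dNSName must match exactly.
        if server.lower() not in names["cn"] + names["dns"]:
            problems.append(f"{server} matches neither the CN nor a SAN of the certificate")
    return problems
```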
FlexVPN is a modular VPN framework that simplifies design and deployment.
This is the next generation solution.
If you have any questions, please feel free to comment.
CCIE Security #20306
TAC Escalation VPN - Brussels
Great post. Can you btw tell me how to get EAP-GTC to work in ACS?
And do you know if I can integrate ACS with an LDAP identity store if I use EAP-GTC as the authentication mechanism?
Again, great post and thanks a lot.
Thanks for your feedback.
My bad. EAP-GTC is not implemented as a RADIUS Phase I method, just as an inner method. I will update the document.
It seems ISE supports more protocols:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html [table 5-1]
No problem at all. I was hoping that I had missed something. I have also tried to get EAP-GTC working with ISE but without any luck, so I am beginning to suspect that EAP-GTC is only supported as an inner method in ISE.
Could be - I have never used ISE so far.
Thanks for doing this great post.
Just have a small question: how can we enable split tunnel in this scenario?
Thanks for your comments.
FlexVPN / AnyConnect supports split tunneling.
If your policy is on the RADIUS server, then you would add the following setting:
Cisco-AVPair += "ipsec:route-set=prefix 10.0.0.0/8"
[Assuming you want to tunnel ONLY traffic to 10/8]
If your policy is local, then you would add the following attribute under your local authorization policy:
route set access-list <..>
The ACL will contain the destination networks you want to reach from the client.
Great post Olivier,
I have a question. Do you need any license on the headend? I have an ASR1000 router and I would like to implement this solution.
Thanks in advance.
The only platforms where licensing is required (ASR1001 or ASR1002-X) just require the 'normal' IPsec license.