This document provides configuration guidance for users of Cisco IOS® SSL VPN. This feature is designed to terminate SSL VPN connections on Cisco IOS Software-based routers (Cisco 1800, 2800, 3700, 3800, 7200, and 7301). SSL VPN is comparable to and complements the popular IP Security (IPsec) remote-access VPN.
The testing was performed at the NSITE lab in Research Triangle Park, North Carolina (RTP) on the devices defined above. The objective of the testing was to configure and test interaction of Cisco IOS SSL VPN with authentication, authorization, and accounting (AAA) policies using the authentication domain setup. This is typically used by a provider offering the Cisco IOS SSL VPN service to enterprise customers for their SSL VPN termination.
Advantage: The primary advantage of the AAA authentication domain is that the provider can keep its user list in "user@domain" form. If the same username exists in two different VPNs, the domain configured on the WebVPN context is appended automatically, producing a distinct "user@domain" for each context. This is comparable to the Group Lock feature in IPsec. Because the @domain is always appended, a user provisioned only as user@cisco cannot authenticate to a context that sends user@linksys, even if the bare username is the same, which gives better security and manageability for the VPN.
Note: All Cisco IOS SSL VPN/WebVPN features are included in a single, cost-effective license, which is purchased separately. You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com configuration tool. If you already have a router, use the following SKUs to order the license: FL-WEBVPN-10-K9=; FL-WEBVPN-25-K9=; FL-WEBVPN-100-K9=. Check the Data Sheet to find the maximum supported users for your platform.
This configuration guide is intended for customers and partners deploying smaller SSL VPN installations, and provides configuration guidelines and best practices for them.
3. Network Topology
Figure 1 shows the network topology of the Cisco IOS SSL VPN with the AAA server.
Figure 1. Cisco IOS SSL VPN Topology with AAA Server
4. Basic Configurations
4.1 Global AAA Configuration
! The RADIUS server is located at 188.8.131.52 on the management LAN.
The authentication configuration above has a weakness: the user list on the AAA server is shared by all contexts. If both contexts use the same authentication list and the AAA server holds a user "labuser", that user can log in to either context, which is a security hole when the contexts belong to different customers.
There is a simple way to close this gap with authentication domains. The username entered by the VPN user is concatenated with the string specified in the context's authentication domain command, and the combined string is what is sent to the AAA server.
Note: The AAA server must be able to handle the domain-suffixed username. Typically this means creating the users on the AAA server with the domain appended to the username (for example, "labuser@cisco"). Refer to the documentation for your AAA server for the details of configuring this.
Now, the context vpn1 has the authentication domain "@cisco". When a user logs into that context, the username sent to AAA is "<user>@cisco". If the same user "<user>" logs into context vpn2 instead, the username sent is "<user>@linksys", which is a different AAA account, so the password will not match.
Note: The configurations above do not include virtual routing and forwarding (VRF) on the contexts. If you need to use internal VRF instances, add the command "vrf-name vrf-name" to the context configuration. If the internal network belongs to a service provider, or VRF-aware RADIUS server groups are used, you may have to apply a VRF to the context.
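As an added example (not part of the original guide), the following shows how the two contexts described above can be configured so that each appends its own domain to the username before it reaches the RADIUS server. The list name ssl_global, the contexts vpn1 and vpn2 and the domains @cisco and @linksys follow the text; the RADIUS address 192.0.2.10, the shared secret, the server-group name ssl_radius, the gateway name gw1, its address 172.18.143.2 and the trustpoint name are assumed values for illustration only.

```cisco
! Added example configuration, not from the original guide. Assumed values:
! RADIUS server 192.0.2.10, secret "radius-secret", gateway address 172.18.143.2,
! trustpoint "sslvpn-cert". ssl_global, vpn1/vpn2, @cisco/@linksys are from the text.
aaa new-model
!
aaa group server radius ssl_radius
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! One global login list shared by both contexts. On its own this list cannot
! tell a vpn1 "labuser" from a vpn2 "labuser".
aaa authentication login ssl_global group ssl_radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key radius-secret
!
webvpn gateway gw1
 ip address 172.18.143.2 port 443
 ssl trustpoint sslvpn-cert
 inservice
!
! Users reach vpn1 at https://172.18.143.2/cisco. The authentication domain
! turns a login of "labuser" into "labuser@cisco" before it is sent to RADIUS.
webvpn context vpn1
 gateway gw1 domain cisco
 aaa authentication list ssl_global
 aaa authentication domain @cisco
 policy group default
 default-group-policy default
 inservice
!
! Same list, different suffix: a vpn2 login of "labuser" is sent as
! "labuser@linksys", a separate RADIUS account (or no account at all).
webvpn context vpn2
 gateway gw1 domain linksys
 aaa authentication list ssl_global
 aaa authentication domain @linksys
 policy group default
 default-group-policy default
 inservice
```

On the RADIUS server, provision "labuser@cisco" and "labuser@linksys" as two separate accounts, as the note above describes; a user that exists only under one domain is then rejected by the other context. If a context must be attached to an internal VRF, add "vrf-name vrf-name" under that context in addition to the lines shown.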
4.4 Static Routing Configuration
! The Global default route is to allow the SSL session to work with the user on the
! public network. Any routes on the backend need to be handled with additional
ip route 0.0.0.0 0.0.0.0 172.18.143.1
5. Context Configuration Verification
Note: All the output below is from Cisco IOS Software Release 12.4(9)T.
The global table is configured with a default route back to the public Internet. You will notice the route to the 184.108.40.206/24 network. This is the management network of the provider, and the AAA server is at 220.127.116.11.
sslvpn1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
18.104.22.168/24 is subnetted, 1 subnets
C 22.214.171.124 is directly connected, Ethernet0/0.700
172.18.0.0/24 is subnetted, 1 subnets
C 172.18.143.0 is directly connected, GigabitEthernet0/0
S* 0.0.0.0/0 [1/0] via 172.18.143.1
5.1 AAA Authentication List
The AAA authentication list we are using is ssl_global, which uses the global AAA server on the management network.
sslvpn1#show aaa method-lists authentication
name=ssl_global valid=TRUE id=7E000001 : SERVER_GROUP AR