This document provides a sample configuration of an IOS/IOS-XE headend for remote access using AnyConnect IKEv2 with the AnyConnect-EAP authentication method.
Cisco recommends that you have knowledge of these topics:
IOS-XE release 3.15 (15.5(2)S) or later
IOS release 15.5(2)T or later
AnyConnect client version 3.0 or later
The information in this document is based on these software and hardware versions:
Cisco ASR1002-X running IOS XE 3.15
AnyConnect client version 3.1.8009 running on Windows 7
Cisco ACS server 5.3 (optional)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticate the AnyConnect client using the Cisco proprietary AnyConnect-EAP method. Unlike standards-based Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC), EAP-Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAP pass-through mode. All EAP communication with the client terminates on the Flex Server, and the session key required to construct the AUTH payload is computed locally by the Flex Server. The Flex Server has to authenticate itself to the client using certificates, as required by the IKEv2 RFC.
Local user authentication is now supported on the Flex Server and remote authentication is optional. This is ideal for small-scale deployments with a small number of remote access users and for environments with no access to an external Authentication, Authorization, and Accounting (AAA) server. However, for large-scale deployments and in scenarios where per-user attributes are desired, it is still recommended to use an external AAA server for authentication and authorization. The AnyConnect-EAP implementation permits the use of RADIUS or TACACS for remote authentication, authorization and accounting.
Authenticating and Authorizing users using the Local Database
Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it cannot be a self-signed certificate.
Sample configuration that uses local user authentication, remote user and group authorization and remote accounting.
AnyConnect-EAP specific configuration shown in bold
Step 1. Enable AAA, configure the authentication, authorization and accounting lists (the aaa attribute list is optional) and add a username to the local database:
aaa new-model
!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
aaa attribute list AAA-attr
 attribute type interface-config "ip mtu 1300"
!
username test password cisco12
Step 2. Configure a trustpoint to obtain an ID certificate from a CA server (the router can be configured as a CA as well):
Step 6. Create an IKEv2 profile for the AnyConnect-EAP method of client authentication:
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint IKEv2-TP
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 100
Note: Configuring the remote authentication method before the local authentication method is accepted by the CLI, but when the remote authentication method is eap it does not take effect on versions that do not have the fix for the enhancement request CSCvb29701. On these versions, when configuring eap as the remote authentication method, ensure the local authentication method is configured as rsa-sig first. This problem is not seen with any other remote authentication method.
Note: On versions of code affected by CSCvb24236, once remote authentication is configured before local authentication, the remote authentication method can no longer be configured on that device. Upgrade to a version that has the fix for this bug.
Step 7. Disable HTTP-URL based certificate lookup:
no crypto ikev2 http-url cert
Step 8. Define the encryption and hash algorithms used to protect data
Note: Refer to this document to confirm whether your router hardware supports the NGE encryption algorithms (the example above uses NGE algorithms). Otherwise, IPsec SA installation on the hardware fails at the last stage of negotiation.
Step 9. Create an IPsec profile:
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
Step 10. Configure a virtual-template (the template is associated in the IKEv2 profile):
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
Authentication, Authorization and Accounting using a remote AAA server
Headend configuration changes
Note: Refer to the above section for the rest of the configuration.
aaa group server radius ACS
 server name ACS
!
radius server ACS
 address ipv4 172.16.1.2 auth-port 1645 acct-port 1646
 key Cisco123!
!
aaa authentication login a-eap-authen group ACS
aaa authorization network a-eap-author group ACS
aaa accounting network a-eap-acc start-stop group ACS
!
crypto ikev2 name-mangler NM
 eap suffix delimiter @
!
crypto ikev2 profile AnyConnect-EAP
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author <aaa-username>
 aaa authorization user anyconnect-eap list a-eap-author name-mangler NM
 aaa accounting anyconnect-eap a-eap-acc
RADIUS Server configuration
Step 1. Create a username (for user and/or group authentication and authorization), as shown in the image:
Step 2. Configure Authorization policy, as shown in the image:
Step 3. Add the RADIUS attributes, as shown in the image:
Step 4. As shown in the image, create an Access policy and associate the Authorization policy.
AnyConnect client profile configuration
Configure the client profile using the AnyConnect Profile Editor as shown in the image:
Note: AnyConnect uses '*$AnyConnectClient$*' as its default IKE identity of type key-id. However, this identity can be manually changed in the AnyConnect profile to match deployment needs. StandardAuthenticationOnly should be set to false when using AnyConnect-EAP, as shown in the image.
Change the default AnyConnect IKE identity (Optional)
If you do not want to use the default IKE ID sent by the client, you can change the IKE ID in the client profile; however, this also requires the IKE ID to be changed under the IKEv2 profile configured on the FlexVPN server:
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id ANYCONNECT-IKEID
This can also be set using the client profile editor:
Tip: When using the client profile editor, the IKE ID can only be changed if Standard Authentication is checked. This is a known issue, and bug CSCva64390 has been filed to address it. In the meantime, you can manually edit the XML file with any text editor so that the value of the "StandardAuthenticationOnly" attribute is set to false.
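A small consistency check for the two pitfalls described above, the authentication-method ordering in the IKEv2 profile (Step 6 note) and the IKE identity and StandardAuthenticationOnly settings in the client profile. This is an added example, not code from this document or from Cisco; the sample profile text, the host name and the exact element layout of the client profile XML are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed headend IKEv2 profile, modelled on the profile shown in this document.
IKEV2_PROFILE = """crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint IKEv2-TP"""
# Constructed AnyConnect client profile fragment; element names assumed from Profile Editor output.
CLIENT_PROFILE = """<AnyConnectProfile><ServerList><HostEntry><HostName>flex</HostName>
 <PrimaryProtocol>IPsec
  <StandardAuthenticationOnly>false
   <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
  </StandardAuthenticationOnly>
  <IKEIdentity>*$AnyConnectClient$*</IKEIdentity>
 </PrimaryProtocol></HostEntry></ServerList></AnyConnectProfile>"""

def check_ikev2_profile(cfg):
    """Return (key_id, findings) for one 'crypto ikev2 profile' block."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings, key_id, local_idx, remote_idx = [], None, None, None
    for i, line in enumerate(lines):
        m = re.match(r"match identity remote key-id (\S+)$", line)
        if m:
            key_id = m.group(1)
        elif line.startswith("authentication local "):
            local_idx = i
            if line.split()[-1] != "rsa-sig":  # EAP needs a certificate on the headend
                findings.append("local authentication must be rsa-sig for AnyConnect-EAP")
        elif line.startswith("authentication remote "):
            remote_idx = i
    if local_idx is None or remote_idx is None:
        findings.append("both local and remote authentication must be configured")
    elif remote_idx < local_idx:  # CSCvb29701: accepted by the CLI but does not take effect
        findings.append("remote authentication configured before local rsa-sig")
    return key_id, findings

def check_client_profile(xml_text, expected_key_id):
    """Each HostEntry must disable StandardAuthenticationOnly and send the headend's key-id
    (AnyConnect's default IKE identity is *$AnyConnectClient$* when no IKEIdentity is set)."""
    findings = []
    for entry in ET.fromstring(xml_text).iter("HostEntry"):
        host, proto = entry.findtext("HostName"), entry.find("PrimaryProtocol")
        sao = proto.find("StandardAuthenticationOnly")
        if sao is None or (sao.text or "").strip().lower() != "false":
            findings.append(f"{host}: StandardAuthenticationOnly must be false")
        ike_id = (proto.findtext("IKEIdentity") or "*$AnyConnectClient$*").strip()
        if ike_id != expected_key_id:
            findings.append(f"{host}: IKE identity {ike_id!r} != headend key-id {expected_key_id!r}")
    return findings
```

Run check_ikev2_profile on the headend's profile block and feed the returned key-id into check_client_profile; an empty findings list from both means the two sides agree.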
Currently, IOS and IOS-XE routers do not support XML profile downloads and AnyConnect package upgrades over an HTTPS connection. The AnyConnect client tries to download the latest XML profile from the headend, and the connection fails because this capability is not supported on the router. Therefore, it is mandatory to manually disable the downloader in the AnyConnectLocalPolicy.xml file on the user PC. The location of the file can be found under Change Local Policy Parameters Manually.