# FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP

## Contents

- Introduction
- Prerequisites
  - Requirements
  - Components Used
- Background Information
- Configure
  - Authenticating and Authorizing users using the Local Database
  - Authentication, Authorization and Accounting using a remote AAA server
  - Network Diagram
  - Headend configuration changes
  - Radius Server configuration
  - AnyConnect client profile configuration
  - Change the default AnyConnect IKE identity (optional)
  - Bypass Downloader
- Communication flow
  - IKEv2 and EAP exchange
- Verify
- Troubleshoot

## Introduction

This document provides a sample configuration of an IOS/IOS-XE headend for remote access using AnyConnect IKEv2 and the AnyConnect-EAP authentication method.

## Prerequisites

### Requirements

Cisco recommends that you have knowledge of these topics:

- IOS-XE release 3.15 (15.5(2)S) or later
- IOS release 15.5(2)T or later
- AnyConnect client version 3.0 or later

### Components Used

The information in this document is based on these software and hardware versions:

- Cisco ASR1002-X running IOS XE 3.15
- AnyConnect client running on Windows 7
- Cisco ACS server 5.3 (optional)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

## Background Information

AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticate the AnyConnect client using the Cisco proprietary AnyConnect-EAP method.

Unlike standards-based Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC), EAP-Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAP pass-through mode. All EAP communication with the client terminates on the Flex Server, and the session key required to construct the AUTH payload is computed locally by the Flex Server. The Flex Server has to authenticate itself to the client using certificates, as required by the IKEv2 RFC.

Local user authentication is now supported on the Flex Server, and remote authentication is optional. This is ideal for small scale deployments with a small number of remote access users and for environments with no access to an external Authentication, Authorization, and Accounting (AAA) server. The AnyConnect-EAP implementation also permits the use of RADIUS or TACACS for remote authentication, authorization and accounting. However, for large scale deployments, and in scenarios where per-user attributes are desired, it is still recommended to use an external AAA server for authentication and authorization.

## Configure

### Authenticating and Authorizing users using the Local Database

Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

The sample configuration below uses local user authentication, remote user and group authorization and remote accounting. Values that did not survive on this page (the CA enrollment URL, the certificate subject CN and the pool address range) are shown as placeholders in angle brackets.

Step 1. Enable AAA, configure the authentication, authorization and accounting lists (the aaa attribute list is optional) and add a username to the local database:

```
aaa new-model
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
aaa attribute list AAA-attr
 attribute type interface-config "ip mtu 1300"
username test password cisco123
```

Step 2. Configure a trustpoint to obtain an ID certificate from a CA server (the router can be configured as a CA as well):

```
crypto pki trustpoint IKEv2-TP
 enrollment mode ra
 enrollment url <CA-enrollment-URL>
 subject-name CN=<headend-FQDN>,OU=TAC,L=SanJose,C=US
 revocation-check none
 rsakeypair rsakey
```

Step 3. Define an IP local pool to assign addresses to AnyConnect VPN clients:

```
ip local pool ACPOOL <first-address> <last-address>
```

Step 4. Create an IKEv2 local authorization policy that hands out the pool and the optional attribute list:

```
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 aaa attribute list AAA-attr
```
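The four steps above only work together if the names line up: the authorization policy must point at a pool and an attribute list that exist, a local user must be present, and the trustpoint the headend uses for rsa-sig authentication must be CA-issued rather than self-signed. The following script is an added example, not part of the Cisco document; it parses a saved IOS/IOS-XE configuration into command blocks and reports those mismatches. The sample configuration it runs on is constructed from the commands in the steps above, with the CA URL, subject CN, pool range and password being placeholder values.

```python
"""Consistency checks for a FlexVPN AnyConnect-EAP headend configuration.

Added example; it is not part of the Cisco document. It parses a saved
IOS/IOS-XE configuration and checks that the pieces the local-database
setup relies on fit together: every IKEv2 authorization policy references
an existing 'ip local pool' and 'aaa attribute list', a local username
exists, and the trustpoint used for rsa-sig authentication is not
self-signed ('revocation-check none' is reported as a warning only).
"""
from typing import Dict, List

# Constructed sample, assembled from the commands in the document.
# CA URL, subject CN, pool range and password are placeholder values.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
aaa attribute list AAA-attr
 attribute type interface-config "ip mtu 1300"
username test password cisco123
crypto pki trustpoint IKEv2-TP
 enrollment mode ra
 enrollment url http://ca.example.test/certsrv/mscep/mscep.dll
 subject-name CN=flexvpn-hub.example.test,OU=TAC,L=SanJose,C=US
 revocation-check none
 rsakeypair rsakey
ip local pool ACPOOL 192.0.2.100 192.0.2.200
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 aaa attribute list AAA-attr
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {top-level command: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS '!' separators carry no commands
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        blocks[current] = []
    return blocks


def check_anyconnect_eap_config(config: str) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; empty lists mean all checks passed."""
    blocks = parse_blocks(config)
    errors: List[str] = []
    warnings: List[str] = []

    if "aaa new-model" not in blocks:
        errors.append("aaa new-model is missing; the AAA method lists will not take effect")
    if not any(t.startswith("username ") for t in blocks):
        errors.append("no local username configured; local EAP authentication has nobody to authenticate")

    # Names that the authorization policy is allowed to reference.
    pools = {t.split()[3] for t in blocks if t.startswith("ip local pool ")}
    attr_lists = {t.split()[3] for t in blocks if t.startswith("aaa attribute list ")}

    policies = [t for t in blocks if t.startswith("crypto ikev2 authorization policy ")]
    if not policies:
        errors.append("no crypto ikev2 authorization policy defined")
    for pol in policies:
        name = pol.split()[-1]
        for sub in blocks[pol]:
            parts = sub.split()
            if parts[0] == "pool" and len(parts) > 1 and parts[1] not in pools:
                errors.append(f"policy {name}: pool {parts[1]} has no matching 'ip local pool'")
            if sub.startswith("aaa attribute list ") and parts[3] not in attr_lists:
                errors.append(f"policy {name}: aaa attribute list {parts[3]} is not defined")

    # rsa-sig local authentication needs a CA-issued certificate, never a self-signed one.
    trustpoints = [t for t in blocks if t.startswith("crypto pki trustpoint ")]
    if not trustpoints:
        errors.append("no trustpoint defined; rsa-sig local authentication needs a CA-issued certificate")
    for tp in trustpoints:
        name = tp.split()[-1]
        subs = blocks[tp]
        if any(s.startswith("enrollment selfsigned") for s in subs):
            errors.append(f"trustpoint {name}: self-signed enrollment cannot be used for AnyConnect-EAP")
        if "revocation-check none" in subs:
            warnings.append(f"trustpoint {name}: revocation checking is disabled")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for severity, messages in check_anyconnect_eap_config(SAMPLE_CONFIG).items():
        for message in messages:
            print(f"[{severity}] {message}")
```

Run against the document's own configuration the script reports no errors and one warning, because the sample trustpoint disables revocation checking; swapping the enrollment to `enrollment selfsigned` or pointing the policy at an undefined pool turns those into errors, which is the kind of mistake that otherwise only shows up when the first client fails to connect.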