Flexvpn Anyconnect

 



In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands as used to configure the S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect EAP. Authentication and Authorization can be performed by local AAA or external RADIUS, which can authenticate the users against Active Directory Domain and authorize depending on AD group membership.

The Anyconnect profile was quite lengthy and very basic - it's attached to this document for reference (Profileflexacexample.xml) The relevent part is to define: host we will be connecting to, type of protocol and authentication to be used when connect to that host. FlexVPN also allows us to configure remote-access VPNs which is useful for remote workers. This works with a Cisco proprietary AnyConnect-EAP method. All EAP communication terminates on the FlexVPN server. This is different from standards-based EAP methods such as EAP-MD5 or EAP-GTC, which pass through to an AAA server. AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example 18/Jan/2013; Configure ISE Posture with FlexVPN 11/Jun/2018; Configure Zero Touch Deployment (ZTD) of VPN Remote Offices/Spokes 11/Sep/2018; DMVPN to FlexVPN Soft Migration Configuration Example 24/Feb/2014; EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the 'IPv6 Unnumbered' Command. FlexVPN works with anyconnect - but requires a modified profile on the Anyconnect client. Modify connection profile for endpoint to connect via ipsec.

This post will describe how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication) using AD username/password and client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:

FlexVPN Hub-and-Spoke
https://integratingit.wordpress.com/2016/07/10/configuring-cisco-flexvpn-hub-and-spoke/

FlexVPN with Certificate authentication
https://integratingit.wordpress.com/2017/08/26/configuring-cisco-flexvpn-with-certificate-authentication/

FlexVPN Certificate Enrolment (SCEP or Manual)
https://integratingit.wordpress.com/2017/08/26/cisco-ios-certificate-enrollment-via-scep/

AAA

PKI Trustpoint

The router is configured with a Trustpoint which is subsequently authenticated and enrolled with a certificate issued by the Corp PKI CA, this is the same CA that issues certificates to the client users and computers.

This trustpoint is referenced in the IKEv2 Profile. Enrollment is performed by SCEP, but could be manually enrolled.

IKEv2 Profile

Flexvpn anyconnect authentication methods

Identity will be match on a remote key-id *$AnyConnectClient$* this value is sent by AnyConnect and is the default value, this value can be manually specified in AnyConnect in which case the value in the IKEv2 Profile would need to match.

When using EAP Local authentication is always rsa-sig that is the router will be authenticated using a certificate, which the client computer must trust.

In this scenario we will use anyconnect-eap as the remote authentication method. The value aggregate which will authenticate and prompt for username/password, by appending cert-request will validate the client user certificate for double authentication. If no certificate or it is invalid, authentication will fail.

AAA authentication and accounting will reference the RADIUS method list called FLEX

Implicit User Authorization will use the cached attributes received from RADIUS during authentication

The pki trustpoint is configured to reference the match the previously defined trustpoint

VPN IP Address Pool

Flexvpn Anyconnect Ikev2

Routing

A static route for the VPN IP Address Pool will be defined on the Hub router and will be distributed by the Routing Protocol of choice.

IPSec Transform Set and Profile

A standard IPSec Transform set will need to be defined and referenced in an IPSec Profile

Virtual-Template

A standard Virtual-Template will need to be defined specifying a source Loopback interface, tunnel source, tunnel mode and tunnel protection.

Once the Virtual-Template has been created this will need to be referenced in the IKEv2 Profile

Network Devices and Groups

The FlexVPN Hub(s) must be defined in ISE as a NAD (Network Access Device), in order for ISE to authentication, authorize connections/session from the Hub.

  • Navigate to Administration > Network Device Groups
  • Create a new group called FlexVPN_Router, nest this under All Device Types
  • Navigate to Administration > Network Devices
  • Create a new Network Device
  • Add descriptive name for the Hub Router
  • Add IP address
  • Select Device Type as FlexVPN_Router
  • Tick RADIUS Authentication Settings
  • Specify the Shared Secret as specified in the AAA configuration on the Hub
  • Click Save when complete

Authorization Profiles

The Authorization Profiles will be used to provide the VPN configuration to the client once they are authorized. For example the attributes such as IP VPN Pool, DNS Servers, Netmask, Default Domain can be dynamically sent to the client.

  • Navigate to Policy > Policy Elements > Authorization > Authorization Profiles
  • Create new Authorization Profiles as per the table below
Authorization Profile NameAttribute Details
FlexVPN_ClientAccess Type = ACCESS_ACCEPT
cisco-av-pair = ipsec:route-accept=any
cisco-av-pair = ipsec:route-set=interface
cisco-av-pair = ipsec:addr-pool=VPN_POOL
cisco-av-pair = ipsec:dns-servers=192.168.10.5
cisco-av-pair = ipsec:netmask=255.255.255.0
Helpdesk_Users
Access Type = ACCESS_ACCEPT
cisco-av-pair = ipsec:default-domain=remotelab.local

NOTE – the Authorization Profile Helpdesk_Users is not necessarily needed as the attributes could be included in the other rules, but rather it helps to show that multiple Authorization Profiles can be sent to a client and applied successfully.

Policy Sets

  • Navigate to Policy > Policy Set
  • Define a new Policy Set with a descriptive name e.g. FlexVPN
  • Specify the Conditions: DEVICE:Device Type EQUALS All Device Types#FlexVPN_Router
  • Specify the Conditions: DEVICE:Device Type EQUALS All Device Types#FlexVPN_Router
  • Use an AD Join Point
  • Create a Authorization rule for Helpdesk Users
  • Define the Condition: LAB_AD:ExternalGroups EQUALS lab.local/Company/Helpdesk User
  • Define the Profiles: FlexVPN_Client AND Helpdesk_Users
  • Create a Authorization rule for Domain Users
  • Define the Condition: LAB_AD:ExternalGroups EQUALS lab.local/Company/Domain Users
  • Define the Profiles: FlexVPN_Client

Flexvpn Anyconnect Mac

An AnyConnect profile must be created in order to select the use of IPSec and the Authentication Method. The AnyConnect Profile can be named anything, but must be in XML format.

  • Install the Cisco AnyConnect Profile Editor, select at least the VPN Profile Editor and DART
  • Open the VPN Profile Editor
  • Navigate to the Server List tab
  • Click Add
  • Enter an appropriate Display Name e.g AnyConnect EAP
  • Enter the FQDN of the FlexVPN Hub
  • Select Primary Protocol as IPSec
  • Untick the box ASA Gateway
  • Select Auth Method During IKE Negotiation as EAP-AnyConnect
  • Click OK when complete
  • Click File > Save as…
  • Save the file using an appropriate name to the location:
    • C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile

The IOS routers do not support XML profile downloads and AnyConnect package upgrades. The AnyConnect will try to download the latest XML profile from the FlexVPN Hub router and the connection will fail. This can be disabled:

  • Locate the AnyConnectLocalPolicy.xml file in
    • C:ProgramDataCiscoCisco AnyConnect Secure Mobility Client
  • Change BypassDownloader value to True
  • Save the file
  • Restart the AnyConnect Client
  • Open the Cisco AnyConnect Secure Mobility Client, you should now see the VPN connection with the display name specified in the Profile

For testing we will use 2 separate AD accounts, user1 will be a member of LABHelpdesk Users group and user2 will only be a member of LABDomain Users. The Windows computer used for testing will have a User Certificate and the Root CA Certificate installed, this Root CA is the same CA that issued the certificate to the FlexVPN Hub. Therefore the certificates should be trusted for authentication.

Flexvpn Anyconnect

  • On the FlexVPN Hub enable debugging – debug radius authentication
  • From the client computer login as user1
Flexvpn

From the output you can determine the default IKE Key ID (isakmp-phase1-id) was used, the username logging in and the radius av-pair sent in authorization. Notice the default-domain remotelab.local was sent, this was because user1 is a member of the correct AD group and we specified that the default domain should be different, as specified in a Authorization Profile.

From the ipconfig /all configuration on the client workstation, we can confirm that the VPN session has received the DNS suffix remotelab.local. You can also determine that the client received the correct DNS Server and received an IP address from the VPN_POOL.

Flexvpn Anyconnect Download

  • Logoff user1 and login as user2

Notice in the debug for user2 login that the RADIUS server did not send a default-domain av-pair for this session.

This can be confirmed using ipconfig /all on the windows client, notice no DNS Suffix compared to user1. This is because user2 is only a member of LABDomain Users AD group and the Authorization Profile does not specify a default domain for users of that group.

Checking the ISE Logs you can see that when user2 logged in, that user matched the Authorization rule FlexVPN >> Domain Users and only the FlexVPN_Client Authorization Profile was configured, unlike user1 which matched the FlexVPN >> Helpdesk Users rule and received the FlexVPN_Client and Helpdesk_Users Authorization Profile attributes.

  • On the FlexVPN Hub router, use the command show crypto ikev2 sa detail

From the output you can determine the source public IP address, local id (FlexVPN Hub router cn), remote id (default AnyConnect IKE identity), Remote EAP id (username) and assigned host IP address (from the IP pool VPN_POOL). You can also determine the encryption, hashing, DH group and authentication methods used.

Flexvpn Anyconnect Software

FlexVPN Aggregate Authentication