Subject-name CN=, OU=UK-Branch ,O=LAB,ST=London,C=GBĬrypto ikev2 authorization policy default Spoke 1 router will configured to be a Branch router located in the UK, it’s certificate will be configured as below. The default password is cisco.Īaa authorization group cert list FLEX name-mangler NM password Cisco1234 A local user account must be created on the RADIUS server with the username that matches the OU value and the password Cisco1234 (as specified in the configuration below). The aaa authorisation command is referencing the previously created aaa method-list (FLEX) name-mangler (NM), it will use the password Cisco1234. In this instance we will only be authorizing per group. This name-mangler is referenced in the IKEv2 Profile.Īuthorization can be configured per user or per group. The name-mangler will extract the OU from the spoke router’s certificate and use for authorisation. Tunnel protection ipsec profile IPSEC_PROFILE It is important that the Virtual-Template not be configured with an IP address, the RADIUS server will push instruct which Loopback to use as the source IP address per session (depending on which spoke it authorising). The loopback interfaces need advertising into the routing protocol.Īddress-family ipv4 unicast vrf UK autonomous-system 1Īddress-family ipv4 unicast vrf US autonomous-system 1Ī ddress-family ipv4 unicast autonomous-system 1 Radius-server dead-criteria time 20 tries 2 Radius-server attribute 8 include-in-access-req Radius-server attribute 6 support-multiple Radius-server attribute 6 on-for-login-auth IP address assigned from DHCP IP AddressĪaa accounting network FLEX start-stop group ISEĬlient 192.168.10.20 server-key Cisco1234Īddress ipv4 192.168.10.20 auth-port 1645 acct-port 1646.IP address assigned from IP Address POOL.The following AV (attribute values) will be pushed to the spoke routers: This post will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication however following posts provide information on how to configure everything not covered in this post: Depending on matching on location in the Authorization rules the RADIUS server will return different values per location. An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. The Hub router will authenticate the spoke routers with RSA certificates. This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.
0 Comments
Leave a Reply. |