This is one of the many scenarios covered in the Lab technology guides section HERE. In this scenario we set up an AnyConnect client connecting to an IOS device over IKEv2, using EAP as the authentication method for the client. The responder (the IOS device) must authenticate with a certificate, while user authentication is performed with EAP. The AnyConnect client user is configured on a RADIUS server (Cisco Identity Services Engine in this case), and authentication and authorization are performed there accordingly. We use a Windows XP host with AnyConnect Secure Mobility Client v4 installed to run this scenario, based on the sample topology diagram below.
Here’s the snippet of ISE configuration steps:
- Set up a Network Device entry in ISE for the HQ router (HQ RTR), under Administration -> Network Resources -> Network Devices.
- Create the RA VPN user as an End User in the Internal Identity Store, under Administration -> Identity Management -> Identities.
- Create a Policy Element Result and link it to an Authorization Profile, under Policy -> Policy Elements -> Results.
- Create an Authorization Profile and add the following attributes under ‘Advanced Attribute Settings’.
- Create an Authorization Policy Rule, under Policy -> Authorization.
- Verify the configuration and make sure that the AnyConnect VPN user can successfully connect to the VPN head-end (HQ).
- Verify, under the Statistics tab in AnyConnect Secure Mobility Client, the assigned client IPv4 address, the Protocol/Cipher and the Split Tunneling ACL (fields highlighted in RED).
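The ISE steps above only cover the RADIUS side. The following IOS FlexVPN configuration is an added example of the matching head-end side, not a configuration from the original guide: the router authenticates to AnyConnect with an RSA certificate and hands the user's EAP credentials to ISE over RADIUS. Every name (FLEX-*, ISE-PSN), the 192.0.2.10 ISE address, the 10.10.10.0/24 client pool, the 10.1.0.0/16 split-tunnel network and the interface names are assumed placeholders; the shared secret is an obvious placeholder that has to match the Network Device entry created in ISE.

```cisco
! Added example (not from the original guide): FlexVPN IKEv2 server on the HQ IOS router.
! Router side: certificate (rsa-sig). Client side: EAP, proxied to ISE over RADIUS.
! All names, addresses and pools below are assumed/constructed values.

! --- AAA: EAP authentication and per-user authorization are answered by ISE ---
aaa new-model
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 ! placeholder secret; must equal the secret in the ISE Network Device entry for HQ RTR
 key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa group server radius ISE-RADIUS
 server name ISE-PSN
aaa authentication login FLEX-EAP-AUTHC group ISE-RADIUS
aaa authorization network FLEX-AUTHZ local

! --- PKI: trustpoint holding the router identity certificate (enrolment not shown) ---
crypto pki trustpoint FLEX-TP
 enrollment terminal
 subject-name CN=hq-rtr.example.com
 ! lab simplification only; production should keep CRL or OCSP checking enabled
 revocation-check none

! --- IKEv2 proposal and policy ---
crypto ikev2 proposal FLEX-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POLICY
 proposal FLEX-PROPOSAL

! --- Group-level authorization: address pool and split-tunnel routes pushed to the client ---
ip local pool FLEX-POOL 10.10.10.1 10.10.10.100
ip access-list standard FLEX-SPLIT
 permit 10.1.0.0 0.0.255.255
crypto ikev2 authorization policy FLEX-AUTHZ-POLICY
 pool FLEX-POOL
 route set access-list FLEX-SPLIT

! --- IKEv2 profile: certificate for the responder, EAP for the remote user ---
crypto ikev2 profile FLEX-PROFILE
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEX-TP
 dpd 60 2 on-demand
 aaa authentication eap FLEX-EAP-AUTHC
 aaa authorization group eap list FLEX-AUTHZ FLEX-AUTHZ-POLICY
 ! "cached" applies the attributes ISE returns in Access-Accept (the Advanced
 ! Attribute Settings from the Authorization Profile) as per-user authorization
 aaa authorization user eap cached
 virtual-template 1

! --- IPsec and the virtual template that spawns one virtual-access interface per client ---
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

After a client connects, `show crypto ikev2 sa detail` and `show crypto session` on the router show the negotiated proposal and the assigned address, which should match the Protocol/Cipher and IPv4 address fields the guide asks you to check in the AnyConnect Statistics tab; the ISE Live Logs (Operations) show the corresponding RADIUS authentication and the Authorization Profile that was applied.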
For the detailed configuration and a step-by-step walk-through of the setup, consult HERE.