FlexVPN Remote Access VPN using EAP Authentication via Cisco Identity Services Engine (ISE)


This is one of the many scenarios covered in the Lab technology guides section HERE. We will set up an AnyConnect client connecting to an IOS device over IKEv2, with EAP as the authentication method for the client. The responder (the IOS device) must authenticate with a certificate. User authentication is performed via EAP: the AnyConnect client user is configured on the RADIUS server (Cisco Identity Services Engine, in this case), and authentication and authorization are performed there. We will use a Windows XP host with AnyConnect Secure Mobility Client v4 installed to perform this scenario, based on the sample topology diagram below.

[Topology diagram: ISE FlexVPN]

Here is a summary of the ISE configuration steps:

  • Set up a Network Device in ISE for HQ RTR

Under Administration -> Network Resources -> Network Devices

  • Create the RA VPN user as an End User in the Internal Identity Store

Under Administration -> Identity Management -> Identities

  • Create a Policy Element Result & link it to the Authorization Profile

Under Policy -> Policy Elements -> Results

  • Create an Authorization Profile & add the following attributes under ‘Advanced Attribute Settings’

[Screenshot: Authorization Profile, Advanced Attribute Settings]

  • Create an Authorization Policy Rule

Under Policy -> Authorization

[Screenshot: Authorization Policy rule]

  • Verify the configuration & make sure that AnyConnect VPN User can successfully connect to VPN Head-End (HQ)

[Screenshot: AnyConnect client connected to the HQ VPN head-end]

  • Verify under the Statistics tab in AnyConnect Secure Mobility Client for Client IPv4 address (assigned), Protocol/Cipher & Split Tunneling ACL (fields highlighted in RED)


[Screenshot: AnyConnect Statistics tab showing client IPv4 address, Protocol/Cipher and Split Tunneling ACL]

For the detailed configuration & a step-by-step walk-through of the setup, consult HERE.
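To show how the router side consumes the ISE result described above, here is an added example of an IOS FlexVPN head-end configuration; it is not the post's own configuration (that is in the linked guide). Assumed values: ISE at 10.1.1.5, trustpoint HQ-CA, pool RA-POOL, the interface name, the shared secret, and the cisco-av-pairs named in the comments as what the ISE Authorization Profile returns.

```cisco
! Added example, not from the original post. Assumed: ISE 10.1.1.5, HQ-CA,
! RA-POOL, GigabitEthernet0/0, <shared-secret> and the av-pairs noted below.
aaa new-model
!
! RADIUS server object for ISE; the key must match the Network Device entry in ISE
radius server ISE
 address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
 key 0 <shared-secret>
aaa group server radius ISE-GRP
 server name ISE
!
! EAP user authentication from IKEv2 is relayed to ISE through this login list
aaa authentication login FLEX-EAP-AUTHC group ISE-GRP
!
! Pool the ISE Authorization Profile is assumed to reference (ipsec:addr-pool=RA-POOL)
ip local pool RA-POOL 192.168.100.1 192.168.100.50
!
! Responder identity: the router authenticates to AnyConnect with its certificate
crypto pki trustpoint HQ-CA
 enrollment terminal
 subject-name cn=hq-rtr.example.com
 revocation-check none
!
! "aaa authorization user eap cached" applies the attributes ISE returned in the
! Access-Accept, e.g. ipsec:addr-pool=RA-POOL and ipsec:route-set=prefix 10.0.0.0/8
! (assumed values), which become the client address and split-tunnel routes that
! AnyConnect shows in its Statistics tab.
crypto ikev2 profile FLEX-RA
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint HQ-CA
 aaa authentication eap FLEX-EAP-AUTHC
 aaa authorization user eap cached
 virtual-template 1
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-RA
!
! One virtual-access interface is cloned from this template per connected client
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

After a client connects, `show crypto ikev2 sa detailed` and `show crypto ikev2 session detailed` display the EAP identity and the attributes (pool, routes) that were pulled from ISE.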
