Onboard Cisco AnyConnect IKEv2 to PrivacyIdea

Question
1

Hi all,

we are currently running IKEv2 IPsec VPN against a Cisco Router.
As client we used in the passed the Windows integrated VPN client without an issue.
Radius was a NPS on WIndows 2016.

Unfortunatly this Windows does not support PAP authentication for IKEv2.

So we switched to Cisco AnyConnect Client and are still able to login to IKEv2 with EAP-MSCHAPv2.
But as soon as we switch the radius on the router to PrivacyIdea we can’t login, even with PIN+OTP.
I estimate cause the password is still sent via MSCHAPv2,

so my questions are:

  1. how to check, if PAP or MSCHAPv2 is used from router to radius?
  2. imho this is always a setting on the VPN-client, cause cisco want’s to modify the router-config
  3. does someone have a hint howto onboard IKEv2 to PrivacyIdea?

br
Thomas

2

yes, privacyIDEA with OTP only supports PAP.

Run the freeradius server in debug mode:

freeradius -X

The RADIUS client (i.e. the VPN server) will define the RADIUS attributes used.

Dunno.

3

Hi all,

I just wanted to provide a reply to my own question.

Cisco Anyconnect supports IKEv2 VPN with PAP Radius-Authentication, when EAP-Anyconnect is used.
Apropriate documentation:

  • List item

Failed to get configuration from secure gateway. Contact your system administrator - Cisco Community entry from ‎11-26-2020 03:34 AM

br
Thomas

4

sorry to fast :wink: posted.

  1. you need to use eap-anyconnect
  2. this will use PAP towards the radius

relevant config on the router

aaa authentication login AUTHEN_RADIUS group radius
aaa authorization network a-eap-author-grp local

crypto ikev2 profile FLEXVPN_IKEV2
authentication remote anyconnect-eap aggregate
pki trustpoint vpn.xxxx-bis-20230703-trustpoint
aaa authentication anyconnect-eap AUTHEN_RADIUS
aaa authorization group anyconnect-eap list a-eap-author-grp FLEXVPN_CONFIG

radius server pi-pa
address ipv4 10.a.b.c auth-port 1812 acct-port 1813
timeout 10
pac key 7 xxx

1 Like