Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

live, make sure that you understand the potential impact of any command.
Background Information
AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticate
the AnyConnect client using the Cisco proprietary AnyConnect-EAP method. Unlike standards-based
Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC),
EAP-Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAP pass-through
mode. All EAP communication with the client terminates on the Flex Server, and the session key
required to construct the AUTH payload is computed locally by the Flex Server.
The Flex Server has to authenticate itself to the client using certificates, as required by the
IKEv2 RFC.
Local user authentication is now supported on the Flex Server, and remote authentication is
optional. This is ideal for small-scale deployments with fewer remote access users and for
environments with no access to an external Authentication, Authorization, and Accounting (AAA)
server. However, for large-scale deployments, and in scenarios where per-user attributes are
desired, it is still recommended to use an external AAA server for authentication and authorization.
The AnyConnect-EAP implementation permits the use of RADIUS or TACACS for remote
authentication, authorization and accounting.
Configure
Authenticating and Authorizing Users Using the Local Database
Note: In order to authenticate users against the local database on the router, EAP needs to
be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so
the router needs a proper certificate installed on it, and it can't be a self-signed certificate.
Sample configuration that uses local user authentication, remote user and group authorization,
and remote accounting.
AnyConnect-EAP-specific configuration is shown in bold.
Step 1. Enable AAA, configure authentication, authorization and accounting lists (the aaa
attribute list is optional), and add a username to the local database:
Step 2. Configure a trustpoint to obtain an ID certificate from a CA server (router can be
configured as a CA as well):
Step 3. Define an IP local pool to assign addresses to AnyConnect VPN clients:
Step 4. Create an IKEv2 local authorization policy:
Step 5. Create desired IKEv2 proposal and policy:
Step 6. Create an IKEv2 profile for AnyConnect-EAP method of client authentication:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
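The six steps above assembled into one consistent FlexVPN server configuration, as an added illustration; this is a constructed example, not the configuration from the original document. The list names, trustpoint name, CA URL, key pair name, pool range, DNS server, RADIUS server address and domain are assumed placeholders, and the IPsec profile and Virtual-Template interface that the IKEv2 profile references are configured in steps beyond those shown here.

```text
! Step 1: AAA lists and a local user (constructed example; names are placeholders)
aaa new-model
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
aaa accounting network a-eap-accounting start-stop group radius
!
! RADIUS server used only for accounting in this example
radius server RADIUS-ACCT
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
!
! Local user authenticated through AnyConnect-EAP
username vpnuser password 0 <PASSWORD-PLACEHOLDER>
!
! Step 2: trustpoint for the server ID certificate (EAP requires rsa-sig on the server side,
! so the certificate must come from a CA the client trusts, not a self-signed one)
crypto pki trustpoint ROUTER-CA
 enrollment url http://10.0.0.10:80
 subject-name cn=flexvpn.example.com,ou=VPN
 rsakeypair FLEXVPN-KEY 2048
 ! "none" is a lab shortcut; production servers should validate revocation (crl or ocsp)
 revocation-check none
! Then, from EXEC mode: crypto pki authenticate ROUTER-CA
!                       crypto pki enroll ROUTER-CA
!
! Step 3: address pool handed to AnyConnect clients
ip local pool ACPOOL 192.168.10.5 192.168.10.10
!
! Step 4: local IKEv2 authorization policy (group attributes pushed to the client)
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 dns 10.0.0.1
 netmask 255.255.255.0
 def-domain example.com
!
! Step 5: IKEv2 proposal and policy
crypto ikev2 proposal AnyConnect-EAP-prop
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy AnyConnect-EAP-pol
 proposal AnyConnect-EAP-prop
!
! Step 6: IKEv2 profile using AnyConnect-EAP (aggregate authentication)
crypto ikev2 profile AnyConnect-EAP
 ! *$AnyConnectClient$* is the fixed key-id the AnyConnect client presents; it only selects
 ! the profile, the user is actually authenticated by the EAP exchange that follows
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint ROUTER-CA
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap a-eap-accounting
 ! Virtual-Template100 and its IPsec profile are defined in later steps (not shown here)
 virtual-template 100
```

Two points worth checking after applying a configuration like this: `show crypto pki certificates ROUTER-CA` should show a valid ID certificate whose subject or subject alternative name matches the host name the clients connect to, otherwise the client rejects the server before EAP even starts; and `show crypto ikev2 sa detailed` on a test connection should report the remote authentication method as AnyConnect-EAP, confirming that the profile was matched on the key-id and that the EAP exchange terminated on the router rather than being passed through.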