Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

• You must enable the BypassDownloader function in the AnyConnectLocalPolicy file by setting the <BypassDownloader> value to true. If your device does not support SSL, the BypassDownloader function will not work.You must disable the function manually by setting the <BypassDownloader> value to false, else the connection will fail.

To establish a VPN connection, the VPN client must obtain user credentials using authentication methods such as, extensible authentication protocol (EAP), Extended Authentication (XAUTH), etc. and forward the user credentials to a hub, which contacts an access control server. The access control server sends an external database or active directory (AD) to validate the credentials.

FlexVPN server (as a hub) works with Cisco Secure Access Control Server to validate user credentials to establish VPN connections. However, Cisco AnyConnect uses EAP to obtain user credentials and does not support XAUTH. On the other hand, Cisco Secure Access Control Server does not support EAP-MD5 with external database (in this case AD). This leads to a scenario where either Cisco Secure Access Control Server must support EAP-MD5 or FlexVPN must authenticate the information from Cisco AnyConnect separately and connect separately with Cisco Secure Access Control Server. FlexVPN can use the Aggregate Authentication method to authentication information from Cisco AnyConnect. Implementing aggregate authentication method on FlexVPN server would provide a window to add more feature support on Cisco IOS software.

The FlexVPN RA - Aggregate Auth Support for AnyConnect feature implements aggregate authentication method by extending support for Cisco AnyConnect client that uses the proprietary AnyConnect EAP authentication method to establish a secure tunnel over the Internet using Cisco AnyConnect and FlexVPN server. This is a server-specific feature and works with Cisco AnyConnect.

Internet Key Exchange Version 2 supports Cisco AnyConnect that uses the proprietary AnyConnect EAP authentication method by implementing basic aggregate authentication where authentication is performed via authentication, authorization, and accounting (AAA) using the remote RADIUS server. The following is an example of a network topology explains aggregate authentication implementation on Cisco IOS software.

Figure 1. FlexVPN Server Connected to RADIUS Server

In this diagram:

• Cisco Secure Access Control Server acts as a RADIUS server for authorization.

• The credentials are stored in Microsoft Active Directory, which acts as the active directory for authentication.

  Note	Microsoft Active Directory is referred for example purpose only. It does not matter where the credentials are stored.

• Cisco device acts as FlexVPN server.

• Windows 7 PC acts as Cisco AnyConnect client.

1. To initiate a VPN connection, Cisco AnyConnect client verifies a FlexVPN server using certifications.

2. After verifying the certificates, Cisco AnyConnect client sends Cisco AnyConnect EAP loaded message to FlexVPN server.

3. When FlexVPN server receives Cisco AnyConnect EAP loaded message from Cisco AnyConnect, FlexVPN server downloads the message and strips the message of EAP.

4. FlexVPN establishes a connection with RADIUS server for authorization and Microsoft Active Directory (AD) for authentication, and forwards the stripped message to verify the credentials provided by Cisco AnyConnect client.

5. When the credentials are verified and approved by RADIUS server and Microsoft Active Directory (AD), an appropriate reply is sent to FlexVPN server, which in turn replies to Cisco AnyConnect and a VPN connection is established.

Authentication in IKE using AnyConnect EAP is a variation of the standards EAP model as described in RFC 3748. When using AnyConnect EAP the public configuration or authentication XML is transported via EAP payloads. The following figure illustrates the typical message flow used by Cisco AnyConnect .

Figure 2. IKE Exchanges using AnyConnect EAP

1. Cisco AnyConnect client initiates IKE connection to FlexVPN server. The client sends vendor ID payloads to indicate support for Cisco AnyConnect EAP in addition to the typical IKE payloads. The client identifies itself as a Cisco product by including the Cisco copyright vendor ID.
2. The server gateway sends vendor ID payloads to indicate fragmentation and AnyConnect EAP support and identifies itself as a Cisco product by including the Cisco copyright vendor ID.
3. The configuration payload requests the tunnel configuration. The client indicates its desire to use Cisco AnyConnect EAP authentication by omitting the AUTH Payload from this message.
4. The Aggregate Authentication and Configuration protocol is carried over EAP
5. FlexVPN server sends a EAP success message.
6. Cisco AnyConnect client sends the AUTH payload.
7. FlexVPN server sends the AUTH payload and the tunnel configuration attributes that Cisco AnyConnect client requested.

The aggregate authentication implementation on Cisco IOS software can be extended for dual-factor authentication. Double authentication can be done by introducing new AnyConnect EAP exchange during Aggregate Authentication which exchange and validate the device certificate information. This mechanism of authenticating 'device' as well as 'user' is called 'Double Authentication'.

Note	AnyConnect EAP is AnyConnect client specific authentication method and does not apply to any other client.

1.    enable


2.    configure terminal


3.    crypto ikev2 profile profile-name


4.    aaa accounting anyconnect-eap list-name


5.    match identity remote key-id opaque-string


6.    authentication remote anyconnect-eap aggregate [cert-request]


7.    authentication local rsa-sig


8.    pki trustpoint trustpoint-label


9.    aaa authentication anyconnect-eap list-name


10.    aaa authorization group anyconnect-eap list aaa-listname name-mangler mangler-name


11.    aaa authorization user anyconnect-eap cached


12.    aaa authorization user anyconnect-eap list aaa-listname name-mangler mangler-name


13.    end


14.    show crypto ikev2 session detailed

Device> enable

Device# configure terminal

Device(config)# crypto ikev2 profile profile1

Device(config-ikev2-profile)# aaa accounting anyconnect-eap list1

Device(config-ikev2-profile)# match identity remote key-id aggauth_user3@abc.com

Device(config-ikev2-profile)# authentication remote anyconnect-eap aggregate cert-request

Device(config-ikev2-profile)# authentication local rsa-sig

Device(config-ikev2-profile)# pki trustpoint CA1

Device(config-ikev2-profile)# aaa authentication anyconnect-eap list1

Device(config-ikev2-profile)# aaa authorization group anyconnect-eap list list1 name-mangler mangler1

Device(config-ikev2-profile)# aaa authorization user anyconnect-eap cached

Device(config-ikev2-profile)# aaa authorization user anyconnect-eap list list1 name-mangler mangler1

Device(config-ikev2-profile)# end

Device# show crypto ikev2 session detailed