Before You Begin

• In Cisco SD-WAN Manager, configure the following using a feature template:

  • VRF for the SD-WAN RA service VPN

  • Public IP on the TLOC interface used for SD-WAN RA

• Ensure that the RADIUS server and CA server are reachable in the SD-WAN RA service VPN.

SD-WAN RA Headend Device Configuration

This example provides a generic template for configuring a Cisco IOS XE Catalyst SD-WAN device to function as an SD-WAN RA headend. The template uses variables that prompt you for details specific to your network, at runtime when you apply the template.

The following table describes the variables used in the template.

Use the following in a CLI add-on template:

ip local pool SDRA_IP_POOL {{SDRA_POOL_START_IP}} {{SDRA_POOL_END_IP}}
!
aaa new-model
!
aaa group server radius SDRA_RADIUS_SERVER
server-private {{SDRA_RADIUS_IP}} key {{SDRA_RADIUS_ENCR_KEY}}
ip radius source-interface {{SDRA_RADIUS_SOURCE_INTF}}
ip vrf forwarding {{SDRA_SERVICE_VPN}}
!   
no ip http secure-server
!      
aaa authentication login SDRA_AUTHEN_MLIST group SDRA_RADIUS_SERVER 
aaa authorization network SDRA_AUTHOR_MLIST group SDRA_RADIUS_SERVER
aaa accounting network SDRA_ACC_MLIST start-stop group SDRA_RADIUS_SERVER
!
crypto pki trustpoint SDRA_TRUSTPOINT
enrollment url http://{{SDRA_CA_SERVER_IP}}:80
fingerprint {{SDRA_CA_CERT_FINGERPRINT}}
revocation-check none
rsakeypair SDRA_TRUSTPOINT 2048
subject-name cn={{SDRA_HEADEND_SUBJECT_NAME}}
auto-enroll 80
auto-trigger
vrf {{SDRA_SERVICE_VPN}}
!
crypto ikev2 proposal SDRA_IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy SDRA_IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
crypto ikev2 profile SDRA_IKEV2_PROFILE
match identity remote any
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint SDRA_TRUSTPOINT
aaa authentication anyconnect-eap SDRA_AUTHEN_MLIST
aaa authorization user anyconnect-eap cached
aaa authorization group anyconnect-eap list SDRA_AUTHOR_MLIST name-mangler SDRA_NAME_MANGLER_DOMAIN password {{SDRA_AUTHOR_RADIUS_PASSWD}}
aaa accounting anyconnect-eap SDRA_ACC_MLIST
virtual-template 101 mode auto
reconnect
!
crypto ikev2 name-mangler SDRA_NAME_MANGLER_DOMAIN
eap suffix delimiter @
!
crypto ipsec transform-set SDRA_IPSEC_TS esp-gcm 256
mode tunnel
!         
crypto ipsec profile SDRA_IPSEC_PROFILE
set ikev2-profile SDRA_IKEV2_PROFILE
set transform-set SDRA_IPSEC_TS
!
interface Loopback 65515
no shutdown
vrf forwarding {{SDRA_SERVICE_VPN}}
ip address {{SDRA_UNNUM_INTF_IP}} 192.168.0.1
!
interface Virtual-Template101 type tunnel
no shutdown
vrf forwarding {{SDRA_SERVICE_VPN}}
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDRA_IPSEC_PROFILE 
exit
!

RADIUS Server Configuration

The following is an example user profile:

user1@example.com  Cleartext-password := "user1-passwd"
 Service-Type = NAS-Prompt-User,

The following is an example group profile:

example.com   Cleartext-password := "group-passwd"
 Service-Type = NAS-Prompt-User,
 cisco-avpair+="ip:interface-config=vrf forwarding 20",
 cisco-avpair+="ip:interface-config=ip unnumbered Loopback 65515",
 cisco-avpair+="ipsec:addr-pool=IP_LOCAL_POOL",
 cisco-avpair+="ipsec:route-set=prefix 192.168.1.0/24",
 cisco-avpair+="ipsec:route-set=prefix 192.168.2.0/24"

AnyConnect Remote Access Client Configuration

The AnyConnect client connects to an SD-WAN RA headend similarly to how it connects to any other remote access headend. However, AnyConnect uses SSL by default, and SSL is not supported by SD-WAN RA, so it is necessary to change the mode to IKEv2/IPsec.

In this brief example, the AnyConnect client does not download the profile from the SD-WAN RA headend, but instead uses a locally defined profile.

Note the following points of AnyConnect configuration for this scenario:

• Disable AnyConnect profile download.

  In the AnyConnect local policy file, configure the BypassDownloader variable to TRUE .

• Specify IKEv2/IPsec mode

  PrimaryProtocol: IPsec