Configure SD-WAN Remote Access (SDRA) through Configuration Groups

Available Languages

Download Options

ePub (1.0 MB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (906.1 KB)
View on Kindle device or Kindle app on multiple devices

Updated:August 29, 2024

Document ID:222336

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to configure SD-WAN Remote Access (SDRA) using an existing configuration group.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Cisco Software-Defined Wide Area Network (SD-WAN)
PublicKey Infrastructure (PKI)
FlexVPN
RADIUS server

Components Used

The information in this document is based on these software and hardware versions:

C8000V version17.12.03a
vManage version 20.12.03a
Certificate Authority (CA) server with simple certificate enrollment protocol (SCEP)
AnyConnect Secure Mobility Client version 4.10.04071

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure Certificate Authority (CA) on Manager

This section guides you through the configuration of a Certificate Authority (CA) server for SCEP-based automatic enrollment via the SD-WAN Manager.

Note: The devices enabled for remote access receive a certificate from this certificate authority. The devices use the certificate to authenticate to remote access clients.

Step 1. Navigate to Enterprise CA to configure the CA certificate through the vManage. From vManage GUI:

Configuration -> Certificate Authority -> Enterprise CA

Note

Certificate Authority

Note: The other CA options such as Enterprise CA without SCEP, Cisco vManage as CA and Cisco vManage as intermediate CA are not supported for the SD-WAN RA feature

Step 2. Once the Enterprise CA has been displayed, select the SCEP option.

Step 3. Copy and paste the CA certificate into the Root Certificate box.

Step 4. Fill out your CA Server information:

Note: The CA server has been placed in the service VRF 1. CA server must be reachable through the service VRF for all the SD-WAN RA headends.

Step 5. Click onSave Certificate Authorityto save the configuration.

Note: The related CA settings are applied once the remote access configuration is finished and implemented on the device.

Add the Remote Access Feature Profile to an Existing Configuration Group.

Set up remote access by modifying an existing configuration group.

Note: SDRA can be configured using either the CLI add-on template or Configuration Groups. However, it does not support the use of feature templates.

Enable Remote Access on Service VPN

Warning: Enabling remote access on a service VPN is a required step. Without this, any subsequent configurations for remote access parameters (profile/feature) are not propagated to the device.

Step 1. From vManage GUI, navigate to Configuration -> Configuration Groups. Click the three dots (...) on the right side of your preexisting configuration group and click Edit.

Configuration Groups

Step 2. Scroll down to Service Profile:<name>, and expand the section. Click the three dots (...) on the right side of the desired VPN profile and click Edit Feature.

Configuration Groups 2

Step 3.

Select the check box Enable SD-WAN Remote Access

Edit Service VPN Feature

Step 4. Click Save.

Configure the Remote Access Feature

Step 1. From vManage GUI, navigate toConfiguration->Configuration Groups-> <Config Group Name>. Click the three dots (...) on the right sideand clickEdit.

Expand theSystem Profile:<Name>section. ClickAdd Featureand search forRemote Access.

Add Feature

SDRA Protocol

Note: SDRA supports both IPSec and SSL; however, the guide specifies the use of IPSec for this lab, while noting that SSL configuration is optional and largely follows the same steps.

Configure RADIUS Server

The first part of the configurations is the Radius Server Setup when configuring remote access. Click Add Radius Group to expand it, and then Add Radius Group.

Add Radius Group

Expand the RADIUS Server section, and click Add RADIUS Server.

Fill out the RADIUS server configuration with the RADIUS IPv4 Address and Key, and click Add as the example shows.

Add Radius Server

Expand the RADIUS Group section, and click Add RADIUS Group.

Edit AAA Features

Select the drop-down to the left of VPN, and select Global.

Add the RADIUS server that was previously configured.

Once you configure the RADIUS Group as shown in the picture, click Add to save the RADIUS Group.

Add Radius Group

This is an example of RADIUS configuration completed. Click Save.

Edit AAA Feature

Note: SD-WAN RA headends use a RADIUS/EAP server for authentication of remote access clients and for managing per-user policy. The RADIUS/EAP server must be reachable from all the SD-WAN RA headends in a service VPN.

CA Server Setup

The next section is the CA Server Setup, however since this CA was configured on a previous task, it automatically pulls it. No required configuration here.

Add Feature 2

Configure AnyConnect EAP Setup

The next section is theAnyConnect EAP Setup, in this scenario the user is authenticated, therefore theUser Authenticationcheck box is the option selected (default).

Any Connect EAP Setup

Note: If dual authentication for both user/password and client certificate is desired, select the User & Device Authentication option. This configuration corresponds to the CLI command:authentication remote anyconnect-eap aggregate cert-request

Configure AAA Policy

For this SDRA guide, the remote users contain an email domain, for example, sdra-user@test.com. Therefore, to achieve this, select the optionDerive Name from Peer Identity Domain.

In thePolicy Passwordfield:cisco12345

Edit Remote Access Feature

IKEv2 and IPSec Settings

You can leave all these configurations as default and click onSave.

Associate Device and Deploy

Once Remote Access has been configured, proceed to deploy the configuration through the Associated Devices tab.

Associated Devices

Select the checkbox of the desired device and Deploy.

ClickNext

SelectPreview CLI

Summary

In the next screen, select Deploy one more time.

Verify

Request PKI Certificates

After deployment is completed, you need to request the ID certificate on the RA Headend through CLI.

1. Log in to the CLI RA Headend.

2. Verify the trustpoint configuration has been successfully deployed with the show run | sec crypto pki trustpoint command.

crypto pki trustpoint sdra_trustpoint
enrollment url http://192.168.6.3:80
fingerprint 8F0B275AA454891B706AC5F27610157C4BE4C277
subject-name CN=SDRA-6-10.0.0.6-Spoke4-CG
vrf 1
revocation-check none
rsakeypair sdra_trustpoint 2048
auto-enroll 80
hash sha256

3. Verify if the CA Certificate (root cert) is installed on the sdra_trustpoint

show crypto pki cert sdra_trustpoint

4. If there is no CA Certificate associated proceed to authenticate to the CA Server

crypto pki authenticate sdra_trustpoint

5. Request the ID Certificate for the edge device that is utilized for the Remote Access (RA) connection

Note: Please verify that the two certificates listed are installed and correctly associated with the sdra_trustpoint to ensure that remote access functions as intended.

crypto pki enroll sdra_trustpoint

Spoke4-CG#show crypto pki cert sdra_trustpoint 
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer: 
    cn=CA-SERVER-SDRA-CLUS2024
  Subject:
    Name: Spoke4-CG
    hostname=Spoke4-CG
    cn=SDRA-6-10.0.0.6-Spoke4-CG
  Validity Date: 
    start date: 21:22:15 UTC Apr 26 2024
    end   date: 21:22:15 UTC Apr 26 2025
    renew date: 21:22:14 UTC Feb 12 2025
  Associated Trustpoints: sdra_trustpoint 
  Storage: nvram:CA-SERVER-SD#3.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=CA-SERVER-SDRA-CLUS2024
  Subject: 
    cn=CA-SERVER-SDRA-CLUS2024
  Validity Date: 
    start date: 22:37:07 UTC Apr 22 2024
    end   date: 22:37:07 UTC Apr 22 2027
  Associated Trustpoints: sdra_trustpoint 
  Storage: nvram:CA-SERVER-SD#1CA.cer

Crypto PKI debugs

If you encounter any issues while requesting the certificates, please enable the debug commands to assist in troubleshooting:

       debug crypto pki messages
       debug crypto pki scep
       debug crypto transactions

Reference: RADIUS Attributes

A RADIUS server needs to be configured with the Cisco attribute-value (AV) Pair attributes corresponding to the remote access user.

This is an example of a FreeRADIUS user configuration.

IPSec Cisco AV Pair Attributes:

test.com Cleartext-Password := "cisco12345"
 Cisco-AVPair = "ip:interface-config=vrf forwarding 1",
 Cisco-AVPair += "ip:interface-config=ip unnumbered GigabitEthernet1",
 Cisco-AVPair += "ipsec:addr-pool=sdra_ip_pool",
 Cisco-AVPair += "ipsec:route-set=prefix 192.168.6.0/24"

SSL Cisco AV Pair Attributes:

 sdra_sslvpn_policy Cleartext-Password := "cisco"
 Cisco-AVPair = "ip:interface-config=vrf forwarding 1",
 Cisco-AVPair += "ip:interface-config=ip unnumbered GigabitEthernet1",
 Cisco-AVPair += "webvpn:addr-pool=sdra_ip_pool"

Related Information

Revision History

Revision	Publish Date	Comments
1.0	29-Aug-2024	Initial Release

Contributed by Cisco Engineers

Amanda Nava
SD-WAN Technical Leader

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)