Updated:August 29, 2024
Document ID:222336
This document describes how to configure SD-WAN Remote Access (SDRA) using an existing configuration group.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Cisco Software-Defined Wide Area Network (SD-WAN)
Public Key Infrastructure (PKI)
FlexVPN
RADIUS server
Components Used
The information in this document is based on these software and hardware versions:
C8000V version 17.12.03a
vManage version 20.12.03a
Certificate Authority (CA) server with simple certificate enrollment protocol (SCEP)
AnyConnect Secure Mobility Client version 4.10.04071
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure Certificate Authority (CA) on Manager
This section guides you through the configuration of a Certificate Authority (CA) server for SCEP-based automatic enrollment via the SD-WAN Manager.
Note: The devices enabled for remote access receive a certificate from this certificate authority. The devices use the certificate to authenticate to remote access clients.
Step 1. Navigate to Enterprise CA to configure the CA certificate through vManage. From the vManage GUI:
Configuration -> Certificate Authority -> Enterprise CA
Note: The other CA options, such as Enterprise CA without SCEP, Cisco vManage as CA, and Cisco vManage as intermediate CA, are not supported for the SD-WAN RA feature.
Step 2. Once the Enterprise CA has been displayed, select the SCEP option.
Step 3. Copy and paste the CA certificate into the Root Certificate box.
Step 4. Fill out your CA Server information:
Note: The CA server has been placed in service VRF 1. The CA server must be reachable through the service VRF from all the SD-WAN RA headends.
Step 5. Click on Save Certificate Authority to save the configuration.
Note: The related CA settings are applied once the remote access configuration is finished and implemented on the device.
Add the Remote Access Feature Profile to an Existing Configuration Group
Set up remote access by modifying an existing configuration group.
Note: SDRA can be configured using either the CLI add-on template or Configuration Groups. However, it does not support the use of feature templates.
Enable Remote Access on Service VPN
Warning: Enabling remote access on a service VPN is a required step. Without this, any subsequent configurations for remote access parameters (profile/feature) are not propagated to the device.
Step 1. From vManage GUI, navigate to Configuration -> Configuration Groups. Click the three dots (...) on the right side of your preexisting configuration group and click Edit.
Step 2. Scroll down to Service Profile:<name>, and expand the section. Click the three dots (...) on the right side of the desired VPN profile and click Edit Feature.
Step 3. Select the check box Enable SD-WAN Remote Access.
Step 4. Click Save.
Configure the Remote Access Feature
Step 1. From the vManage GUI, navigate to Configuration -> Configuration Groups -> <Config Group Name>. Click the three dots (...) on the right side and click Edit.
Note: SDRA supports both IPSec and SSL; however, the guide specifies the use of IPSec for this lab, while noting that SSL configuration is optional and largely follows the same steps.
Configure RADIUS Server
The first part of the remote access configuration is the RADIUS Server Setup. Click Add Radius Group to expand it, and then click Add Radius Group.
Expand the RADIUS Server section, and click Add RADIUS Server.
Fill out the RADIUS server configuration with the RADIUS IPv4 Address and Key, and click Add as the example shows.
Expand the RADIUS Group section, and click Add RADIUS Group.
Select the drop-down to the left of VPN, and select Global.
Add the RADIUS server that was previously configured.
Once you configure the RADIUS Group as shown in the picture, click Add to save the RADIUS Group.
This is an example of a completed RADIUS configuration. Click Save.
Note: SD-WAN RA headends use a RADIUS/EAP server for authentication of remote access clients and for managing per-user policy. The RADIUS/EAP server must be reachable from all the SD-WAN RA headends in a service VPN.
CA Server Setup
The next section is the CA Server Setup. Because the CA was configured in a previous task, it is pulled in automatically, and no configuration is required here.
Configure AnyConnect EAP Setup
The next section is the AnyConnect EAP Setup. In this scenario the user is authenticated, so the User Authentication check box is the option selected (the default).
Note: If dual authentication for both user/password and client certificate is desired, select the User & Device Authentication option. This configuration corresponds to the CLI command: authentication remote anyconnect-eap aggregate cert-request
Configure AAA Policy
For this SDRA guide, the remote user names contain an email domain, for example, sdra-user@test.com. Therefore, select the option Derive Name from Peer Identity Domain.
In the Policy Password field: cisco12345
IKEv2 and IPSec Settings
You can leave all these configurations as default and click on Save.
Associate Device and Deploy
Once Remote Access has been configured, proceed to deploy the configuration through the Associated Devices tab.
Select the checkbox of the desired device and Deploy.
Click Next.
Select Preview CLI.
In the next screen, select Deploy one more time.
Verify
Request PKI Certificates
After deployment is completed, you need to request the ID certificate on the RA headend through the CLI.
1. Log in to the CLI of the RA headend.
2. Verify the trustpoint configuration has been successfully deployed with the show run | sec crypto pki trustpoint command.
3. Verify whether the CA certificate (root cert) is installed on the sdra_trustpoint:
show crypto pki cert sdra_trustpoint
4. If there is no CA certificate associated, proceed to authenticate to the CA server:
crypto pki authenticate sdra_trustpoint
5. Request the ID certificate for the edge device that is used for the Remote Access (RA) connection:
Note: Please verify that the two certificates listed are installed and correctly associated with the sdra_trustpoint to ensure that remote access functions as intended.
crypto pki enroll sdra_trustpoint
Spoke4-CG#show crypto pki cert sdra_trustpoint
Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=CA-SERVER-SDRA-CLUS2024
Subject:
Name: Spoke4-CG
hostname=Spoke4-CG
cn=SDRA-6-10.0.0.6-Spoke4-CG
Validity Date:
start date: 21:22:15 UTC Apr 26 2024
end date: 21:22:15 UTC Apr 26 2025
renew date: 21:22:14 UTC Feb 12 2025
Associated Trustpoints: sdra_trustpoint
Storage: nvram:CA-SERVER-SD#3.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=CA-SERVER-SDRA-CLUS2024
Subject:
cn=CA-SERVER-SDRA-CLUS2024
Validity Date:
start date: 22:37:07 UTC Apr 22 2024
end date: 22:37:07 UTC Apr 22 2027
Associated Trustpoints: sdra_trustpoint
Storage: nvram:CA-SERVER-SD#1CA.cer
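The check the Note above asks for (both certificates installed and bound to sdra_trustpoint) can be scripted. This is an added example written for this page, not Cisco code: it parses the show output and reports, per certificate, which enrollment step is still missing, whether it is inside its validity window, and whether the renew date has passed. The sample output is a constructed, abridged copy of the lab output above; timestamps are handled as naive UTC.

```python
import re
from datetime import datetime
# Constructed sample: abridged copy of this page's "show crypto pki cert sdra_trustpoint" output.
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Validity Date:
    start date: 21:22:15 UTC Apr 26 2024
    end   date: 21:22:15 UTC Apr 26 2025
    renew date: 21:22:14 UTC Feb 12 2025
  Associated Trustpoints: sdra_trustpoint
CA Certificate
  Status: Available
  Validity Date:
    start date: 22:37:07 UTC Apr 22 2024
    end   date: 22:37:07 UTC Apr 22 2027
  Associated Trustpoints: sdra_trustpoint
"""
FIELD = re.compile(r"^\s*(Status|Associated Trustpoints|start date|end\s+date|renew date):\s*(.+?)\s*$")
def ios_time(s):  # '21:22:15 UTC Apr 26 2024' -> naive datetime (UTC)
    return datetime.strptime(s.replace(" UTC ", " "), "%H:%M:%S %b %d %Y")

def parse_pki_certs(text):
    """One dict per block: 'Certificate' is the router ID cert, 'CA Certificate' the root."""
    certs = []
    for line in text.splitlines():
        if re.fullmatch(r"(CA )?Certificate\s*", line):  # block header line
            certs.append({"type": line.strip()})
        elif certs and (m := FIELD.match(line)):
            key = re.sub(r"\s+", " ", m.group(1))  # normalise "end   date"
            certs[-1][key] = ios_time(m.group(2)) if key.endswith("date") else m.group(2)
    return certs

def check_sdra_trustpoint(text, now, trustpoint="sdra_trustpoint"):
    """Return (ok, problems); 'now' is an IOS-format timestamp. Each problem names the CLI fix."""
    now, problems = ios_time(now), []
    by_type = {c["type"]: c for c in parse_pki_certs(text)}
    for kind, fix in (("CA Certificate", "authenticate"), ("Certificate", "enroll")):
        c = by_type.get(kind)
        if c is None:
            problems.append(f"{kind} missing: run 'crypto pki {fix} {trustpoint}'")
            continue
        if c.get("Status") != "Available" or trustpoint not in c.get("Associated Trustpoints", ""):
            problems.append(f"{kind} is not Available on trustpoint {trustpoint}")
        start, end = c.get("start date"), c.get("end date")
        if not (start and end and start <= now <= end):
            problems.append(f"{kind} is outside its validity window")
        elif now >= c.get("renew date", end):
            problems.append(f"{kind} is past its renew date: re-run 'crypto pki {fix} {trustpoint}'")
    return (not problems, problems)
```

Feed it the real output of show crypto pki cert sdra_trustpoint and the router's show clock time; an empty problem list means the trustpoint is ready for remote access clients.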
Crypto PKI debugs
If you encounter any issues while requesting the certificates, please enable the debug commands to assist in troubleshooting: