Good day, everyone.
Experts, please advise.
I have a VPN set up with AnyConnect over IKEv2, with certificate-based authentication. Is it possible to add an additional check via AAA (login/password) on top of that, the same way it works in WebVPN or EasyVPN?
Here is how it works now:
Code:
aaa new-model
...
! AAA method lists: login (authentication) and network (authorization), both local
aaa authentication login REMOTEAUTHEN local
...
aaa authorization network REMOTEAUTHOR local
...
! Trustpoint shared by the IKEv2 profile and the WebVPN gateway
crypto pki trustpoint webvpn-tp
 serial-number none
 ip-address none
 subject-name [...]
 crl cache delete-after 15
 revocation-check crl
 rsakeypair webvpn-key
 ! AAA username is taken from the CN of the peer certificate
 authorization username subjectname commonname
 eku request server-auth client-auth
...
! IKEv2 authorization policy pushed to AnyConnect clients (pool, DNS, split tunnel)
crypto ikev2 authorization policy REMOTE-authpol
 pool REMOTE-USER-pool
 dns 192.168.1.1
 netmask 255.255.255.255
 split-dns local
 include-local-lan
 route set access-list REMOTE-USER-stdacl
!
! IKEv2 proposal: AES-256-CBC, SHA-1 integrity, DH group 2 (SHA-1 and group 2 are legacy)
crypto ikev2 proposal aes256sha
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy 10
 match fvrf any
 proposal aes256sha
!
!
! IKEv2 profile: mutual RSA-signature (certificate) authentication, no EAP configured
crypto ikev2 profile RemoteUser-ikev2prof
 match certificate REMOTE-USER-cert-map
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint webvpn-tp
 dpd 60 10 on-demand
 ! group authorization through the REMOTEAUTHOR list, policy REMOTE-authpol
 aaa authorization group cert list REMOTEAUTHOR REMOTE-authpol local
 virtual-template 102
!
no crypto ikev2 http-url cert
crypto ikev2 disconnect-revoked-peers
...
! SSL VPN (WebVPN) gateway and context: here the client certificate AND an AAA login are both required
webvpn gateway webvpn-gw
 ip address aaa.bbb.ccc.ddd port 443
 http-redirect port 80
 ssl encryption aes256-sha1
 ssl trustpoint webvpn-tp
 inservice
!
webvpn context webvpn-ctx
 virtual-template 1
 aaa authentication list REMOTEAUTHEN
 gateway webvpn-gw
 ! certificate check plus AAA username/password; username is pre-filled from the certificate
 authentication certificate aaa
 username-prefill
 ca trustpoint webvpn-tp
 !
 ssl encryption aes256-sha1
 ssl authenticate verify all
 inservice
 !
 policy group pol_1
  functions svc-enabled
  functions svc-required
  timeout idle 3600
  svc address-pool "REMOTE-USER-pool" netmask 255.255.255.255
  svc dpd-interval client 60
  svc dpd-interval gateway 60
  svc mtu 1300
  svc profile RemoteSSLIPSEC
  svc split dns "local"
  svc split include acl REMOTE-USER-stdacl
  svc dns-server primary 192.168.1.1
 default-group-policy pol_1