GET VPN - part five (Group Member Authorization List)
In this short post I would like to show one interesting feature that allows us to control which GM can register in a particular KS. I will use the same scenario I used in my previous posts.
There two methods how we can control it:
a) ACL
b) PKI
Let’s try with the first one:
I would like to limit the number of GMs to just only one 4.4.4.2. I need to add firs a standard access list:
access-list 50 permit 4.4.4.2
and then add the ACL to the gdoi group configuration (authorization address ipv4):
crypto gdoi group GDOI-GROUP
identity number 1
server local
rekey lifetime seconds 300
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN-KEY
rekey transport unicast
authorization address ipv4 50
sa ipsec 1
profile IPSEC-PROFILE
match address ipv4 101
replay counter window-size 64
address ipv4 3.3.3.2
redundancy
local priority 10
peer address ipv4 6.6.6.2
When I check the member list I see only one: (you need first issue two commands: clear crypto isakmp, clear crypto gdoi):
R1#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group GDOI-GROUP : 0
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP
Key Server ID : 6.6.6.2
Rekeys sent : 0
Rekeys retries : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
R1#
You can find following message:
R2#
*Dec 15 18:54:48.835: %GDOI-1-UNAUTHORIZED_IPADDR: Group GDOI-GROUP received registration from unauthorized ip address: 7.7.7.2
R2#
Next method, PKI, is described by Cisco here:
and I try to implement it now.
On all clients (R3,R4 and R5) I need to add:
crypto pki trustpoint CA-TP
subject-name CN=R3.mymicroblog.com,OU=HR
assume that only OU=HR should be able to register at the KS, so on the R5 I change it to:
crypto pki trustpoint CA-TP
subject-name CN=R3.mymicroblog.com,OU=IT
On all clients I need to change isakmp identity:
crypto isakmp identity dn
On servers I have to add a new crypto identity:
crypto identity PKI
dn OU=HR
so, only clients with organization unit equals ‘HR’ should register.
Now I need to add this authorization identity to the crypto gdoi group:
crypto gdoi group GDOI-GROUP
identity number 1
server local
authorization identity PKI
On the KS1 I see following message:
R1#
*Dec 15 21:04:20.243: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GDOI-GROUP received registration from unauthorized identity: Dist. name parsing failed. Peer Address: 5.5.5.2
R1#
It means the authorization works fine. Let’s check member list:
R1#sh crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group GDOI-GROUP : 0
Group Member ID : 4.4.4.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP
Key Server ID : 3.3.3.2
Rekeys sent : 0
Rekeys retries : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
Group Member ID : 7.7.7.2 GM Version: 1.0.4
Group ID : 1
Group Name : GDOI-GROUP
Key Server ID : 3.3.3.2
Rekeys sent : 0
Rekeys retries : 0
Rekey Acks Rcvd : 0
Rekey Acks missed : 0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
R1#
There are only two members, the one excluded has not registered.