GET VPN - part five (Group Member Authorization List)

In this short post I would like to show one interesting feature that allows us to control which GM can register in a particular KS. I will use the same scenario I used in my previous posts.

getvpn-1.jpg

There two methods how we can control it:

a) ACL

b) PKI

Let’s try with the first one:

I would like to limit the number of GMs to just only one 4.4.4.2. I need to add firs a standard access list:

access-list 50 permit 4.4.4.2

and then add the ACL to the gdoi group configuration (authorization address ipv4):

crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey lifetime seconds 300
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  authorization address ipv4 50
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
  redundancy
   local priority 10
   peer address ipv4 6.6.6.2

When I check the member list I see only one: (you need first issue two commands: clear crypto isakmp, clear crypto gdoi):

R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 6.6.6.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

You can find following message:

R2#
*Dec 15 18:54:48.835: %GDOI-1-UNAUTHORIZED_IPADDR: Group GDOI-GROUP received registration from unauthorized ip address: 7.7.7.2
R2#

Next method, PKI, is described by Cisco here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-D334DB6B-C3EC-4792-AA0F-B13C25006B5B

and I try to implement it now.

On all clients (R3,R4 and R5) I need to add:

 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=HR

assume that only OU=HR should be able to register at the KS, so on the R5 I change it to:

 crypto pki trustpoint CA-TP
 subject-name CN=R3.mymicroblog.com,OU=IT

On all clients I need to change isakmp identity:

 crypto isakmp identity dn

On servers I have to add a new crypto identity:

crypto identity PKI
 dn OU=HR

so, only clients with organization unit equals ‘HR’ should register.
Now I need to add this authorization identity to the crypto gdoi group:

crypto gdoi group GDOI-GROUP
 identity number 1
 server local
 authorization identity PKI

On the KS1 I see following message:

R1#
*Dec 15 21:04:20.243: %GDOI-1-UNAUTHORIZED_IDENTITY: Group GDOI-GROUP received registration from unauthorized identity:       Dist. name parsing failed. Peer Address: 5.5.5.2
R1#

It means the authorization works fine. Let’s check member list:

R1#sh crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GDOI-GROUP : 0

Group Member ID    : 4.4.4.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

Group Member ID    : 7.7.7.2     GM Version: 1.0.4
 Group ID          : 1
 Group Name        : GDOI-GROUP
 Key Server ID     : 3.3.3.2
 Rekeys sent       : 0
 Rekeys retries    : 0
 Rekey Acks Rcvd   : 0
 Rekey Acks missed : 0

 Sent seq num : 0       0       0       0
Rcvd seq num :  0       0       0       0

R1#

There are only two members, the one excluded has not registered.

 
7
Kudos
 
7
Kudos

Now read this

ACS, radius and management access to ASA

There are couple of ways how to configure management access to ASA. One of them is configuring users in ACS database. Depending on radius attributes the user can have access to specific management ways. ciscoasa# sh run aaa aaa... Continue →