Alex HONOR
CCIE #19553
Senior Customer Support Engineer
EMEA Technical Assistance Center
Objectives & Prerequisites
Session objectives:
Introduce IKEv2 & FlexVPN, with a focus on AAA-based management
Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution
with a variety of clients (software & hardware)
Solve simple & complex use cases using FlexVPN
Basic understanding of the following topics is required:
IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect, VRF, QoS
Experience with the following features is a plus:
Easy VPN, MQC, VRF-Lite, iBGP
More FlexVPN (hub-spoke, dynamic mesh, MPLS over Flex, multicast, ...)
BRKSEC-3036 Advanced IPsec designs with FlexVPN by F. Detienne
Friday 11:30am, North Wing Level -1, Green Hall 3
BRKSEC-2881 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Agenda
Introduction to FlexVPN
Configuration Building Blocks
FlexVPN AAA Integration
  AAA-Based Authentication
  User & Group Authorization
  Connection Accounting
Remote Access Clients
  AnyConnect Software Mobility Client
  Windows Native IKEv2 Client
  FlexVPN Hardware Client
Scenarios & Use Cases
  Full & Split Tunneling
  Tunnel Interfaces
  Network Extension
  Virtualization (VRF)
  Quality of Service
FlexVPN SSL Preview
Wrap-up
Before We Begin...
Introduction to FlexVPN
FlexVPN Overview
Unified overlay VPN
Combines site-to-site, remote access, hub-spoke & spoke-spoke topologies
IPsec VPN compliant with the IKEv2 standard
SSL VPN remote access coming soon (AnyConnect Secure Mobility Client)
FlexVPN highlights
Unified CLI with smart defaults
Unified infrastructure that leverages point-to-point tunnel interfaces
Most features available across all topologies (QoS, AAA, VRF, ...)
Interoperable with other IKEv2 implementations (ASA, Windows, strongSwan, ...)
Easier to learn, market and manage
Solution Positioning
Feature comparison of the three IOS VPN options. The rotated column headers came out of extraction as fragments, in this order: Spoke to Spoke Direct, Full AAA Mgmt, Dynamic Routing, Per-Peer Config Push, Per-Peer QoS, Failover, Routing, Interop., Remote Access, Source, IPsec, Simple Config.
  Easy VPN     No   No   Yes  No   Yes  Yes   No   Yes  Yes  Yes  Complex
  Crypto Map   Yes  No   Yes  No   Yes  Poor  No   No   No   No   No
  FlexVPN      Yes  Yes  Yes  Yes  Yes  Yes   Yes  Yes  Yes  Yes  Yes
The point of the slide: FlexVPN answers Yes in every column; Easy VPN and crypto maps each cover only a subset, and Easy VPN configuration is rated Complex.
Why FlexVPN ?
IKEv2 is a major protocol update
No backward compatibility with IKEv1
Requires serious consideration and reconfiguration
Brings in a lot of improvements
Major IOS architecture rework needed to address needs
Per-peer features (QoS, ZBFW, policies, VRF injection, ...)
Too many overlay technologies: the offering was too fragmented
VPN learning time had grown out of control (1 day techtorial insufficient)
IKEv2 is a good transition point to revisit design and architecture
Ideal for all types of VPNs
Service aggregation (remote access, site-to-site, ...)
Improved service management
Multitenancy
Comparing IKEv1 & IKEv2
IKEv1: ISAKMP (RFC 2408), IPsec DOI (RFC 2407), IKE (RFC 2409), plus add-ons: DPD, Config Mode, NAT-T, Hybrid Auth, etc.
IKEv2: RFC 5996 (since obsoleted by RFC 7296), plus EAP-Only IKEv2 (RFC 5998), Childless IKEv2 (RFC 6023), IKEv2 Redirect (RFC 5685)
Same objectives: integrity, confidentiality, authentication
More secure: anti-DoS, Suite-B
Authentication options: PSK, RSA signatures, EAP authentication
IKEv2 Configuration Exchange
Initiator (RA client) requests configuration parameters from the responder (RA server) inside IKE_AUTH:
  CFG_REQUEST  "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets"
  CFG_REPLY    "Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. My protected IPv6 subnets are ..."  (derived from peer authorization)
Initiator and/or responder sends unsolicited configuration parameters to its peer, inside an INFORMATIONAL exchange:
  CFG_SET      "My local IPv6 protected subnets are ..."  (derived from peer authorization)
  CFG_ACK      acknowledged
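The exchange above, as an added worked example that is not part of the deck: a small Python encoder/decoder for the IKEv2 Configuration payload (RFC 7296, section 3.15) that builds the client's CFG_REQUEST, answers it with a CFG_REPLY and parses both. The attribute type numbers and the 17-byte address-plus-prefix encoding are from RFC 7296; the addresses, the function names and the choice to answer a WINS request by omitting the attribute are assumptions of the example, not IOS behaviour.

```python
"""IKEv2 Configuration payload codec (RFC 7296, section 3.15).

Added example, not part of the Cisco deck: it models the CFG_REQUEST /
CFG_REPLY exchange for an IPv6 remote-access client. Attribute types and
encodings follow RFC 7296; the addresses are constructed sample data.
"""
import ipaddress
import struct

# Configuration payload types (CFG Type field)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
CFG_NAMES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}

# Configuration attribute types used here (RFC 7296 3.15.1). RFC 7296 defines
# no IPv6 NBNS attribute, so a WINS request can only use INTERNAL_IP4_NBNS.
INTERNAL_IP4_NBNS = 4
INTERNAL_IP6_ADDRESS = 8
INTERNAL_IP6_DNS = 10
INTERNAL_IP6_SUBNET = 15


def encode_attr(attr_type, value=b""):
    """Attribute = R(1 bit, zero) | type(15) | length(16) | value."""
    if not 0 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def ip6_with_prefix(cidr):
    """16-byte address + 1-byte prefix length (IP6_ADDRESS / IP6_SUBNET)."""
    iface = ipaddress.IPv6Interface(cidr)
    return iface.ip.packed + bytes([iface.network.prefixlen])


def build_cfg_payload(cfg_type, attrs):
    """CFG Type(8) | RESERVED(24) | attributes (generic payload header omitted)."""
    return struct.pack("!B3x", cfg_type) + b"".join(encode_attr(t, v) for t, v in attrs)


def parse_cfg_payload(data):
    """Return (cfg_type, [(attr_type, value), ...]); rejects truncated input."""
    if len(data) < 4:
        raise ValueError("configuration payload too short")
    cfg_type, attrs, off = data[0], [], 4
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("attribute length exceeds payload")
        attrs.append((raw_type & 0x7FFF, data[off:off + length]))  # drop R bit
        off += length
    return cfg_type, attrs


def client_request():
    """RA client asks for an IPv6 address, DNS, WINS and protected subnets;
    zero-length attributes in a CFG_REQUEST mean 'please assign'."""
    return build_cfg_payload(CFG_REQUEST, [
        (INTERNAL_IP6_ADDRESS, b""), (INTERNAL_IP6_DNS, b""),
        (INTERNAL_IP4_NBNS, b""), (INTERNAL_IP6_SUBNET, b"")])


def server_reply(request, assigned, dns_servers, subnets):
    """Answer only what was requested (values would come from authorization).
    A requested attribute the responder cannot supply (here WINS) is simply
    left out of the CFG_REPLY: that is how 'there is no WINS server' is said."""
    cfg_type, asked = parse_cfg_payload(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    wanted = {t for t, _ in asked}
    reply = []
    if INTERNAL_IP6_ADDRESS in wanted:
        reply.append((INTERNAL_IP6_ADDRESS, ip6_with_prefix(assigned)))
    if INTERNAL_IP6_DNS in wanted:
        reply += [(INTERNAL_IP6_DNS, ipaddress.IPv6Address(s).packed) for s in dns_servers]
    if INTERNAL_IP6_SUBNET in wanted:
        reply += [(INTERNAL_IP6_SUBNET, ip6_with_prefix(n)) for n in subnets]
    return build_cfg_payload(CFG_REPLY, reply)


def describe(payload):
    """Decode a payload into readable (type, value) pairs for inspection."""
    cfg_type, attrs = parse_cfg_payload(payload)
    decoded = []
    for t, v in attrs:
        if t in (INTERNAL_IP6_ADDRESS, INTERNAL_IP6_SUBNET) and len(v) == 17:
            decoded.append((t, f"{ipaddress.IPv6Address(v[:16])}/{v[16]}"))
        elif t == INTERNAL_IP6_DNS and len(v) == 16:
            decoded.append((t, str(ipaddress.IPv6Address(v))))
        else:
            decoded.append((t, v.hex()))
    return {"type": CFG_NAMES.get(cfg_type, cfg_type), "attrs": decoded}


if __name__ == "__main__":
    req = client_request()
    rep = server_reply(req, "2001:db8:1::22/128", ["2001:db8::53"],
                       ["2001:db8:10::/48", "2001:db8:20::/48"])
    print(describe(req))
    print(describe(rep))
```

The parser refuses truncated attributes rather than reading past the buffer, which is the check to keep when feeding real captures into it.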
IKEv2 Certificate-Based Authentication (diagram)
A (initiator) and B (responder) share a PKI with a Root CA and two subordinate CAs, Sub#1 and Sub#2. B is configured to accept certificates issued by Root and by Sub#1; A's certificate is issued by Sub#2. After IKE_SA_INIT_I / IKE_SA_INIT_R, A's IKE_AUTH carries CERT payloads with its own certificate and the Sub#2 issuer certificate chaining to Root, so that B can build the chain to a trust anchor it accepts and compute its own AUTH towards A.
Interface Features: FlexVPN Server

Configuration Building Blocks
Configuration Example
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com   ! IKEv2 identity & profile selection
   identity local fqdn router.cisco.com
   authentication local rsa-sig                   ! IKEv2 authentication & certificates
   authentication remote eap
   pki trustpoint root sign
   aaa authentication eap default                 ! AAA integration (authentication,
   aaa authorization user eap                     !   authorization, accounting)
   virtual-template 1
IKEv2 CLI Overview: Proposal, Policy and Keyring
IKEv2 CLI Overview: IKEv2 Profile (extensive CLI)
Self identity control: only one local identity is allowed per profile (one of):
  crypto ikev2 profile default
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email local@cisco.com
   identity local dn
Match on peer IKE identity: multiple match identity statements are allowed:
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email remote@cisco.com
   match identity remote email domain cisco.com
Or match on the peer certificate, through a certificate map:
   match certificate certificate_map
  with certificate_map containing, for example:
   subject-name co ou = engineering
IPsec CLI Overview
Tunnel protection, similar to DMVPN and Easy VPN; the transform set is unchanged:
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
Introducing Smart Defaults
Intelligent, reconfigurable defaults: all defaults can be modified, deactivated and restored.
Static Site-to-Site Example
Router 2 configuration (Router 1 is the peer at 192.0.2.1, IKE ID r1.cisco.com):
  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share key r1r2!
   authentication local pre-share key !r2r1
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.2.1
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.2 255.255.255.0
  !
  router rip
   version 2
   network 10.0.0.0
Exchange as seen from Router 2:
  1. IKE_SA_INIT: IKE SA agreement & Diffie-Hellman key exchange (not shown).
  2. Router 1, IKE_AUTH: "My IKE ID is r1.cisco.com (FQDN). My PSK authentication payload is ... I want to protect GRE traffic between ..."
  3. Router 2 maps the connection to IKEv2 profile default by matching on the peer FQDN.
  4. Router 2 verifies the peer's AUTH payload and produces its own based on the configured PSK, using its own FQDN as IKE ID.
  5. IPsec SAs are finalized (GRE between local & remote WAN addresses).
Note the asymmetric keys: the remote key on Router 2 (r1r2!) is Router 1's local key, and vice versa.
FlexVPN AAA Integration
FlexVPN AAA: Authentication, Authorization & Accounting
  Certificate authentication (optional)
  PSK authentication with AAA PSK retrieval
  RADIUS authorization
  RADIUS accounting
Building Block: IKEv2 Name Mangler
RA client (IKEv2 initiator) --IKEv2 exchange--> FlexVPN server (IKEv2 responder, RADIUS client/NAS) --RADIUS--> AAA server (RADIUS server)
The name mangler derives the AAA username from the RA client identity:
  RA client identity            name-mangler rule        result
  FQDN:  joe.cisco.com          fqdn hostname            joe
  Email: joe@cisco.com          email username           joe
  DN:    cn=joe,ou=IT,o=Cisco   dn common-name           joe
  EAP:   joe@cisco              eap prefix delimiter @   joe

  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @
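An added Python model of the name-mangler rules above (not IOS code and not part of the deck): it derives the AAA username from each identity type with the slide's four rules, adds the complementary domain / suffix / other-DN-attribute forms, and treats a rule that cannot be applied (for example eap prefix on an identity with no delimiter) as an error rather than silently returning an empty name; how IOS itself handles that case is not stated on the slide. The sample identities are the slide's; the function names are the example's own.

```python
"""IKEv2 name-mangler logic as a Python model (added example, not IOS code).

Mirrors the slide's rules 'fqdn hostname', 'email username', 'dn common-name'
and 'eap prefix delimiter @', plus the complementary forms. Rules that cannot
be applied raise, which is this model's choice, not documented IOS behaviour.
"""


def _split_dn(dn):
    """Parse a comma-separated DN into ordered (attr, value) pairs.
    Handles RFC 4514 backslash escapes; multi-valued RDNs are not supported."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    out = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip()))
    return out


def mangle(identity_type, identity, rule, delimiter="@"):
    """Return the username a rule derives from an IKEv2 or EAP identity.

    identity_type: 'fqdn' | 'email' | 'dn' | 'eap'
    rule: 'hostname'|'domain' (fqdn); 'username'|'domain' (email);
          a DN attribute such as 'common-name', 'cn', 'ou' (dn);
          'prefix'|'suffix'|'all' (eap)
    """
    if identity_type == "fqdn":
        host, _, domain = identity.partition(".")
        if rule == "hostname":
            return host
        if rule == "domain":
            if not domain:
                raise ValueError("FQDN has no domain part")
            return domain
    elif identity_type == "email":
        if "@" not in identity:
            raise ValueError("email identity lacks '@'")
        user, domain = identity.rsplit("@", 1)
        if rule == "username":
            return user
        if rule == "domain":
            return domain
    elif identity_type == "dn":
        attr = {"common-name": "cn", "organization": "o",
                "organizational-unit": "ou", "country": "c"}.get(rule, rule)
        for a, v in _split_dn(identity):
            if a == attr:
                return v
        raise ValueError(f"DN has no {attr} attribute")
    elif identity_type == "eap":
        if rule == "all":
            return identity
        if delimiter not in identity:
            raise ValueError(f"EAP identity has no {delimiter!r} delimiter")
        prefix, _, suffix = identity.partition(delimiter)
        if rule == "prefix":
            return prefix
        if rule == "suffix":
            return suffix
    raise ValueError(f"unsupported rule {rule!r} for identity type {identity_type!r}")


def extract_user(identity_type, identity):
    """The slide's 'extract-user' mangler: each identity form yields 'joe'."""
    rule = {"fqdn": "hostname", "email": "username",
            "dn": "common-name", "eap": "prefix"}[identity_type]
    return mangle(identity_type, identity, rule)


if __name__ == "__main__":
    for kind, ident in [("fqdn", "joe.cisco.com"), ("email", "joe@cisco.com"),
                        ("dn", "cn=joe,ou=IT,o=Cisco"), ("eap", "joe@cisco")]:
        print(f"{kind:5} {ident:24} -> {extract_user(kind, ident)}")
```

The DN parser honours backslash escapes, so a CN such as "Doe\, John" is not split at the escaped comma; mangling the OU instead of the CN gives the group name used for group authorization later in the deck.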
AAA Pre-Shared Keys Packet Flow (diagram)
FlexVPN client (IKEv2 initiator) --IKEv2--> FlexVPN server (IKEv2 responder, RADIUS client/NAS) --RADIUS--> AAA server (RADIUS server): the server retrieves the peer's pre-shared keys from RADIUS during IKE_AUTH.
EAP Authentication
Extensible Authentication Protocol (RFC 3748)
Provides common functions for a variety of authentication methods
Tunneling methods (costly): EAP-TTLS, EAP-PEAP, ...
Non-tunneling (recommended): EAP-MSCHAPv2, EAP-GTC, EAP-MD5, ...
Implemented in IKEv2 as additional IKE_AUTH packets
RA client initiates EAP authentication by omitting AUTH payload in IKE_AUTH
RA server must authenticate itself using certificates (mandatory)
Authentication takes place between RA client and EAP backend authentication server
EAP packets are relayed by RA server
Between RA client and RA server: tunneled inside IKEv2
Between RA server and EAP backend: tunneled inside RADIUS
EAP method is transparent to RA server
Only needs to be supported by RA client and EAP backend
EAP Authentication: Roles and Methods
  RA client: IKEv2 initiator, EAP supplicant
  FlexVPN server: IKEv2 responder, RADIUS client/NAS, EAP authenticator (pass-through)
  AAA server: RADIUS server, EAP backend
EAP runs over IKEv2 between client and server and over RADIUS between server and backend:
  EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...: username-password, token or mobile authentication (one-way)
  EAP-TLS: TLS-based certificate authentication (mutual)
  EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ...: TLS-protected nested authentication (one-way or mutual)
EAP Authentication Packet Flow
Server configuration:
  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad

  RA client (EAP supplicant)                FlexVPN server (RADIUS NAS, EAP authenticator)        AAA server (EAP backend)
  IKE_AUTH: IDi, CFG_REQ, no AUTH    ->
                                     <-    IKE_AUTH: IDr, AUTH(RSA), EAP(ID-Request)
  IKE_AUTH: EAP(ID-Response: IDEAP)  ->    RADIUS Access-Request                           ->
                                     <-    IKE_AUTH: EAP(Method-Pkt#1)                      <-    RADIUS Access-Challenge
  IKE_AUTH: EAP(Method-Pkt#2)        ->    RADIUS Access-Request                           ->
  ... further method rounds; the MSK is derived on the client and on the backend ...
                                     <-    IKE_AUTH: EAP(Success)                           <-    RADIUS Access-Accept: EAP(Success), MSK, User-Name (EAP username), other user attributes (cached for authorization)
  IKE_AUTH: AUTH(MSK)                ->
                                     <-    IKE_AUTH: CFG_REPLY, AUTH(MSK)
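The RADIUS leg of the flow above, as an added Python example that is not from the deck: it builds the Access-Request in which the FlexVPN server (RADIUS NAS) relays the client's EAP Identity response, authenticates the backend's reply, and extracts the EAP packet to send back inside IKE_AUTH. Packet formats follow RFC 2865 and RFC 3579 (Message-Authenticator is mandatory whenever EAP-Message is present); the shared secret, identifiers, NAS address and the backend_reply stand-in for the AAA server are constructed for the example.

```python
"""RADIUS relay of EAP received in IKE_AUTH (added example, not IOS code).

Models the FlexVPN server's RADIUS-NAS role: wrap the EAP packet in an
Access-Request with EAP-Message (79) and Message-Authenticator (80), then
verify the backend's reply before relaying its EAP packet to the client.
Encodings follow RFC 2865 and RFC 3579; all sample values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
ZERO_MA = b"\x00" * 16


def eap_identity_response(eap_id, identity):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def avp(attr_type, value):
    """RADIUS attribute: Type(1) Length(1) Value; value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_avps(eap_packet):
    """EAP packets above 253 bytes are split across several EAP-Message AVPs."""
    return b"".join(avp(EAP_MESSAGE, eap_packet[i:i + 253]) for i in range(0, len(eap_packet), 253))


def parse_attrs(pkt):
    """Return [(type, value)] after validating the packet and attribute lengths."""
    length = struct.unpack_from("!H", pkt, 2)[0]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return attrs


def _with_zeroed_ma(attrs):
    """Re-serialize attributes with the Message-Authenticator value zeroed."""
    return b"".join(avp(t, ZERO_MA if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)


def build_access_request(secret, ident, request_auth, username, eap_packet, nas_ip):
    """Access-Request; Message-Authenticator = HMAC-MD5(secret, packet with MA zeroed)."""
    base = (avp(USER_NAME, username.encode())
            + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + eap_avps(eap_packet))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(base) + 18)
    mac = hmac.new(secret, header + request_auth + base + avp(MESSAGE_AUTHENTICATOR, ZERO_MA), hashlib.md5).digest()
    return header + request_auth + base + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_request(secret, request):
    """Backend-side check of an Access-Request's Message-Authenticator."""
    attrs = parse_attrs(request)
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0]) != 16:
        return False
    mac = hmac.new(secret, request[:20] + _with_zeroed_ma(attrs), hashlib.md5).digest()
    return hmac.compare_digest(mac, ma[0])


def backend_reply(secret, request, code, eap_packet):
    """Stand-in EAP backend so the relay can run offline. Per RFC 3579 the reply's
    MA is computed over the Request Authenticator; the Response Authenticator is
    then MD5(Code|ID|Length|RequestAuth|Attributes|Secret) per RFC 2865."""
    if not verify_request(secret, request):
        raise ValueError("request Message-Authenticator invalid")
    ident, request_auth = request[1], request[4:20]
    base = eap_avps(eap_packet)
    header = struct.pack("!BBH", code, ident, 20 + len(base) + 18)
    mac = hmac.new(secret, header + request_auth + base + avp(MESSAGE_AUTHENTICATOR, ZERO_MA), hashlib.md5).digest()
    attrs = base + avp(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(secret, reply, request_auth):
    """NAS-side check: both Response Authenticator and Message-Authenticator must
    verify, otherwise the reply is discarded. Returns (code, reassembled EAP)."""
    attrs = parse_attrs(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch")
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0]) != 16:
        raise ValueError("missing Message-Authenticator")
    mac = hmac.new(secret, reply[:4] + request_auth + _with_zeroed_ma(attrs), hashlib.md5).digest()
    if not hmac.compare_digest(mac, ma[0]):
        raise ValueError("Message-Authenticator mismatch")
    return reply[0], b"".join(v for t, v in attrs if t == EAP_MESSAGE)


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", os.urandom(16)
    eap = eap_identity_response(1, "joe@cisco")
    req = build_access_request(secret, 7, req_auth, "joe@cisco", eap, "192.0.2.2")
    # constructed EAP-Request/MD5-Challenge (identifier 2, 16-byte challenge)
    challenge = backend_reply(secret, req, ACCESS_CHALLENGE, b"\x01\x02\x00\x16\x04\x10" + os.urandom(16))
    print(verify_reply(secret, challenge, req_auth))
```

The Request Authenticator must be fresh and random per request (os.urandom here), since the backend's Message-Authenticator and Response Authenticator are both bound to it; a NAS that accepts a reply on the Response Authenticator alone, without checking the Message-Authenticator, forfeits the integrity protection RFC 3579 requires for EAP.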
EAP Authentication Initiation
Without query-identity the server sends no EAP Identity Request: the IKE identity (IDi) from the first IKE_AUTH ("IDi, CFG_REQ, no AUTH") is used as the EAP identity.
FlexVPN AAA Integration: User & Group Authorization
Authorization Types
Not mutually exclusive; they may be combined.
Implicit user authorization uses the attributes cached from RADIUS during AAA PSK retrieval or EAP authentication:
  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached
  RADIUS Access-Accept for joe, cached for authorization: Local PSK = cisco!, Remote PSK = !ocsic, other user attributes
Attributes Merging
  Source                                                        Attribute           Value
  Cached user attributes (received during AAA-based auth.)      Framed-IP-Address   10.0.0.101
  Explicit user attributes (received during user authorization) ipsec:dns-servers   10.2.2.2
Explicit user attributes take precedence over cached ones.
Attributes: Interface-Config Ordering
Interface-Config strings do not override each other during merging. Instead, higher-precedence statements are applied last; pay attention to command-specific behaviour (overwrites / stacks up / collides?).
Received during explicit group authorization (applied first):
  Interface-Config  zone-member security high       OK: will be overridden by the subsequent zone-member statement
  Interface-Config  service-policy output gold
Received during explicit user authorization (applied last):
  Interface-Config  zone-member security medium
  Interface-Config  service-policy output silver    NOK: collides with the previous service-policy statement ("Policy map silver is already attached")
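An added Python model of the two merging rules above (not IOS code, not from the deck): scalar attributes merge by precedence, while Interface-Config lines are applied in rising precedence order and checked against per-command behaviour, so a collision such as the second service-policy is reported before the RADIUS profile reaches a router. The precedence order cached < group < user and the behaviour table are assumptions of the model; only the two commands the slides show are classified, everything else is treated as stacking.

```python
"""Model of FlexVPN authorization-attribute merging (added example, not IOS).

Scalar attributes (Framed-IP-Address, ipsec:dns-servers, ...) merge by source
precedence: attributes cached from AAA-based authentication lose to explicit
authorization. Interface-Config strings are not merged; they are applied to
the virtual-access interface in rising precedence order, and the outcome
depends on the command. Assumed here: precedence cached < group < user, and a
behaviour table covering only the commands on the slides (zone-member
overwrites, a second service-policy in the same direction collides).
"""
from collections import OrderedDict

PRECEDENCE = {"cached": 0, "group": 1, "user": 2}   # assumed order, lowest applied first


def classify(line):
    """Map an Interface-Config line to (slot, behaviour). Lines sharing a slot
    interact: 'overwrite' replaces the earlier line, 'collide' is rejected by
    the router ('Policy map ... is already attached'), 'stack' coexists."""
    w = line.split()
    if w[:2] == ["zone-member", "security"] and len(w) == 3:
        return ("zone-member",), "overwrite"
    if w[:1] == ["service-policy"] and len(w) == 3 and w[1] in ("input", "output"):
        return ("service-policy", w[1]), "collide"
    return (line,), "stack"


def merge(sources):
    """sources: {name: {attr: value, ..., "Interface-Config": [lines]}}.
    Returns (scalars, interface_lines, problems); problems lists each
    Interface-Config line the router would reject."""
    scalars, applied, problems = {}, OrderedDict(), []
    for name, attrs in sorted(sources.items(), key=lambda kv: PRECEDENCE[kv[0]]):
        for attr, value in attrs.items():
            if attr != "Interface-Config":
                scalars[attr] = value          # higher precedence is applied last and wins
                continue
            for line in value:
                slot, behaviour = classify(line)
                if behaviour == "stack":
                    slot = slot + (name,)      # never interacts with other sources
                elif slot in applied and behaviour == "collide":
                    prev_line, prev_src = applied[slot]
                    problems.append(f"{name}: '{line}' collides with '{prev_line}' from {prev_src}")
                    continue
                if slot in applied:
                    del applied[slot]          # overwrite: the later line takes effect last
                applied[slot] = (line, name)
    return scalars, [line for line, _ in applied.values()], problems


# Constructed from the values on the slides (the cached DNS server is added here
# to show a scalar being overridden).
SLIDE_EXAMPLE = {
    "cached": {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.1.1.1"},
    "group": {"Interface-Config": ["zone-member security high",
                                   "service-policy output gold"]},
    "user": {"ipsec:dns-servers": "10.2.2.2",
             "Inter" "face-Config": ["zone-member security medium",
                                     "service-policy output silver"]},
}

if __name__ == "__main__":
    scalars, lines, problems = merge(SLIDE_EXAMPLE)
    print(scalars)
    print(lines)
    print(problems)
```

Run against the slide's group/user pair, the model returns the medium zone and the gold policy as the effective interface configuration and one problem line for the silver policy, which is the check to run over a new RADIUS user profile before rolling it out.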
Attributes Scope
AAA authorization enables the peer authorization between RA client and FlexVPN server and feeds the IKEv2 configuration exchange.
Attributes: IP Address Assignment
User-specific statically assigned IP address, returned as RADIUS IETF attributes:
  joe
    Framed-IP-Address = "10.0.1.101"
    Framed-IP-Netmask = "255.255.255.255"
DHCP-assigned IP addresses: the DHCP request is placed by IOS on behalf of the RA client. The DHCP server is set locally or passed by RADIUS:
  crypto ikev2 authorization policy Eng
   dhcp server 10.2.2.2
  Eng
    Cisco-AVPair = "ipsec:group-dhcp-server=10.2.2.2"
RADIUS-managed address pool
AnyConnect Backup Server List (diagram): the client reaches a primary and a backup FlexVPN server across the WAN.
AnyConnect Seamless Auto-Reconnect
Seamless reconnection after transient loss of connectivity, switching between networks (e.g. moving from 3G to WiFi) or computer suspend/resume.
Supported by AnyConnect desktop & mobile for both SSL & IKEv2.
FlexVPN server-side support introduced in IOS 15.4(1)T & IOS-XE 15.4(1)S / 3.11S:
  crypto ikev2 profile default
   ...
   reconnect [timeout <seconds>]
Suspend/resume client behaviour is configurable separately, through the XML profile:
  DisconnectOnSuspend: release VPN session resources upon suspend, do not reconnect
  ReconnectAfterResume: try to reconnect after the operating system resumes
Proprietary method:
  A session token is exchanged during initial session establishment (configuration exchange)
  Reconnection attempts use the session token as pre-shared key in IKE_AUTH
  Mutually exclusive with PSK configuration in the IKEv2 profile
  The session expires on the server after the configured timeout (default: 30 minutes)
Since the token is what authenticates the reconnect, it is a bearer credential for the whole timeout window; size the timeout to the risk.
AnyConnect Profile Deployment Options
Push the XML profile using a software management system, or send it via e-mail.
AnyConnect Mobile Manual Connection (screenshots)
Create a new manual connection: connection name, server FQDN, enable IKEv2, select the authentication method, certificate selection (one option is marked "Cisco ASA only").
AnyConnect Mobile URI Handler
anyconnect:// URI handler on Apple iOS & Android: import XML profile, create connection entry, connect & disconnect VPN.
  anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
AnyConnect Mobile Certificate Deployment
Package certificate & keypair into a PKCS#12 file.
Apple iOS: import the PKCS#12 from a URL or e-mail attachment, or provision credentials / set up SCEP enrollment using a configuration profile (e.g. via iPhone Configuration Utility).
Android: import the PKCS#12 from a URL, e-mail or the filesystem, or use existing credentials from Credential Storage.
AnyConnect Mutual RSA Signatures
Mutual IKE certificate-based authentication.
AnyConnect picks the best available identity certificate, based on the selection rules in the XML profile (if any); a certificate with EKU is preferred over one without.
Client IKE ID = certificate subject DN.
The server selects the IKEv2 profile based on a certificate match: matching is done on the certificate itself, not on the IKE ID.
Explicit user/group authorization.
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list frad name-mangler ou
   aaa authorization user cert list frad name-mangler cn
   virtual-template 1

  # Group definition
  Eng
    Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Flow: IKEv2 (RSA signatures) between client and server; RADIUS explicit authorization between server and AAA server.
AnyConnect EAP authentication uses EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 over IKEv2, relayed to the AAA server over RADIUS.

AnyConnect Certificate Requirements
Remote Access Clients: Windows Native IKEv2 Client
Since Windows 7, IKEv2/IPsec is natively supported for RA connections.
Supported authentication methods:
  Machine certificates (RSA signatures)
  EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
  EAP-TLS (certificate authentication, based on the TLS handshake)
  EAP-PEAP (tunnels another EAP method within TLS)
  EAP-TTLS (Windows 8; tunnels EAP or non-EAP authentication within TLS)
  EAP-AKA / EAP-SIM (Windows 8; SIM card & mobile network authentication)
Particularities:
  Requires EAP query-identity on the server (the client fails to respond to EAP otherwise)
  Requires AES-256 in the IPsec transform set (the IOS default at the time of the session was AES-128)
  RSA authentication fails if there are more than 100 CAs in the client's Local Machine Trusted Roots store
  KB975488: Windows 7 only sends the IP address as IKE identity (except when using certificates)
  KB814394: certificate requirements for EAP-TLS and PEAP-EAP-TLS
  KB939616: certificate keypair lost when copying from the user store to the machine store
Windows 7 VPN Connection Settings (1)
The DNS-resolvable server FQDN entered in the connection must be found in the CN/SAN of the FlexVPN server IKE certificate and in the CN of the EAP server TLS certificate (screenshots: EAP-MSCHAPv2 and RSA signatures settings).
Windows Mutual RSA Signatures
Mutual IKE certificate-based authentication; Windows can only use local machine certificates.
IKEv2 profile selection on the server: client IKE ID = certificate subject DN, but the server selects the profile based on the certificate map, i.e. matching is done on the certificate itself, not on the IKE ID.
Explicit user/group authorization: non-AAA authentication means there are no cached attributes, so the CN/OU fields are extracted from the DN using a name-mangler and the user/group attributes are retrieved from RADIUS.
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list frad name-mangler ou
   aaa authorization user cert list frad name-mangler cn
   virtual-template 1

  # Group definition
  Eng
    Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
  # User definition
  joe
    Cleartext-Password := "cisco"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255"
Flow: IKEv2 (RSA signatures) between client and server; RADIUS explicit authorization between server and AAA server.

Windows EAP Authentication: IKE Identity and Profile Selection
Windows 7 with the fix for KB975488 sends IKE ID = user@domain, so profile selection can be based on an email domain match:
   match identity remote email domain cisco
Windows 7 without the fix, or Windows 8 with the regression, sends IKE ID = client IP address:
   match identity remote address 0.0.0.0
  The only option is then a single IKEv2 profile and virtual-template for all groups; leverage AAA to provide service differentiation.
The EAP ID is provided by the client during authentication; this requires query-identity (the client cannot perform EAP otherwise):
   authentication remote eap query-identity
   aaa authentication eap frad
The EAP server queries the AAA database for attributes, which can be reused for implicit user authorization:
   aaa authorization user eap cached
The server sends an updated EAP ID in the final Access-Accept reply (usually the same value as the initial client-provided EAP ID); it can be mangled for group authorization:
   aaa authorization group eap list here ... name-mangler domain
Windows 7 EAP-MSCHAPv2
EAP ID = user or user@domain; password authentication against the EAP server database.
  crypto ikev2 profile default
   match identity remote email domain cisco
   match identity remote address 0.0.0.0
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root sign
   aaa authentication eap frad
   aaa authorization user eap cached
   virtual-template 1

  # User definition
  joe@cisco
    Cleartext-Password := "c1sc0!"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255",
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Flow: IKE (server authenticated by RSA signature) carrying EAP-MSCHAPv2 between client and server; RADIUS between server and AAA server.
Windows 7 EAP-TLS
The client performs a TLS handshake with the EAP server: mutual authentication using TLS certificates, client authentication mandatory (unlike EAP-PEAP).
EAP ID = TLS certificate UPN (or CN if none).
  crypto ikev2 profile default
   match identity remote email domain cisco
   match identity remote address 0.0.0.0
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root sign
   aaa authentication eap frad
   aaa authorization user eap cached
   virtual-template 1

  # User definition
  joe@cisco
    Cleartext-Password := "c1sc0!"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255",
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Flow: IKE between client and server carrying EAP-TLS; the TLS session runs end to end between client and EAP server over IKEv2 and RADIUS (EAP certificate/TLS-based authentication).
Windows 7 EAP-TLS Settings
Get certificate from Current
User certificate store
Windows 7 EAP-PEAP
The client performs a TLS handshake with the EAP server and authenticates the EAP server using its TLS certificate; the TLS tunnel protects the inner EAP exchange.
The inner (tunneled) EAP method authenticates the user; the outer EAP method returns the user attributes to the server.
  Tunneled EAP-MSCHAPv2: EAP ID = user or user@domain
  Tunneled EAP-TLS: EAP ID = TLS certificate UPN (or CN if none)
  crypto ikev2 profile default
   match identity remote email domain cisco
   match identity remote address 0.0.0.0
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root sign
   aaa authentication eap frad
   aaa authorization user eap cached
   virtual-template 1

  # User definition
  joe@cisco
    Cleartext-Password := "c1sc0!"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255",
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Flow: IKE between client and server carrying EAP-PEAP (TLS); inside the TLS tunnel, EAP-MSCHAPv2 or EAP-TLS runs end to end between client and EAP server over IKEv2 and RADIUS.
Windows 7 EAP-PEAP Settings
Server name must be found in
CN of EAP Server TLS certificate
Windows 7 Certificate Requirements (table; footnotes only survive)
  1. Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value.
  2. UPN (User Principal Name): Microsoft proprietary user@domain SAN extension (OID 1.3.6.1.4.1.311.20.2.3).
Windows 7 Certificate Import
Client keypair & certificate can be issued by CA and provisioned to client PC
Import keypair, identity cert and issuer cert from PFX / PKCS#12 package
Due to KB939616, machine IKEv2 cert must be imported explicitly into machine store
Remote Access Clients
FlexVPN Hardware Client
FlexVPN Hardware Client Overview
IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct
Supported authentication methods:
Certificates (RSA signatures)
EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
EAP-MD5 (hash-based authentication)
Pre-Shared Keys
Routing on FlexVPN server and client:
IKEv2 Routing (bidirectional Configuration Exchange)
Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)
IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces
More than a Remote Access client, useful also in hub-and-spoke designs
where advanced initiator logic is required (dial backup, object tracking, ...)
FlexVPN Hardware Client Example
Sample configuration:
  Static tunnel interface driven by the FlexVPN client profile
  Local AAA authorization (default IKEv2 authorization policy)
  Certificate-based mutual authentication (no EAP)
  Single peer (name resolution of the FQDN on connection)
Tunnel interface configuration:
  IP address assigned through the IKEv2 configuration exchange
  Tunnel destination set dynamically by the FlexVPN client logic
  IKEv2/IPsec initiation triggered by the FlexVPN client logic
Default IKEv2 routing between client & server:
  The client advertises a route for the Tunnel0 assigned IP address
  The client installs the prefixes advertised by the server (egress Tun0)

  aaa new-model
  aaa authorization network here local
  !
  crypto pki trustpoint root
   rsakeypair root
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here default
  !
  crypto ikev2 client flexvpn flexra
   peer 1 fqdn flexra.cisco.com dynamic
   client connect Tunnel0
  !
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel mode ipsec ipv4
   tunnel destination dynamic
   tunnel protection ipsec profile default

  client#show crypto ikev2 authorization policy default
  IKEv2 Authorization Policy : default
    route set interface
    route accept any tag : 1 distance : 1
FlexVPN Hardware Client Key Features
Peer list with object tracking: an ordered list of FlexVPN servers (by address or FQDN); entries are enabled/disabled based on tracking object state; additional peers can be pushed by the server during the configuration exchange.
  crypto ikev2 client flexvpn flexra
   peer 1 <address>
   peer 2 <address> track 10 up
   peer 3 <address> track 20 down
  !
  track 10 interface <name> line-protocol
  track 20 ip route <prefix> reachability
Connection modes:
  connect auto          automatic (infinite loop, 10 seconds between tries)
  connect track 10 up   when the tracking object goes up/down (enables dial backup)
  connect manual        manual (CLI-triggered)
EAP local authentication (IKEv2 initiator only); the username prompt appears only if the server does query-identity. Alternative: static credentials in the IKEv2 profile.
  crypto ikev2 profile default
   authentication local eap

  client#crypto ikev2 client flexvpn connect
  Enter the command 'crypto eap credentials flexra'
  client#crypto eap credentials flexra
  Enter the Username for profile flexra: joe@cisco
  Enter the password for username joe@cisco:
Configuration Review: Mutual RSA Signatures
Certificate selection depends on the client:
  AnyConnect picks the best available ID certificate, based on the selection rules in the XML profile (if any); a certificate with EKU is preferred over one without
  Windows uses a local machine certificate
  FlexVPN client uses the trustpoint in the initiator IKEv2 profile
IKEv2 profile selection on the server: client IKE ID = certificate subject DN, profile matched on the certificate map.
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list frad name-mangler ou
   aaa authorization user cert list frad name-mangler cn
   virtual-template 1

  # Group definition
  Eng
    Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Review: EAP Authentication (1)
The IKE identity depends on the client type:
  AnyConnect: KEY-ID string in the XML profile            -> match identity remote key-id acvpn
  Windows 7 with the fix for KB975488: user@domain        -> match identity remote email domain cisco
  Windows 7 w/o fix, 7 or 8 with regression: client IP     -> match identity remote address 0.0.0.0
    (only option: a single IKE profile and virtual-template for all groups; leverage AAA to provide service differentiation)
  crypto ikev2 profile default
   match identity remote key-id acvpn
   match identity remote email domain cisco
   match identity remote address 0.0.0.0
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root sign
   aaa authentication eap frad
   aaa authorization user eap cached
   virtual-template 1

  # User definition
  joe@cisco
    Cleartext-Password := "c1sc0!"
    Framed-IP-Address = "10.0.1.101",
    Framed-IP-Netmask = "255.255.255.255",
    Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

Review: EAP Authentication (2)
The EAP identity depends on the client type & EAP method (same server configuration and user definition as in part 1):
  AnyConnect: user[@domain] entered by the user
  Windows 7 + non-TLS EAP: user[@domain] entered by the user
  Windows 7 + TLS-based EAP: TLS certificate UPN (CN if none)
FlexVPN Routing
FlexVPN Routing Overview
IKEv2 Routing (Configuration Exchange)
IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads
Static routes added to the RIB on both sides
Remote Access: currently only supported with FlexVPN hardware client
IPsec Reverse Route Injection (RRI)
Static routes added to RIB for protected remote networks (remote proxies)
No configuration required (automatic for Virtual-Access with non-any-any proxies)
Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)
Dynamic Routing Protocol
Pros: more powerful/flexible/adaptive
Cons: more complex/resource-intensive
Remote Access: only supported with FlexVPN hardware client
NHRP Routes
Not applicable to Remote Access (Dynamic Mesh scenarios only)
FlexVPN Routing: Events & Sources
Authorization (local configuration):
  route set local {ipv4 | ipv6} prefix        prefixes listed in the route set local authorization attribute(s)
  route set interface [ifc-name]
  route set access-list ...
  route accept any [distance ...] [tag ...]   controls how prefixes received from the peer are handled
Configuration exchange (remote configuration):
  route set remote {ipv4 | ipv6} prefix       prefixes received during the configuration exchange within IPv4/IPv6 SUBNET attributes (handling controlled by the local route accept attribute)
Route sources side by side: IKEv2 static routes, reverse route injection, regular dynamic routes, NHRP static routes.
Scenario: AnyConnect Full Tunneling
Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1) -- WAN -- FlexVPN server (WAN 192.0.2.2, Lo1 10.0.1.1/32) -- 10.0.0.0/16. Assigned VPN IP: 10.0.1.22/32.
Client IPv4 route table: the default route now points through the VPN tunnel, the local LAN is still reachable, and the server is reachable in the clear via the ISP:
  Destination     Gateway     Interface
  0.0.0.0/0       10.42.1.1   Local Area Connection
  0.0.0.0/0       On-link     FlexVPN Connection
  192.0.2.2/32    10.42.1.1   Local Area Connection
  10.42.1.0/24    On-link     Local Area Connection
Server: the assigned IP address is reachable over the client's virtual-access interface (automatic RRI):
  S 10.0.1.22/32 is directly connected, Virtual-Access1

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1
Scenario: AnyConnect Split Tunneling
Topology: AnyConnect client on LAN 10.42.1.0/24 (gateway 10.42.1.1) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16; the server is reached at 192.0.2.2; assigned VPN IP 10.0.1.22/32
Authorization: one or more subnets to include in the split tunnel
  route set remote ipv4 10.0.0.0 255.255.0.0
Windows IPv4 Route Table (client):
  Destination    Gateway     Interface
  0.0.0.0/0      10.42.1.1   Local Area Connection
  10.0.0.0/16    On-link     FlexVPN Connection      <- specific route(s) pointing through VPN tunnel
  10.42.1.0/24   On-link     Local Area Connection   <- local LAN still reachable
FlexVPN Server configuration:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
FlexVPN Server RIB:
S 10.0.1.22/32 is directly connected, Virtual-Access1
Scenarios & Use Cases
Network Extension
Scenario: HW Client Single Address PAT
Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16; Assigned IP: 10.0.1.22/32
Client authorization:
  route set interface
Server authorization:
  route set interface
  route set remote ipv4 10.0.0.0 255.255.0.0
Client RIB (summary prefix reachable through tunnel):
S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Server RIB (assigned IP address reachable over client VA):
S 10.0.1.22/32 is directly connected, Virtual-Access1
Traffic from LAN to remote VPN networks: PAT to the Tunnel0 assigned IP address
Client configuration (the LAN interface Ethernet0/1 also needs ip nat inside):
interface Tunnel0
 ip address negotiated
 ip nat outside
!
ip nat inside source route-map vpn interface Tunnel0 overload
!
route-map vpn permit 10
 match interface Tunnel0
Server configuration:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
Works, but not recommended: generally clumsy / impractical
Scenario: HW Client Network Extension
Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16; Assigned IP: 10.0.1.22/32
Client authorization:
  route set interface
  route set remote ipv4 10.42.1.0 255.255.255.0
Server authorization:
  route set interface
  route set remote ipv4 10.0.0.0 255.255.0.0
Client RIB (summary prefix reachable through tunnel):
S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Server RIB (assigned IP address reachable over client VA):
C 10.0.1.1/32 is directly connected, Loopback0
S 10.0.1.22/32 is directly connected, Virtual-Access1
S 10.42.1.0/24 is directly connected, Virtual-Access1
Client LAN directly reachable over tunnel
Local/remote addresses & prefixes exchanged using IKEv2 routing (prefix can be redistributed into IGP)
Recommended design
Equivalent to NEM+ in Easy VPN
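The IKEv2 routing exchange behind the Single Address PAT and Network Extension scenarios above, as an added Python model (example code, not Cisco's): each peer advertises its tunnel interface address and its route set remote prefixes in the Configuration Exchange, and the other side installs them as static routes via its tunnel interface. Assumed: route accept any on both peers, the interface and address names from the slides, and that IOS behaviour is reduced to this simple install rule.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    """One IKEv2 peer with the routing-related part of its authorization policy."""
    tunnel_ifc: str                  # Tunnel0 on the client, Virtual-AccessN on the server
    tunnel_ip: str                   # negotiated address (client) or unnumbered loopback (server)
    route_set_interface: bool = False                      # 'route set interface'
    route_set_remote: list = field(default_factory=list)   # ('net', 'mask') from 'route set remote ipv4'
    route_accept_any: bool = True                          # 'route accept any' (smart default, assumed)
    rib: list = field(default_factory=list)                # static routes installed by IKEv2


def advertised_prefixes(p):
    """Prefixes the peer places in its IPv4 SUBNET configuration attributes."""
    out = []
    if p.route_set_interface:
        out.append(ipaddress.ip_network(f"{p.tunnel_ip}/32"))
    for net, mask in p.route_set_remote:
        out.append(ipaddress.ip_network(f"{net}/{mask}"))
    return out


def install(receiver, prefixes):
    """Receiver installs one static route per accepted prefix, via its tunnel interface."""
    if not receiver.route_accept_any:
        return
    for pfx in prefixes:
        receiver.rib.append(f"S {pfx} is directly connected, {receiver.tunnel_ifc}")


def config_exchange(client, server):
    """Both sides exchange their subnets inside the IKEv2 Configuration Payloads."""
    install(server, advertised_prefixes(client))
    install(client, advertised_prefixes(server))
    return client.rib, server.rib


def hw_client_scenario(advertise_client_lan):
    """Network Extension (True) versus Single Address PAT (False): the only
    difference is whether the client's policy carries 'route set remote'."""
    client = Peer("Tunnel0", "10.0.1.22", True,
                  [("10.42.1.0", "255.255.255.0")] if advertise_client_lan else [])
    server = Peer("Virtual-Access1", "10.0.1.1", True, [("10.0.0.0", "255.255.0.0")])
    return config_exchange(client, server)
```

Running hw_client_scenario(True) reproduces the S routes of both RIB excerpts above; with False the server never learns 10.42.1.0/24, which is why the PAT scenario needs NAT on the client.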
Scenario: HW Client Dynamic Routing
Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16; Assigned IP: 10.0.1.22/32
Client authorization:
  route set interface
Server authorization:
  route set interface
Client RIB (summary prefix reachable through tunnel):
B 10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Server RIB (assigned IP address reachable over client VA):
S 10.0.1.22/32 is directly connected, Virtual-Access1
B 10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)
Client LAN directly reachable over tunnel
Addresses for BGP unicast peering exchanged using IKEv2 (prefix can be redistributed into IGP)
Local/remote prefixes exchanged using iBGP
BGP Dynamic Neighbor: easy configuration
Client configuration:
router bgp 65100
 neighbor 10.0.1.1 remote-as 65100
 neighbor 10.0.1.1 update-source Tunnel0
 address-family ipv4
  network 10.42.1.0 mask 255.255.255.0
  neighbor 10.0.1.1 activate
 exit-address-family
Server configuration:
router bgp 65100
 bgp listen range 10.0.1.0/24 peer-group clients
 neighbor clients peer-group
 neighbor clients remote-as 65100
 neighbor clients update-source Loopback1
 address-family ipv4
  network 10.0.0.0 mask 255.255.0.0
  neighbor clients activate
 exit-address-family
Dynamic, flexible & powerful, but closer to Site-to-Site than RA
Scenarios & Use Cases
Virtualization (VRF)
Virtual Routing & Forwarding
Router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)
Each interface on the router belongs to a single VRF
For ip unnumbered, the reference interface must belong to the same VRF
If no VRF is specified, the interface belongs to the global VRF
VRF definition and assignment:
New CLI: multi-protocol VRF (IPv4/IPv6)
vrf definition red
 rd 1:1
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding red
 ...
Old CLI: single-protocol VRF (IPv4-only)
ip vrf red
 rd 1:1
!
interface Ethernet0/0
 ip vrf forwarding red
 ...
Tunnels iVRF & fVRF (diagram)
One physical device hosting five RIB/FIBs (Blue, Red, Global, Green, Orange), with physical interfaces Eth0/0-Eth0/1, Eth1/0-Eth1/3 and Eth2/0-Eth2/3 spread across them; tunnels Tun1 and Tun2 are drawn with their encapsulation, showing that the VRF a tunnel interface belongs to (iVRF) and the VRF its encapsulated packets are forwarded in (fVRF) can differ.
VRF Use Case Configuration
Per-Department Configuration (Engineering):
aaa attribute list Eng
 attribute type interface-config "vrf forwarding Eng"
 attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
 pool Eng
 dns 10.0.1.1
 aaa attribute list Eng
!
interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99
Per-Department Configuration (Finance):
aaa attribute list Fin
 attribute type interface-config "vrf forwarding Fin"
 attribute type interface-config "ip unnumbered Loopback101"
!
crypto ikev2 authorization policy Fin
 pool Fin
 dns 10.0.1.101
 aaa attribute list Fin
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199
(attribute lists are applied to the Virtual-Access during V-Template cloning)
Global Configuration:
aaa authentication login frad group frad
aaa authorization network here local
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list here name-mangler dept
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
Single IKEv2 profile, single AnyConnect profile; authorization based on the username@domain suffix
RADIUS User Database:
joe@Eng Cleartext-Password := "joe123"
tom@Fin Cleartext-Password := "tom456"
No attributes required on AAA server
EAP authenticates username & domain
Scenarios & Use Cases
Quality of Service
The Need for QoS on VPN
QoS is crucial on VPN links for:
Sharing network bandwidth
Marshaling bandwidth usage of applications
Meeting application latency & speed requirements
The classical greedy spoke problem (diagram): a greedy spoke (Spoke 1) sends towards the Hub, whose crypto engine or WAN link is the bottleneck, and towards CE 1 behind an interface with a limited downstream rate
Server-Side Hierarchical Shaper
Tunnel bandwidth parent policy:
  Each VPN tunnel is given a maximum bandwidth
  A shaper provides the backpressure mechanism
Protected packets are processed by the child policy:
  There would be several policies: bandwidth, LLQ, etc.
Configuration:
class-map control
 match ip precedence 6
class-map voice
 match ip precedence 5
...
!
policy-map child-common
 class control
  bandwidth 20
 class voice
  priority percent 60
 ...
!
policy-map parent-branch
 class class-default
  shape average 5000000
  service-policy child-common
!
policy-map parent-client
 class class-default
  shape average 1000000
  service-policy child-common
(the parent policies must reference the child policy by the name it is defined under; the original slide wrote "service-policy inner" for a child named child-common)
Diagram: the Hub's parent shapers limit the total bandwidth per tunnel towards the Branch and towards the RA Client; inside each shaper, BW Reservation, Low-Latency Queuing and Fair Queuing apply different policies to different traffic classes
QoS Use Case
Requirements:
Traffic segregation between departments (Engineering VRF, Finance VRF)
Single VPN endpoint in global VRF
AnyConnect software client
EAP user authentication
Per-user QoS policy
Proposed solution:
Single IKEv2 profile & V-Template
Interface configuration strings
Explicit RADIUS group authorization
Diagram: Engineering VRF (Eth0/1) and Finance VRF (Eth0/2) behind a single endpoint in the Global VRF (Eth0/0 towards the WAN); Joe's V-Access gets high B/W (10 Mbps), Tom's V-Access gets low B/W (5 Mbps)
QoS Use Case Configuration
Per-Department Configuration:
interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99
ip local pool Fin 10.0.1.110 10.0.1.199
Global Configuration:
aaa authentication login frad group frad
aaa authorization network frad group frad
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list frad name-mangler dept
 aaa authorization user eap cached
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
policy-map high
 ...
Group authorization based on domain; per-user attributes applied from EAP; QoS policies defined locally on the FlexVPN server
RADIUS User Database (per-user QoS policy, all attributes centralized on the AAA server):
joe@Eng Cleartext-Password := "joe123"
    Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@Fin Cleartext-Password := "tom456"
    Cisco-AVPair = "ip:interface-config=service-policy output low"
Eng Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Eng",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
    Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
    Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Fin Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Fin",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
    Cisco-AVPair += [...]
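The AAA flow shared by the VRF and QoS use cases above (EAP identity, name-mangler selecting the group from the @ suffix, group then user authorization, ip:interface-config strings applied to the cloned Virtual-Access), as an added Python model; this is example code, not IOS or Cisco code. The RADIUS entries are constructed to mirror the slides, and the group-then-user merge order and the rendering of the Virtual-Access interface are this example's assumptions.

```python
# Constructed RADIUS database mirroring the slides: group entries keyed by the
# name-mangler result, user entries keyed by the full EAP identity.
RADIUS_DB = {
    "Eng": ["ipsec:addr-pool=Eng", "ipsec:dns-servers=10.0.1.1",
            "ip:interface-config=vrf forwarding Eng",
            "ip:interface-config=ip unnumbered Loopback1"],
    "Fin": ["ipsec:addr-pool=Fin", "ipsec:dns-servers=10.0.1.101",
            "ip:interface-config=vrf forwarding Fin",
            "ip:interface-config=ip unnumbered Loopback101"],
    "joe@Eng": ["ip:interface-config=service-policy output high"],
    "tom@Fin": ["ip:interface-config=service-policy output low"],
}


def name_mangler_dept(identity, delimiter="@"):
    """'crypto ikev2 name-mangler dept' with 'eap suffix delimiter @': group = suffix."""
    if delimiter not in identity:
        raise ValueError(f"EAP identity {identity!r} carries no {delimiter!r} suffix")
    return identity.rsplit(delimiter, 1)[1]


def authorize(identity):
    """Group authorization (mangled name) first, then cached user authorization.
    Assumed merge order: the user's AV pairs are appended after the group's."""
    group = name_mangler_dept(identity)
    avpairs = RADIUS_DB[group] + RADIUS_DB.get(identity, [])
    ipsec, ifc_config = {}, []
    for av in avpairs:                         # "namespace:key=value"
        ns, _, rest = av.partition(":")
        key, _, value = rest.partition("=")
        if ns == "ipsec":
            ipsec[key] = value                 # pool, DNS servers, ...
        elif ns == "ip" and key == "interface-config":
            ifc_config.append(value)           # CLI applied to the Virtual-Access
    return {"group": group, "ipsec": ipsec, "interface_config": ifc_config}


def virtual_access_config(identity, ifc="Virtual-Access1"):
    """Render the cloned Virtual-Access after the interface-config strings are applied
    (the rendering format is this example's own, not IOS output)."""
    auth = authorize(identity)
    lines = [f"interface {ifc}", " tunnel mode ipsec ipv4",
             " tunnel protection ipsec profile default"]
    # The template's 'no ip address' survives only if nothing overrides it.
    if not any(c.startswith(("ip unnumbered", "ip address")) for c in auth["interface_config"]):
        lines.insert(1, " no ip address")
    lines += [" " + cmd for cmd in auth["interface_config"]]
    return "\n".join(lines)
```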
FlexVPN SSL Preview (TENTATIVE: still in development!)
FlexVPN SSL Overview
Roadmap: TENTATIVE
IOS-XE 3.12S / 15.4(2)S : CSR1000v support
IOS-XE 3.13S / 15.4(3)S : ASR1000 support
Client-based only (AnyConnect all platforms)
No support for clientless aka WebVPN
Integrated into FlexVPN framework
AAA integration
Virtual tunnel interfaces
Smart defaults
CLI consistency
Initial baseline release, features to be added progressively
Virtual Hosting, HostScan / Posture, Two-Factor, DTLS, Mixed-Mode / Dual-Stack, ...
FlexVPN SSL CLI (TENTATIVE)
crypto ssl proposal my-proposal                    <- cryptographic algorithms
 protection dhe-rsa-aes256-sha rsa-aes256-sha1     <- key exchange method
Wrapping up...
Call to Action...
Visit the Cisco Campus at the World of Solutions
BRKSEC-3036 Advanced IPsec designs with FlexVPN by Frédéric Detienne
Friday 11:30am, North Wing Level -1, Green Hall 3
Meet the Engineer
Alex Honor, Frédéric Detienne, Olivier Pélerin (TAC EMEA),
Raffaele Brancaleoni (Advanced Services EMEA),
Wen Zhang (TAC US), Tom Alexander (TAC GCE)
Discuss your project's challenges at the Technical Solutions Clinics
Attend one of the Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: For reading material and further resources for this session, please
visit www.pearson-books.com/CLMilan2014
CL365 - Visit us online after the event for updated PDFs and on-demand session videos: www.CiscoLiveEU.com
Complete Your Online Session Evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt