IKEv2 Name Mangler Tidbit

I want to touch on what the IKEv2 Name Mangler is & what capabilities it provides us. Name Mangler grants us the ability to derive a name from a remote peer's IKE identity. This derived name is then used as the key for authorization requests. We can extract from identity types such as a distinguished name (DN), EAP identity, FQDN, or email address. Note that we cannot use Name Mangler with IKE identities of the IP address type. The name mangler gives us the flexibility to perform AAA-based policy lookups keyed on the remote peer's IKE identity. The IKEv2 Name Mangler is referenced inside of your IKEv2 profile. Note that the lookup is performed after peer authentication.


Brief overview of how Name Mangler works:


A peer connection matches our IKEv2 profile, which references the name mangler. The responder (the side receiving the connection) then derives the name to use for authorization from the initiator's IKE identity, based on the portion we are extracting via the name mangler configuration. The responder then attempts to retrieve an authorization policy whose name matches the derived name; this lookup can be performed locally or against an external RADIUS server. Assuming an authorization policy is found, all attributes configured under that policy are applied to the session. Should the authorization policy not be found for whatever reason, the tunnel will not come up, because the IKE_AUTH exchange fails.
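The flow above, tied together as a constructed IOS/IOS-XE configuration example (added here, not taken from the original post or its linked write-up). Every name in it (MANGLER-FQDN, FLEX-AUTHZ, FLEX-PROFILE, FLEX-TP, FLEX-POOL, the example.com domain and the spoke name hub1) is an assumption chosen for illustration. It derives the authorization name from the host portion of the peer's FQDN identity; the same `crypto ikev2 name-mangler` command also offers `dn`, `email`, and `eap` sub-commands for the other identity types, but no option for IP address identities.

```cisco
! Constructed example; all names are assumptions, not values from the post.
!
! 1. Authorization list the profile consults; local lookup here, a RADIUS
!    group could be used instead for an external policy lookup.
aaa new-model
aaa authorization network FLEX-AUTHZ local
!
! 2. Name mangler: take the host part of the peer's FQDN identity,
!    e.g. hub1.example.com -> hub1. (fqdn domain / fqdn all are the alternatives.)
crypto ikev2 name-mangler MANGLER-FQDN
 fqdn hostname
!
! 3. Authorization policy whose name must equal the derived name.
!    If no policy named "hub1" exists, IKE_AUTH fails and the tunnel stays down.
ip local pool FLEX-POOL 10.0.0.1 10.0.0.100
crypto ikev2 authorization policy hub1
 pool FLEX-POOL
 route set interface
!
! 4. Profile: match the identity, authenticate with certificates, then
!    (only after authentication succeeds) run group authorization keyed
!    on the mangled name against the FLEX-AUTHZ list.
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn domain example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-TP
 aaa authorization group cert list FLEX-AUTHZ name-mangler MANGLER-FQDN
 virtual-template 1
```

A quick sanity check when a tunnel fails at IKE_AUTH with this setup is to compare the name the mangler produces (visible in `debug crypto ikev2` output as the authorization request) with the names of the configured `crypto ikev2 authorization policy` entries; a mismatch in the extracted portion (hostname versus domain, username versus full email) is the usual cause.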


To see the Name Mangler in action see: Configuring, Verifying, & Troubleshooting FlexVPN Name Mangler Feature


Cheers!


