IKEv2 Name Mangler Tidbit

I want to touch on what the IKEv2 Name Mangler is & what capabilities it provides us. Name Mangler grants us the ability to derive a name from a remote peer's IKE identity. This derived name can then be used in authorization requests. We can derive it from things such as a distinguished name (DN), an EAP identity, an FQDN, or an email address. Note that we cannot use Name Mangler to match IKE identities on IP addresses. The name mangler gives us the flexibility to perform AAA-based policy lookups based on the remote peer's IKE identity. The IKEv2 Name Mangler is referenced inside your IKEv2 profile. Note that the name derivation is performed after peer authentication.


Brief overview of how Name Mangler works:


A peer connection matches our IKEv2 profile, which contains the name mangler. Our receiving device then derives the name to use for authorization from the initiator's IKE identity, based on what the name mangler configuration extracts. It then attempts to retrieve an authorization policy with the derived name, which can be checked locally or via an external RADIUS server. Assuming an authorization policy is found, all attributes configured under that authorization policy are applied to the respective session. Should the authorization policy not be found, for whatever reason, the tunnel will not come up due to an IKE_AUTH exchange failure.
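The following hub-side IOS configuration is an added example, not part of the original post, that walks through the lookup just described: the mangler strips the domain from the spoke's FQDN identity and the remaining hostname selects a local authorization policy. Hostnames, the example.com domain, trustpoint, ACL and list names are assumed values.

```cisco
! Added example (not from the original post). Hostnames, domain, trustpoint,
! ACL and AAA list names are assumed values.
!
! Spoke certificates carry an FQDN identity of the form <site>.example.com.
! "fqdn hostname" keeps only the host part, so spoke1.example.com -> spoke1.
crypto ikev2 name-mangler MANGLE-HOST
 fqdn hostname
!
! Authorization requests for the derived name are resolved locally.
aaa new-model
aaa authorization network IKEV2-AUTHZ local
!
! Prefixes each spoke advertises to the hub via IKEv2 route exchange.
ip access-list standard SPOKE1-LAN
 permit 10.1.0.0 0.0.255.255
ip access-list standard SPOKE2-LAN
 permit 10.2.0.0 0.0.255.255
!
! One policy per derived name. A spoke whose derived name has no matching
! policy fails the IKE_AUTH exchange and its tunnel does not come up.
crypto ikev2 authorization policy spoke1
 route set interface
 route set access-list SPOKE1-LAN
!
crypto ikev2 authorization policy spoke2
 route set interface
 route set access-list SPOKE2-LAN
!
! The profile matches any *.example.com identity, authenticates the peer with
! certificates, and only then runs the name mangler to pick the policy.
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-CA
 aaa authorization group cert list IKEV2-AUTHZ name-mangler MANGLE-HOST
 virtual-template 1
```

Because the authorization lookup happens after certificate authentication, a peer with a valid certificate but an unexpected hostname still fails IKE_AUTH rather than receiving a default policy.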


To see the Name Mangler in action see: Configuring, Verifying, & Troubleshooting FlexVPN Name Mangler Feature


Cheers!


