IKEv2 Name Mangler Tidbit

I want to touch on what the IKEv2 Name Mangler is & what capabilities it provides us. Name Mangler grants us the ability to derive a name from a remote peer's IKE identity. This derived name can then be used in authorization requests. We can derive the name from identity types such as a distinguished name (DN), an EAP identity, an FQDN, or an email address. Note that we cannot use Name Mangler with IKE identities that are IP addresses. This gives us the flexibility to perform AAA-based policy lookups keyed on the remote peer's IKE identity. The IKEv2 Name Mangler is applied/referenced inside of your IKEv2 profile. Note that the name derivation and the authorization lookup are performed after peer authentication, never before it.


Brief overview of how Name Mangler works:


A peer connection matches our IKEv2 profile, which references the name mangler. The receiving peer (the responder) then derives the name to use for authorization from the initiator's IKE identity, based on the field we are extracting via the name mangler configuration. It then attempts to retrieve an authorization policy with that derived name, which can be checked locally or via an external RADIUS server. Assuming an authorization policy is found, all attributes configured under the authorization policy are applied to the respective session. Should the authorization policy not be found, for whatever reason, the tunnel will not come up, because the IKE_AUTH exchange fails.
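The following Cisco IOS configuration fragment is an added example, not from the original post, that puts the steps above together for a FlexVPN hub authorizing spokes by their FQDN identity. Every name in it (SPOKE-MANGLER, FLEX-LOCAL, SPOKE-PROFILE, HUB-CA, SPOKE-POOL, the example.com hostnames and the pool range) is an assumption chosen for illustration, and it shows only the pieces that matter to the name mangler (the IPsec profile and virtual-template side of the hub are left out).

```cisco
! Added example (not from the original post): a FlexVPN hub that derives the
! authorization policy name from a spoke's FQDN IKE identity.
! All names used here are assumed for illustration.
!
! 1. Local AAA: authorization requests are answered from the local policy table.
!    Point the list at a RADIUS group instead if the policies live on a server.
aaa new-model
aaa authorization network FLEX-LOCAL local
!
! 2. Name mangler: extract only the hostname part of the peer's FQDN identity.
!    A spoke identifying itself as "spoke1.example.com" yields "spoke1".
!    "fqdn domain" would instead yield "example.com", letting one policy cover
!    every spoke in that domain.
crypto ikev2 name-mangler SPOKE-MANGLER
 fqdn hostname
!
! 3. Authorization policy whose name must equal the derived name. If no policy
!    named "spoke1" exists (locally or on the AAA server), IKE_AUTH fails and
!    the tunnel does not come up.
ip local pool SPOKE-POOL 10.10.10.1 10.10.10.254
crypto ikev2 authorization policy spoke1
 pool SPOKE-POOL
 route set interface
!
! 4. IKEv2 profile: the mangler is referenced here and is applied only after
!    the peer has authenticated (certificate-based in this example).
crypto pki trustpoint HUB-CA
 enrollment terminal
!
crypto ikev2 profile SPOKE-PROFILE
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint HUB-CA
 aaa authorization user cert list FLEX-LOCAL name-mangler SPOKE-MANGLER
```

Because the lookup key is whatever the mangler extracts, the `match identity remote` line in the profile still does the coarse admission check (only identities under example.com reach this profile), while the name mangler decides which per-peer attributes are handed out. A spoke whose certificate identity is `spoke2.example.com` would match the profile but get no policy unless a `spoke2` policy is added, so a missing tunnel after a certificate change is a good prompt to compare the derived name against the policy names.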


To see the Name Mangler in action see: Configuring, Verifying, & Troubleshooting FlexVPN Name Mangler Feature


Cheers!


