IKEv2 Name Mangler Tidbit

I want to touch on what the IKEv2 Name Mangler is & what capabilities it provides us. Name Mangler grants us the ability to derive a name from a remote peer's IKE identity. This derived name can then be used in authorization requests. We can derive the name from identity types such as a distinguished name (DN), EAP identity, FQDN, or email address. Note that we cannot use Name Mangler on IKE identities that are IP addresses. The name mangler gives us the flexibility to perform AAA-based policy lookups keyed on the remote peer's IKE identity. The IKEv2 Name Mangler is applied/referenced inside of your IKEv2 profile. Note that the derivation is performed after peer authentication.


Brief overview of how Name Mangler works:


A peer connection matches our IKEv2 profile, which references the name mangler. Our receiving device (the responder) then derives the name to use for authorization from the initiator's IKE identity, based on the portion we are extracting via the name mangler configuration. The responder then attempts to retrieve an authorization policy with that derived name, either locally or from an external RADIUS server. Assuming an authorization policy is found, all attributes configured under that authorization policy are applied to the session. Should the authorization policy not be found, for whatever reason, the tunnel will not come up, since the IKE_AUTH exchange fails.
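As an added example (not from the original post), the following Cisco IOS configuration wires the pieces above together: a name mangler that keeps only the domain portion of a peer's FQDN identity, an IKEv2 profile that references it for group authorization after certificate authentication, and a local authorization policy whose name must equal the derived name. All object names (FLEX-AUTHZ, FQDN-DOMAIN, example.com, FLEX-HUB, FLEX-CA, FLEX-POOL) are assumed placeholders.

```cisco
! Constructed example; object names are hypothetical placeholders.
! Local AAA is used for the authorization lookup; a RADIUS group could
! be referenced in the same "aaa authorization network" list instead.
aaa new-model
aaa authorization network FLEX-AUTHZ local

! Name mangler: from an FQDN identity such as "branch1.example.com"
! keep only the domain part, so the derived name is "example.com".
! (A DN-based variant would be "dn organization-unit" instead.)
crypto ikev2 name-mangler FQDN-DOMAIN
 fqdn domain

! The authorization policy name must match the derived name exactly.
! If no policy named "example.com" exists locally (or on RADIUS),
! the lookup fails and IKE_AUTH does not complete, so the tunnel stays down.
crypto ikev2 authorization policy example.com
 pool FLEX-POOL
 route set interface

! IKEv2 profile on the responder: certificate authentication first,
! then group authorization keyed on the mangled identity.
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-CA
 aaa authorization group cert list FLEX-AUTHZ name-mangler FQDN-DOMAIN
 virtual-template 1
```

After a spoke connects, "show crypto ikev2 sa detailed" shows the derived name and the authorization policy that was applied to the session.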


To see the Name Mangler in action, see: Configuring, Verifying, & Troubleshooting FlexVPN Name Mangler Feature


Cheers!


