
Solved

iPad and Cisco AnyConnect

Posted on 2011-09-12
Last Modified: 2013-05-02
I have been given an iPad and asked to get it on our VPN. We want to use certificates as part of the authentication process. I have the ASA configured with a profile I know works with certificates for user-based VPN authentication. When I try to connect with the iPad I get a message:

"No valid certificates available for authentication"

I know the issue is the certificate that is on the iPad. We are using certificates from our internal CA. Has anyone else got this working? What certificate template needs to be used to create the certificate for the device? What certificates need to be on the iPad?

Thanks.
0
Question by:snowmizer
13 Comments
 
LVL 17

Expert Comment

by:James H
ID: 36525576
0
 
LVL 5

Expert Comment

by:tomago
ID: 36525577
First off, if this is for an ASA... do you have the AnyConnect mobile license installed on the ASA?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 36525594
>>We are using certificates from our internal CA

That's your problem - either buy a certificate http://www.petenetlive.com/Top_Level/certificates.htm
Or find a way to import the ROOT certificate from your CA into the iPad's trusted root authorities (on an Apple device I'm not even sure you can do this)

pl
0

 

Author Comment

by:snowmizer
ID: 36525599
I have gone through the documentation. We don't have the mobile license installed but we are in the process of getting that license.

However, I created a profile that didn't use certificates and was able to get to the point where it would have connected if we had the license. When I turn on certificate authentication I get prompted to select the profile I want to connect to and enter my credentials. After I enter the credentials it churns for a bit before it comes right back to the profile selection screen.
0
 
LVL 5

Accepted Solution

by:
tomago earned 2000 total points
ID: 36525636
The ASA is going to reject VPN requests from mobile devices until that mobile license is installed, as you found out when you used a profile w/o the certificates.

There is a 30 day trial license you can install: www.cisco.com/go/license then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."

 To get the certificate installed on the iPad, you can e-mail yourself the SSL certificate in DER format.
 Retrieve the email on your iPad and open the certificate file. iPad will ask if you want to install it. Check it to install SSL Certificate.
0
 

Author Comment

by:snowmizer
ID: 36525674
I understand that I won't actually be able to connect until the license is installed. I just want to get to the point where it fails because of the license (which I can do if I don't use certificate authentication). I will make sure the root CA is installed. I didn't set up the original certificates on this so I'm not sure the whole chain is installed (or that the correct template was used).

What template should I be using though for the user/device certificate? Should it be a web server, an IPSec, or can I use the same template we're using for our laptops?
0
 
LVL 5

Expert Comment

by:tomago
ID: 36525789
I placed a Web server cert on the ASA and used a Client cert on the Apple devices. I am using SSL and not IPSec. HTH
0
 

Author Comment

by:snowmizer
ID: 36525818
We will be using SSL as well. I've already got the web server cert on the ASA for our non-iPad VPN connections. So I should be able to use the same template that I use for our laptops for VPN connections. That template shows intended purposes "Encrypting File System, Secure Email, Client Authentication".

0
 
LVL 5

Expert Comment

by:tomago
ID: 36525869
Yes, from the sound of it you should be able to use the same certs as the laptops.
0
 

Author Comment

by:snowmizer
ID: 36525873
I'll give that a try tonight and post my results. Thanks guys.
0
 

Author Comment

by:snowmizer
ID: 36549662
I exported the VPN cert that we're using from one of our laptops and sent it to the iPad via email and tested the VPN connection. Success!!!!

Originally I was told that the VPN cert wouldn't work but then I found out that when it was exported it probably didn't have the private key exported. The only issue I had was trying to install the cert as part of a profile in the "iPhone Configuration Utility". Not exactly sure why that is. There was an old cert (including the root) on the device as part of the profile so I'm not sure if that's what caused the issue with the profile install.

0
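Added example (not part of the original thread or written by any of its participants): a pre-flight check for the failure the asker describes, an exported bundle that lacks the private key, plus a check for the "Client Authentication" purpose named in the template. It assumes the export is a PKCS#12 (.p12/.pfx) file, that `openssl` is installed, and that the client certificate is the first one in the bundle; the function names and the `P12_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: verify an exported PKCS#12 bundle before sending it to a device.
# The passphrase is read from the P12_PASS environment variable so that it
# does not show up in the process list.

# Succeeds only if the bundle contains a private key.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Succeeds only if the first certificate in the bundle lists the
# Client Authentication extended key usage.
p12_has_client_auth() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Prints a verdict; returns 1 for a certificate-only export and
# 2 for a certificate without the Client Authentication purpose.
check_p12() {
    if ! p12_has_private_key "$1"; then
        echo "$1: no private key (certificate-only export)"
        return 1
    fi
    if ! p12_has_client_auth "$1"; then
        echo "$1: certificate lacks Client Authentication EKU"
        return 2
    fi
    echo "$1: private key and Client Authentication EKU present"
}
```

Run it as `P12_PASS=... check_p12 export.p12` after sourcing the file. A bundle that fails the first check carries no key to authenticate with, which is the cause the asker suspected for the earlier failed export.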


Question has a verified solution.
