IPad and Cisco AnyConnect

I have been given an IPad and asked to get it on our VPN. We want to use certificates as part of the authentication process. I have the ASA configured with a profile I know works with certificates for user based VPN authentication. When I try to connect with the IPad I get a message:

"No valid certificates available for authentication"

I know the issue is the certificate that is on the IPad. We are using certificates from our internal CA. Has anyone else got this working?  What certificate template needs to be used to create the certificate for the device? What certificates need to be on the IPad?

Thanks.
snowmizerAsked:
Who is Participating?
 
tomagoConnect With a Mentor Commented:
The ASA is going to reject VPN requests from mobile devices until that mobile license is installed, as you found out when you used a profile w/o the certificates.

There is a 30 day trial license you can install: www.cisco.com/go/license then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."

 To get the certificate installed on the iPad, you can e-mail yourself the SSL certificate in DER format.
 Retrieve the email on your iPad and open the certificate file. iPad will ask if you want to install it. Check it to install SSL Certificate.
0
 
James HIT DirectorCommented:
0
 
tomagoCommented:
First off, if this is for an ASA... do you have the AnyConnect mobile license installed on the ASA?
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
Pete LongTechnical ConsultantCommented:
>>We are using certificates from our internal CA

Thats you problem - either buy a certificate http://www.petenetlive.com/Top_Level/certificates.htm
Or find a way to import the ROOT certificate from your CA into the ipads trusted root authorities (on an apple device Im not even sure you can do this)

pl
0
 
snowmizerAuthor Commented:
I have gone through the documentation. We don't have the mobile license installed but we are in the process of getting that license.

However, I created a profile that didn't use certificates and was able to get to the point where it would have connected if we had the license. When I turn on certificate authentication I get prompted to select the profile I want to connect to and enter my credentials. After I enter the credentials it churns for a bit before it comes right back to the profile selection screen.
0
 
snowmizerAuthor Commented:
I understand that I won't actually be able to connect until the license is installed. I just want to get to the point where it fails because of the license (which I can do if I don't use certificate authentication). I will make sure the root CA is installed. I didn't set up the original certificates on this so I'm not sure the whole chain is installed (or that the correct template was used).

What template should I be using though for the user/device certificate? Should it be a web server, and IPSec, Can I use the same template we're using for our laptops?
0
 
tomagoCommented:
I placed a Web server cert on the ASA and used a Client cert on the Apple devices. I am using SSL and not IPSec. HTH
0
 
snowmizerAuthor Commented:
We will be using SSL as well. I've already got the web server cert on the ASA for our non-IPad VPN connections. So I should be able to use the same template that I use for our laptops for VPN connections. That template shows intended purposes "Encrypting File System, Secure Email, Client Authentication".

0
 
tomagoCommented:
Yes, from the sound of it you should be able to use the same certs as the laptops.
0
 
snowmizerAuthor Commented:
I'll give that a try tonight and post my results. Thanks guys.
0
 
snowmizerAuthor Commented:
I exported the VPN cert that we're using from one of our laptops and sent it to the IPad via email and tested the VPN connection. Success!!!!  

Originally I was told that the VPN cert wouldn't work but then I found out that when it was exported it probably didn't have the private key exported. The only issue I had was trying to install the cert as part of a profilei in the "IPhone Configuration Utility". Not exactly sure why that is. There was an old cert (including the root) on the device as part of the profile so I'm not sure if that's what caused the issue with the profile install.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.