Solved

iPad and Cisco AnyConnect

Posted on 2011-09-12
Last Modified: 2013-05-02
I have been given an iPad and asked to get it on our VPN. We want to use certificates as part of the authentication process. I have the ASA configured with a profile I know works with certificates for user-based VPN authentication. When I try to connect with the iPad I get a message:

"No valid certificates available for authentication"

I know the issue is the certificate that is on the iPad. We are using certificates from our internal CA. Has anyone else got this working? What certificate template needs to be used to create the certificate for the device? What certificates need to be on the iPad?

Thanks.
Question by:snowmizer
13 Comments
 
LVL 17

Expert Comment

by:James H
ID: 36525576
0
 
LVL 5

Expert Comment

by:tomago
ID: 36525577
First off, if this is for an ASA... do you have the AnyConnect mobile license installed on the ASA?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 36525594
>>We are using certificates from our internal CA

That's your problem - either buy a certificate http://www.petenetlive.com/Top_Level/certificates.htm
Or find a way to import the ROOT certificate from your CA into the iPad's trusted root authorities (on an Apple device I'm not even sure you can do this)

pl
0

 

Author Comment

by:snowmizer
ID: 36525599
I have gone through the documentation. We don't have the mobile license installed but we are in the process of getting that license.

However, I created a profile that didn't use certificates and was able to get to the point where it would have connected if we had the license. When I turn on certificate authentication I get prompted to select the profile I want to connect to and enter my credentials. After I enter the credentials it churns for a bit before it comes right back to the profile selection screen.
0
 
LVL 5

Accepted Solution

by:
tomago earned 500 total points
ID: 36525636
The ASA is going to reject VPN requests from mobile devices until that mobile license is installed, as you found out when you used a profile w/o the certificates.

There is a 30 day trial license you can install: www.cisco.com/go/license then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."

 To get the certificate installed on the iPad, you can e-mail yourself the SSL certificate in DER format.
 Retrieve the email on your iPad and open the certificate file. iPad will ask if you want to install it. Check it to install SSL Certificate.
0
 

Author Comment

by:snowmizer
ID: 36525674
I understand that I won't actually be able to connect until the license is installed. I just want to get to the point where it fails because of the license (which I can do if I don't use certificate authentication). I will make sure the root CA is installed. I didn't set up the original certificates on this so I'm not sure the whole chain is installed (or that the correct template was used).

What template should I be using though for the user/device certificate? Should it be a web server, an IPSec, or can I use the same template we're using for our laptops?
0
 
LVL 5

Expert Comment

by:tomago
ID: 36525789
I placed a Web server cert on the ASA and used a Client cert on the Apple devices. I am using SSL and not IPSec. HTH
0
 

Author Comment

by:snowmizer
ID: 36525818
We will be using SSL as well. I've already got the web server cert on the ASA for our non-iPad VPN connections. So I should be able to use the same template that I use for our laptops for VPN connections. That template shows intended purposes "Encrypting File System, Secure Email, Client Authentication".

0
 
LVL 5

Expert Comment

by:tomago
ID: 36525869
Yes, from the sound of it you should be able to use the same certs as the laptops.
0
 

Author Comment

by:snowmizer
ID: 36525873
I'll give that a try tonight and post my results. Thanks guys.
0
 

Author Comment

by:snowmizer
ID: 36549662
I exported the VPN cert that we're using from one of our laptops and sent it to the iPad via email and tested the VPN connection. Success!!!!

Originally I was told that the VPN cert wouldn't work but then I found out that when it was exported it probably didn't have the private key exported. The only issue I had was trying to install the cert as part of a profile in the "iPhone Configuration Utility". Not exactly sure why that is. There was an old cert (including the root) on the device as part of the profile so I'm not sure if that's what caused the issue with the profile install.

0
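
The two causes discussed in this thread, an export that left out the private key and a certificate whose template does not include Client Authentication, can both be checked before the file is sent to the device. The script below is an added example, not code from the thread: it assumes the export is a PKCS#12 (.p12/.pfx) file and that the `openssl` command-line tool is installed, and the function names, file names and password are constructed for illustration.

```shell
#!/bin/sh
# check_p12 FILE PASSWORD
# returns 0 usable, 1 unreadable/wrong password, 2 no private key, 3 no Client Authentication
check_p12() {
    p12=$1
    # Password goes through the environment, not argv; the key is only held in
    # a shell variable (never written to disk) and dropped right after the test.
    key=$(P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nocerts -nodes 2>/dev/null) || return 1
    case $key in
        *"PRIVATE KEY-----"*) unset key ;;
        *) echo "$p12: no private key in bundle"; return 2 ;;
    esac
    # -clcerts selects the certificate that belongs to the private key.
    cert=$(P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -clcerts -nokeys 2>/dev/null) || return 1
    if ! printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null |
            grep -q "TLS Web Client Authentication"; then
        echo "$p12: certificate does not list Client Authentication"; return 3
    fi
    echo "$p12: private key present, Client Authentication listed"
}

# Constructed, throwaway sample bundles (password "sample") written to directory $1.
make_samples() {
    for kind in user:clientAuth,emailProtection web:serverAuth; do
        name=${kind%%:*}
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$name" -addext "extendedKeyUsage=${kind#*:}" \
            -keyout "$1/$name.key" -out "$1/$name.crt" 2>/dev/null || return 1
    done
    openssl pkcs12 -export -passout pass:sample -inkey "$1/user.key" \
        -in "$1/user.crt" -out "$1/with-key.p12" &&
    openssl pkcs12 -export -passout pass:sample -nokeys \
        -in "$1/user.crt" -out "$1/cert-only.p12" &&
    openssl pkcs12 -export -passout pass:sample -inkey "$1/web.key" \
        -in "$1/web.crt" -out "$1/web-server.p12"
}

# Demo: expect "usable", then exit code 2, then exit code 3.
demo=$(mktemp -d) && make_samples "$demo" &&
for f in with-key cert-only web-server; do
    check_p12 "$demo/$f.p12" sample || echo "  -> exit code $?"
done
rm -rf "$demo"
```

The check requires Client Authentication to be listed explicitly, matching the laptop template described above; a certificate issued with no Extended Key Usage extension at all would be reported with exit code 3.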


Question has a verified solution.
