Solved

iPad and Cisco AnyConnect

Posted on 2011-09-12
Last Modified: 2013-05-02
I have been given an iPad and asked to get it on our VPN. We want to use certificates as part of the authentication process. I have the ASA configured with a profile I know works with certificates for user-based VPN authentication. When I try to connect with the iPad I get a message:

"No valid certificates available for authentication"

I know the issue is the certificate that is on the iPad. We are using certificates from our internal CA. Has anyone else got this working? What certificate template needs to be used to create the certificate for the device? What certificates need to be on the iPad?

Thanks.
Question by:snowmizer

Expert Comment

by:Spartan_1337
ID: 36525576

Expert Comment

by:tomago
ID: 36525577
First off, if this is for an ASA... do you have the AnyConnect mobile license installed on the ASA?

Expert Comment

by:Pete Long
ID: 36525594
>>We are using certificates from our internal CA

That's your problem - either buy a certificate http://www.petenetlive.com/Top_Level/certificates.htm
Or find a way to import the ROOT certificate from your CA into the iPad's trusted root authorities (on an Apple device I'm not even sure you can do this)

pl

Author Comment

by:snowmizer
ID: 36525599
I have gone through the documentation. We don't have the mobile license installed but we are in the process of getting that license.

However, I created a profile that didn't use certificates and was able to get to the point where it would have connected if we had the license. When I turn on certificate authentication I get prompted to select the profile I want to connect to and enter my credentials. After I enter the credentials it churns for a bit before it comes right back to the profile selection screen.

Accepted Solution

by:tomago (earned 500 total points)
ID: 36525636
The ASA is going to reject VPN requests from mobile devices until that mobile license is installed, as you found out when you used a profile w/o the certificates.

There is a 30 day trial license you can install: www.cisco.com/go/license then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."

 To get the certificate installed on the iPad, you can e-mail yourself the SSL certificate in DER format.
 Retrieve the email on your iPad and open the certificate file. iPad will ask if you want to install it. Check it to install SSL Certificate.

Author Comment

by:snowmizer
ID: 36525674
I understand that I won't actually be able to connect until the license is installed. I just want to get to the point where it fails because of the license (which I can do if I don't use certificate authentication). I will make sure the root CA is installed. I didn't set up the original certificates on this so I'm not sure the whole chain is installed (or that the correct template was used).

What template should I be using though for the user/device certificate? Should it be a web server, an IPSec? Can I use the same template we're using for our laptops?

Expert Comment

by:tomago
ID: 36525789
I placed a Web server cert on the ASA and used a Client cert on the Apple devices. I am using SSL and not IPSec. HTH

Author Comment

by:snowmizer
ID: 36525818
We will be using SSL as well. I've already got the web server cert on the ASA for our non-iPad VPN connections. So I should be able to use the same template that I use for our laptops for VPN connections. That template shows intended purposes "Encrypting File System, Secure Email, Client Authentication".


Expert Comment

by:tomago
ID: 36525869
Yes, from the sound of it you should be able to use the same certs as the laptops.

Author Comment

by:snowmizer
ID: 36525873
I'll give that a try tonight and post my results. Thanks guys.

Author Comment

by:snowmizer
ID: 36549662
I exported the VPN cert that we're using from one of our laptops and sent it to the iPad via email and tested the VPN connection. Success!!!!

Originally I was told that the VPN cert wouldn't work but then I found out that when it was exported it probably didn't have the private key exported. The only issue I had was trying to install the cert as part of a profile in the "iPhone Configuration Utility". Not exactly sure why that is. There was an old cert (including the root) on the device as part of the profile so I'm not sure if that's what caused the issue with the profile install.
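
The two things this thread turned on, a missing private key in the export and the "Client Authentication" purpose on the template, can be checked before a bundle is sent to the device. The script below is an added example, not code from any poster in the thread; the function names, file names and password are hypothetical, the demo certificate is constructed, and it assumes OpenSSL 1.1.1 or later and that the user's certificate is the first one in the bundle.

```bash
# Added example (not from the thread). Function and file names are hypothetical.
# check_client_identity FILE PASSWORD
# Returns 0 only if the PKCS#12 bundle holds a private key and its first
# certificate carries the Client Authentication EKU.
check_client_identity() {
    local p12=$1 pass=$2 rc=0 cert
    # A bundle exported without the private key contains certificates only.
    if openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'; then
        echo "private key: present"
    else
        echo "private key: MISSING"; rc=1
    fi
    # Decode the first certificate in the bundle and show whose it is.
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null |
        openssl x509 -noout -subject -text 2>/dev/null)
    printf '%s\n' "$cert" | grep -m1 '^subject'
    # OpenSSL prints the clientAuth EKU as "TLS Web Client Authentication".
    if printf '%s\n' "$cert" | grep -q 'TLS Web Client Authentication'; then
        echo "client auth EKU: present"
    else
        echo "client auth EKU: MISSING"; rc=1
    fi
    return $rc
}

# Constructed demo input: a throwaway self-signed certificate with the
# clientAuth EKU, bundled once with its key and once without it.
make_demo_bundles() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-vpn-user" -addext "extendedKeyUsage=clientAuth" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass:constructed -out "$dir/with-key.p12"
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -passout pass:constructed -out "$dir/cert-only.p12"
}

demo_dir=$(mktemp -d)
make_demo_bundles "$demo_dir"
check_client_identity "$demo_dir/with-key.p12" constructed
check_client_identity "$demo_dir/cert-only.p12" constructed ||
    echo "=> not usable as a VPN client identity"
rm -rf "$demo_dir"
```

A DER-encoded certificate file holds a certificate only and never a private key, so it suits the root CA certificate; the user identity has to travel as a PKCS#12 bundle that includes the key.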
