Solved

iPad and Cisco AnyConnect

Posted on 2011-09-12
13
2,370 Views
Last Modified: 2013-05-02
I have been given an iPad and asked to get it on our VPN. We want to use certificates as part of the authentication process. I have the ASA configured with a profile I know works with certificates for user based VPN authentication. When I try to connect with the iPad I get a message:

"No valid certificates available for authentication"

I know the issue is the certificate that is on the iPad. We are using certificates from our internal CA. Has anyone else got this working? What certificate template needs to be used to create the certificate for the device? What certificates need to be on the iPad?

Thanks.
0
Question by:snowmizer
13 Comments
 
LVL 17

Expert Comment

by:Spartan_1337
0
 
LVL 5

Expert Comment

by:tomago
First off, if this is for an ASA... do you have the AnyConnect mobile license installed on the ASA?
0
 
LVL 57

Expert Comment

by:Pete Long
>>We are using certificates from our internal CA

That's your problem - either buy a certificate http://www.petenetlive.com/Top_Level/certificates.htm
Or find a way to import the ROOT certificate from your CA into the iPad's trusted root authorities (on an Apple device I'm not even sure you can do this)

pl
0
 

Author Comment

by:snowmizer
I have gone through the documentation. We don't have the mobile license installed but we are in the process of getting that license.

However, I created a profile that didn't use certificates and was able to get to the point where it would have connected if we had the license. When I turn on certificate authentication I get prompted to select the profile I want to connect to and enter my credentials. After I enter the credentials it churns for a bit before it comes right back to the profile selection screen.
0
 
LVL 5

Accepted Solution

by:
tomago earned 500 total points
The ASA is going to reject VPN requests from mobile devices until that mobile license is installed, as you found out when you used a profile w/o the certificates.

There is a 30 day trial license you can install: www.cisco.com/go/license then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."

 To get the certificate installed on the iPad, you can e-mail yourself the SSL certificate in DER format.
 Retrieve the email on your iPad and open the certificate file. iPad will ask if you want to install it. Check it to install SSL Certificate.
0

 

Author Comment

by:snowmizer
I understand that I won't actually be able to connect until the license is installed. I just want to get to the point where it fails because of the license (which I can do if I don't use certificate authentication). I will make sure the root CA is installed. I didn't set up the original certificates on this so I'm not sure the whole chain is installed (or that the correct template was used).

What template should I be using though for the user/device certificate? Should it be a web server, an IPSec? Can I use the same template we're using for our laptops?
0
 
LVL 5

Expert Comment

by:tomago
I placed a Web server cert on the ASA and used a Client cert on the Apple devices. I am using SSL and not IPSec. HTH
0
 

Author Comment

by:snowmizer
We will be using SSL as well. I've already got the web server cert on the ASA for our non-iPad VPN connections. So I should be able to use the same template that I use for our laptops for VPN connections. That template shows intended purposes "Encrypting File System, Secure Email, Client Authentication".

0
 
LVL 5

Expert Comment

by:tomago
Yes, from the sound of it you should be able to use the same certs as the laptops.
0
 

Author Comment

by:snowmizer
I'll give that a try tonight and post my results. Thanks guys.
0
 

Author Comment

by:snowmizer
I exported the VPN cert that we're using from one of our laptops and sent it to the iPad via email and tested the VPN connection. Success!!!!

Originally I was told that the VPN cert wouldn't work but then I found out that when it was exported it probably didn't have the private key exported. The only issue I had was trying to install the cert as part of a profile in the "iPhone Configuration Utility". Not exactly sure why that is. There was an old cert (including the root) on the device as part of the profile so I'm not sure if that's what caused the issue with the profile install.

0
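
The thread ends on two conditions for the device certificate: the export has to include the private key, and the template has to list Client Authentication. The script below is an added example, not part of the original thread, that checks a PKCS#12 bundle for both with the `openssl` CLI before it is sent to a device. The function names `check_p12` and `make_demo_bundles`, the password `demo`, and the throwaway self-signed certificates are constructed for the example.

```shell
# check_p12 FILE PASSWORD: returns 0 only if the bundle is usable for client-cert auth.
check_p12() {
    p12=$1; pw=$2; rc=0
    # Prefer the certificate bound to a key; fall back to any certificate in the file.
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) || {
        echo "FAIL: not a readable PKCS#12 file (wrong password, or a bare .cer export)"
        return 2
    }
    case $cert in *"BEGIN CERTIFICATE"*) ;; *)
        cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null) ;;
    esac
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || key=

    case $key in
        *"PRIVATE KEY"*) echo "ok:   private key present" ;;
        *) echo "FAIL: no private key in bundle"; rc=1 ;;
    esac
    if printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null |
            grep -q 'TLS Web Client Authentication'; then
        echo "ok:   EKU includes Client Authentication"
    else
        echo "FAIL: EKU lacks Client Authentication"; rc=1
    fi
    # The key must be the one the certificate was issued for.
    if [ "$rc" -eq 0 ]; then
        cpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
        kpub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
        [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || { echo "FAIL: key does not match certificate"; rc=1; }
    fi
    return "$rc"
}

# Constructed sample data: self-signed certs valid for one day, password "demo".
make_demo_bundles() {
    d=$1
    for eku in clientAuth serverAuth; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$eku" \
            -addext "extendedKeyUsage=$eku" -keyout "$d/$eku.key" -out "$d/$eku.crt" 2>/dev/null
    done
    openssl pkcs12 -export -inkey "$d/clientAuth.key" -in "$d/clientAuth.crt" \
        -passout pass:demo -out "$d/good.p12"      # key + client-auth cert
    openssl pkcs12 -export -nokeys -in "$d/clientAuth.crt" \
        -passout pass:demo -out "$d/nokey.p12"     # exported without the private key
    openssl pkcs12 -export -inkey "$d/serverAuth.key" -in "$d/serverAuth.crt" \
        -passout pass:demo -out "$d/server.p12"    # key present, wrong EKU
}
```

Running `make_demo_bundles "$(mktemp -d)"` and then `check_p12` on each file shows one passing bundle and the two failure modes discussed in the thread.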
