ok, if I'm using IPSec PSK (without certificates), is it enough secure? I mean the PSK can be known through the company and by an attacker, but I think IPSec is using session keys for encryption, so knowing the PSK is not a security problem or it is?
Can I manage which users can connect thorugh Radius or if you have the PSK you can connect?
Our VPN server has the following sh ver related to license
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 250
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5540 VPN Premium license.
We have both IPSec and SSL VPN configured. Will we be able to use the anyconnect client on iPhone/iPad etc? Do we have to buy the AnyConnect for Mobile license in oder to do that?
You do need the AnyConnect for Mobile license in order to activate the feature (it's not a per seat license).
The license is
where the 'XX' is the last 2 digits of your ASA model number - so for your ASA 5540 you would need an ASA-AC-M-5540 license.
You can read more about licensing here:
Or check the AnyConnect FAQ:
Running AnyConnect(latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.
Connecting to an ASA 5510 running 8.3(1).
Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.
When setting an AnyConnect connection(on the iPod) to use Certificates, the following error is shown:
"The connection requires a client certificate but no matching certificates is configured.
Please modify this connection, choose a valid certificate and try again."
Has anyone else seen or have resolved this issue?
Also, what would be some things to check to help resolve this issue?
This error would seem that you don't have the Root and/or Intermediate certificate(s) installed on the ASA and iPhone.
When doing certificate authentication, the ASA sends a message to the client (in this case, the iPhone) to tell the client what CA certificates the ASA has installed so the client can choose what certificate to send to the ASA.
This error message seems to indicated that the ASA either doesn't have a CA certificate installed, or that the CA certificates being presented to the client don't match as being the issuer of the client's certificates, so it doesn't know which certificate to send to the ASA.
Check to make sure your phone and ASA have an ID certificate as well as the CA certificate of the Windows 2008 server that issued them installed. If that looks correct, or if you still have issues after installing them:
Gather debugs on the ASA at the following levels from a connection attempt:
debug cry ca transaction 127
debug cry ca messages 127
debug cry ca 127
That should tell you why any PKI is failing. If not, connect the ASAs running-configuration and I can take a look at the configuration to see if there is a misconfiguration.
Here is what the debug output is showing:
# CERT API thread wakes up!
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B
CRYPTO_PKI: Verifying certificate with serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer_name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US.
CRYPTO_PKI: Checking to see if an identical cert is
already in the database...
CRYPTO_PKI(Cert Lookup) issuer="cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US" serial number=01 8e 7e bc 05 48 b5 28 42 5e | ..~..H.(B^
CRYPTO_PKI: looking for cert in handle=ac78c848, digest=
f5 07 78 fc f6 99 ff 89 96 e1 3e cf a1 a4 75 11 | ..x.......>...u.
CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US .
CRYPTO_PKI: No suitable TP status.
CRYPTO_PKI: cert validation failed to find trustpointCERT API thread sleeps!
On our iOS device, under the following:
General > Profile(name of profile used in iPhone Config utility--for SCEP) > *Profile* > More Details:
iPhone Configuration…(text cut off)
Issued by: iPhone Configuration.... (text cut off)
(shows all the info issued from our internal CA)
On our internal CA it does show the certificate issused successfully along with a cert issued to the ASA.
However, I did notice this, not sure if it matters, when I exported the SCEP profile from the iPhone Configuration Utilty, I had the following turned on:
Iphone Configuration Utility:
Export Connfiguration Profile
Security: Signed Configuration Profile
Would the "Security" need to be set for "None" on the export?, would that be an issue?
I've attached a screen cap for a little better explaination of what is on my iOS device.
I have this working now. I had the certs all messed up. Once I redid all the certs things are working like a charm.
I used a Web Server cert on the ASA and a Client cert on the Apple devices.
Things are working great.
How do the iPhone/iPad appear to the ASA's pre-login OS detection policy. I assume its 'Mac', but is there a way (or a need?) to differentiate between a device running OSX vs iOS. Does Host Scan support iOS, can I do certificate-based authentication, and does the Advanced Endpoint / Remediation ability work on Macs or iPads?
You won't be able to do a pre-login check with clientless and the iPhone as CSD/hostscan is not supported on the iPhone currently - which means no AES as well. You can do certificate authentication, though.
AES/CSD is supported on the MAC.
Ok, but does an iPhone/iPad 'look' the same to the Pre-login policy? Or are you saying that those devices just bypass Host Scan / Pre-login entirely, and just jump right to the authentication part? How does that affect DAP?
I guess I'm concerned that a OSX Mac could connect but somehow bypass the pre-login checks if its able to spoof itself as an iPhone. I also want to set myself up for the point where I have 'managed' and 'unmanaged' iPhones that VPN in, and have the ability to assign one policy / ACL / DHCP pool / whatever to the two different 'types' of devices.
iphone bypasses the pre-login policy (similar to if you cancel out of all the downloads to prevent hostscan from running on a pc) - you will be able to login with the iphone but it will not return any of the hostscan values due to not running hostscan.
DAP isn't affected per se - it just won't return hostscan values other than AAA values (if using clientless). Anyconnect will return, after login, the following:
If you bypass hostscan, I'm not sure how you would masquerade as another OS type - the OS detection doesn't appear to be using the HTTP user agent for checking. I can try to find out how we check for the OS if hostscan is not running - but the information may be proprietary.
As far as managed vs unmanaged iphone types - there is not really any way without hostscan to tell one iphone from another, you'd have to either set up a different tunnel group for your managed vs unmanaged iphones, but that depends on the users to make a decision.
Jason - I'm also trying to get my DAP policies to get a match on the LUA EVAL statement. When I turn on DAP debugging (error and trace) I see the following:
DAP_TRACE: name = endpoint.feature, value = "failure"
DAP_TRACE: dap_add_csd_data_to_lua:endpoint.os.version="Apple Plugin" <<-----------
DAP_TRACE: name = endpoint.os.version, value = "Apple Plugin"
DAP_TRACE: Username: xxxxxx, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: xxxxxx, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: xxxxxx, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: xxxxxx, DAP_close: 761406E8
I've tried to get the Lua to match using the exact same string that I see coming back from the debug. My Lua check looks like this:
EVAL(endpoint.os.version, "EQ", "Apple Plugin", “STRING") I've also tried "NE" just trying to get something to match but it doesn't seem to match even when I use the NE value even though I'm using the exact returned value.
For this specific check (I have several other checks) I have no other entries in this specific DAP policy, such as checking for a AAA attribute or endpoint attribute, just this one lua check and it keeps coming back as failing so my connection fails. I really need to match on something unique on the iPad, just having a hard time finding something that makes it unique.
I have a cert on the machine that I was trying to do some cert to ssl vpn connection profile mapping but was not able to get that to work either. I'm about out of ideas on this one...
2 things - this check won't work if you're using an anyconnect essentials license.
It can also be related to the the following bug:
Which is fixed in the 8.2(4), 8.3(2)13 and 8.4(1) code on CCO.
Thanks Jason for the response. I am running the Essentials licsense, and thanks for the update on the bug. I'm probably running into this one because I am running 8.3(2)12. I'll probably try to get the 8.4(1) version which is on the download page. Are there any other issues with DAP in 8.4 that I should be aware of from a DAP standpoint? I'll review the release notes and if it looks good probably get this upgraded and tested. Thanks again.
We currently have ASAs 5520 for our SSL VPN needs. We use AnyConnect for company laptops that have to meet posture requirements and clientless for user's Home PCs. We now have a requirement to test iPhone ssl vpn connections. The clientless version doesn't work because it doesn't support java to connect to terminal servers after authentication. I need information on how to configure the ASAs for iPhone using AnyConnect. Do we need to add a new profile?