AnyConnect / DAP / Certificates

Hi, I'm trying to figure out a way to allow VPN access via AnyConnect for staff with a mobile phone so that they can use an app while in the field, but I'm stuck on the certificate process in DAP.

I would like to use DAP to validate that the phone (iPhone) has a certain certificate installed. (We don't want to use the certificate for authentication). I've imported a couple of certificates into the "user" certificate store in the iOS app, and set up the MCA in DAP, but when I debug the connection, I don't see DAP evaluating the certificate at all. I've tried setting up DAP for the issuing CA, the CN on the cert and the serial number on the cert, but none of them show up in the debug.

What am I missing? Are there any resources on setting up DAP for this sort of thing?


DAP record [    Company_VPN_iphone     ]:
((EVAL(endpoint.os.version,"EQ","Apple Plugin","string"))) and ((EVAL(endpoint.cert[1].issuer.cn,"EQ","Company Corporate Issuing CA","string")) or (EVAL(endpoint.cert[2].subject.cn,"EQ","vpn.company.com","string")))


asaoutsidedmz# deb dap tra
debug dap trace enabled at level 1
asaoutsidedmz# DAP_TRACE: DAP_open: New DAP Request: CD
DAP_TRACE: DAP_add_CSD: csd_token = [0875514653F1F92171793B88]
DAP_TRACE: Username: myusername, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: myusername, DAP_add_AC:
endpoint.anyconnect.clientversion = "4.8.02046";
endpoint.anyconnect.platform = "apple-ios";
endpoint.anyconnect.devicetype = "iPhone12,1";
endpoint.anyconnect.platformversion = "13.3.1";
endpoint.anyconnect.deviceuniqueid = "29443342-670D-4E8C-AD82-449DA15FC4EF";
endpoint.anyconnect.deviceuniqueidglobal = "29443342-670D-4E8C-AD82-449DA15FC4EF";
endpoint.anyconnect.phoneid = "unknown";
endpoint.anyconnect.useragent = "AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.8.02046";

DAP_TRACE: aaa["cisco"]["grouppolicy"] = "SSLVPN"
DAP_TRACE: aaa["cisco"]["username"] = "myusername"
DAP_TRACE: aaa["cisco"]["username1"] = "myusername"
DAP_TRACE: aaa["cisco"]["username2"] = ""
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "CompanyVPN"
DAP_TRACE: aaa["cisco"]["sceprequired"] = "false"
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE: endpoint.feature = "failure"
DAP_TRACE: endpoint.os.version = "Apple Plugin"
DAP_TRACE: endpoint.anyconnect.clientversion  = "4.8.02046"
DAP_TRACE: endpoint.anyconnect.platform  = "apple-ios"
DAP_TRACE: endpoint.anyconnect.devicetype  = "iPhone12,1"
DAP_TRACE: endpoint.anyconnect.platformversion  = "13.3.1"
DAP_TRACE: endpoint.anyconnect.deviceuniqueid  = "29443342-670D-4E8C-AD82-449DA15FC4EF"
DAP_TRACE: endpoint.anyconnect.deviceuniqueidglobal  = "29443342-670D-4E8C-AD82-449DA15FC4EF"
DAP_TRACE: endpoint.anyconnect.phoneid  = "unknown"
DAP_TRACE: endpoint.anyconnect.useragent  = "AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.8.02046"
DAP_TRACE: Username: myusername, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: myusername, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: myusername, dap_concat_fcn: [Security check failed. Please contact the Helpdesk] 59 490
DAP_TRACE: Username: myusername, dap_comma_str_fcn: [,] 1 128
DAP_TRACE: Username: myusername, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: myusername, DAP_close: CD

Gratefully,

Greg
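A small diagnostic for this kind of trace, added here as an example and not code from the original post or from Cisco: it pulls every EVAL() attribute out of the DAP record and compares it with the endpoint attributes the "debug dap trace" output shows the client actually reported, so any attribute the ASA never received (here the endpoint.cert[...] ones) is listed as missing rather than silently never matching. The sample trace is a constructed, trimmed copy of the lines above, and the only operator modelled is "EQ".

```python
import re

# Constructed input for this example: the DAP record expression quoted in the post and a
# trimmed copy of the "debug dap trace" output, keeping only the endpoint lines the ASA printed.
DAP_EXPR = (
    '((EVAL(endpoint.os.version,"EQ","Apple Plugin","string"))) and '
    '((EVAL(endpoint.cert[1].issuer.cn,"EQ","Company Corporate Issuing CA","string")) or '
    '(EVAL(endpoint.cert[2].subject.cn,"EQ","vpn.company.com","string")))'
)
DAP_TRACE = '''\
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE: endpoint.feature = "failure"
DAP_TRACE: endpoint.os.version = "Apple Plugin"
DAP_TRACE: endpoint.anyconnect.platform  = "apple-ios"
DAP_TRACE: endpoint.anyconnect.devicetype  = "iPhone12,1"
DAP_TRACE: dap_process_selected_daps: selected 0 records
'''

# EVAL(attribute,"OP","value","type") as written in a DAP record
EVAL_RE = re.compile(r'EVAL\(\s*([\w.\[\]]+)\s*,\s*"(\w+)"\s*,\s*"([^"]*)"')
# DAP_TRACE: endpoint... = "value"  (dotted or ["key"] attribute form)
TRACE_RE = re.compile(r'^DAP_TRACE:\s+(endpoint\S*)\s*=\s*"([^"]*)"\s*$')

def normalize(attr):
    # endpoint["a"]["b"] and endpoint.a.b name the same attribute
    return re.sub(r'\["([^"]+)"\]', r'.\1', attr)

def referenced_attrs(expr):
    # every (attribute, operator, value) the DAP expression tests
    return [(normalize(a), op, v) for a, op, v in EVAL_RE.findall(expr)]

def reported_attrs(trace):
    # endpoint attributes the client actually sent, as the trace shows them
    found = {}
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if m:
            found[normalize(m.group(1))] = m.group(2)
    return found

def diagnose(expr, trace):
    # tests the ASA could evaluate (True/False for EQ, None for other operators)
    # versus attributes it never received, which can never satisfy the record
    seen = reported_attrs(trace)
    result = {"missing": [], "evaluated": {}}
    for attr, op, value in referenced_attrs(expr):
        if attr not in seen:
            result["missing"].append(attr)
        else:
            result["evaluated"][attr] = (seen[attr] == value) if op == "EQ" else None
    return result
```

Running diagnose(DAP_EXPR, DAP_TRACE) on the post's trace reports endpoint.os.version as evaluated (True) and both endpoint.cert[...] attributes as missing, which matches the "selected 0 records" line.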